
Infected With Virtumonde


  • This topic is locked
7 replies to this topic

#1 NNomali

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 10 July 2008 - 04:45 PM

I've recently been under siege by pop-up ads while browsing the Internet, and a Spybot scan identified the culprit as Virtumonde, or Vundo. I attempted to remove it via both Spybot and Symantec's FixVundo.exe, but since Vundo's various components can regenerate each other (or so my research tells me), neither has worked. I found out about Bleeping Computer by searching Google for other removal methods, so I hope it can help resolve this.

Here's what DSS had to say:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-10 02:54:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-07-10 06:54:54 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-07-10 17:26:47 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:55, on 2008-07-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\DOCUME~1\Owner\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {60cfedc2-2276-ee48-51e4-1b4f9119d40e} - {e04d9119-f4b1-4e15-84ee-67222cdefc06} - C:\WINDOWS\system32\khuzyx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

--
End of file - 4922 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-06-10 and 2008-07-10 -----------------------------

2008-07-10 13:32:33 0 d-------- C:\WINDOWS\Sun
2008-07-10 13:26:41 68096 --a------ C:\WINDOWS\zip.exe
2008-07-10 13:26:41 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-10 13:26:41 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-10 13:26:41 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-10 13:26:41 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-10 13:26:41 98816 --a------ C:\WINDOWS\sed.exe
2008-07-10 13:26:41 80412 --a------ C:\WINDOWS\grep.exe
2008-07-10 13:26:41 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-10 13:10:01 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-10 13:09:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-10 13:09:56 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-10 02:55:35 0 d-------- C:\Program Files\Trend Micro
2008-07-10 02:46:15 89088 -----n--- C:\WINDOWS\system32\ilgdqbjf.dll
2008-07-10 02:46:11 112256 --a------ C:\WINDOWS\system32\khuzyx.dll
2008-07-10 02:46:10 112256 --a------ C:\WINDOWS\system32\tkdbinvo.dll
2008-07-10 01:11:46 0 d-------- C:\Program Files\ProcessExplorer
2008-07-09 20:50:34 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-09 20:43:13 112256 --a------ C:\WINDOWS\system32\mxtpgs.dll
2008-07-09 20:43:11 112256 --a------ C:\WINDOWS\system32\kimtttja.dll
2008-07-09 20:42:16 318208 -----n--- C:\WINDOWS\system32\mlJYpNgg.dll
2008-07-09 20:37:12 29568 -----n--- C:\WINDOWS\system32\khfCuuvT.dll
2008-07-09 20:35:25 0 d-------- C:\Program Files\Adobe CS3
2008-07-09 19:59:12 0 d-------- C:\Documents and Settings\Owner\Application Data\Aim
2008-07-09 19:59:09 0 d-------- C:\Program Files\Viewpoint
2008-07-09 19:59:07 0 d-------- C:\Program Files\AOD
2008-07-09 19:59:05 0 d-------- C:\Program Files\AIM
2008-07-09 19:52:22 0 d-------- C:\Program Files\Azureus
2008-07-09 19:47:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-07-09 19:47:02 0 d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2008-07-09 00:56:11 0 d-------- C:\Documents and Settings\Owner\Application Data\Corel
2008-07-09 00:56:10 2828 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-07-09 00:56:10 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\9C8616D009.sys
2008-07-09 00:52:17 10368 --a------ C:\WINDOWS\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
2008-07-09 00:51:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-07-09 00:51:11 0 d-------- C:\Program Files\InterVideo
2008-07-09 00:51:10 0 d-------- C:\Program Files\Common Files\Protexis
2008-07-09 00:51:10 0 d-------- C:\Program Files\Common Files\InterVideo
2008-07-09 00:50:52 0 d-------- C:\Program Files\Corel
2008-07-09 00:45:28 187032883 --a------ C:\Program Files\WinDVD.exe <Not Verified; InterVideo; WinDVD>
2008-07-08 02:18:19 0 d-------- C:\Program Files\VGA_nVidia_v.101.38_HDDVD
2008-07-08 01:34:43 0 d-------- C:\Documents and Settings\Owner\Application Data\DivX
2008-07-08 01:33:25 0 d-------- C:\Program Files\DivX
2008-07-07 22:10:15 0 d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-07-07 22:09:55 0 d-------- C:\Program Files\mpc2kxp6490
2008-07-07 19:57:04 49152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-07-07 19:56:48 0 d-------- C:\Program Files\Realtek
2008-07-07 19:56:38 520192 --a------ C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-07-07 19:54:37 0 d-------- C:\Program Files\RealTek Audio
2008-07-07 19:44:29 0 d-------- C:\Program Files\Innovative Solutions
2008-07-07 19:37:53 0 d-------- C:\Program Files\NVIDIA
2008-07-07 19:33:08 0 d-------- C:\Program Files\Winamp
2008-07-07 19:33:08 0 d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2008-07-07 18:26:50 0 d-------- C:\Program Files\IrfanView
2008-07-07 17:45:57 0 d--h----- C:\WINDOWS\$hf_mig$
2008-07-07 16:22:16 0 d-------- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2


-- Find3M Report ---------------------------------------------------------------

2008-07-10 12:45:34 140 --a------ C:\Program Files\FixVundo.log
2008-07-10 01:11:11 1602439 --a------ C:\Program Files\ProcessExplorer.zip
2008-07-09 21:07:33 0 d-------- C:\Program Files\Common Files
2008-07-09 21:07:33 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-09 20:46:48 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-07-09 00:51:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-08 02:16:58 70150542 --a------ C:\Program Files\AS5920_5920G_VGA_nVidia_v.101.38.zip
2008-07-07 22:09:37 2223653 --a------ C:\Program Files\mpc2kxp6490.zip
2008-07-07 19:54:31 38822327 --a------ C:\Program Files\RealTek Audio.zip
2008-07-07 18:24:07 0 d-------- C:\Program Files\VideoLAN
2008-05-30 13:22:22 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 13:18:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-30 13:18:56 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-30 13:18:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-05-30 13:18:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-30 13:18:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-05-30 13:18:48 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX>
2008-05-30 13:18:48 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-05-30 13:18:00 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-04-29 16:10:30 0 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-04-11 16:22:57 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-11 14:43:04 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-04-11 09:55:17 0 -rahs---- C:\MSDOS.SYS
2008-04-11 09:55:17 0 -rahs---- C:\IO.SYS
2008-04-11 09:55:17 0 --a------ C:\CONFIG.SYS
2008-04-11 09:55:17 0 --a------ C:\AUTOEXEC.BAT
2008-04-11 09:52:37 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-11 05:45:03 62 --ahs---- C:\Documents and Settings\Owner\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e04d9119-f4b1-4e15-84ee-67222cdefc06}]
2008-07-10 02:46 112256 --a------ C:\WINDOWS\system32\khuzyx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-03-17 08:05]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-03-17 08:05]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-03-17 08:05]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 19:19]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" []
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16:32 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 18:43 C:\WINDOWS\Alcmtr.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-17 22:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"DriverMax"="" []

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 15:41:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8120 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-10 02:56:32 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU T5450 @ 1.66GHz
CPU 1: Intel® Core™2 Duo CPU T5450 @ 1.66GHz
Percentage of Memory in Use: 26%
Physical Memory (total/avail): 2038.36 MiB / 1491.44 MiB
Pagefile Memory (total/avail): 3930.61 MiB / 3513.21 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1911.41 MiB

C: is Fixed (NTFS) - 232.88 GiB total, 225.37 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD2500BEVS-22UST0 - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.8.1201 [VPS 080709-1] v4.8.1201 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Corel\\DVD9\\WinDVD.exe"="C:\\Program Files\\Corel\\DVD9\\WinDVD.exe:*:Enabled:WinDVD"
"C:\\Program Files\\Vuze\\Azureus.exe"="C:\\Program Files\\Vuze\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OWNER-3
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\OWNER-3
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\PROGRA~1\Java\JRE16~1.0_0\bin;C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;.
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=OWNER-3
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acer Crystal Eye webcam --> C:\Program Files\InstallShield Installation Information\{AA047D7C-5E7C-4878-B75C-77589151B563}\setup.exe -runfromtemp -l0x0009 -removeonly
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Azureus --> C:\Program Files\Azureus\Uninstall.exe
Corel WinDVD 9 --> C:\Program Files\InstallShield Installation Information\{E3993D46-AE3F-402E-9F9D-EEBDFBEC3564}\setup.exe -runfromtemp -l0x0409
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DriverMax 4 --> "C:\Program Files\Innovative Solutions\DriverMax\unins000.exe"
HDAUDIO Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118\UIU32m.exe -U -IAcZUnM5k.inf
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
K-Lite Codec Pack 3.8.5 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 7 Ultra Edition BASIC --> MsiExec.exe /I{4781569D-5404-1F26-4B2B-6DF444445167}
OpenOffice.org 2.4 --> MsiExec.exe /I{F87A8E11-02A4-4875-A3A5-5961081B0E4E}
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\setup.exe" -l0x9 anything
SelfImage 1.2.1 --> C:\Program Files\SelfImage\uninst.exe
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
WinASO Registry Optimizer 3.2 --> "C:\Program Files\WinASO\Registry Optimizer 3.2\unins000.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type496 / Error
Event Submitted/Written: 07/10/2008 01:04:02 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module browseui.dll, version 6.0.2900.2995, fault address 0x00071cb0.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type472 / Error
Event Submitted/Written: 07/09/2008 10:02:00 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.5730.13, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type402 / Error
Event Submitted/Written: 07/09/2008 00:52:14 AM
Event ID/Source: 10005 / MsiInstaller
Event Description:
Product: QuickTime -- A newer version of QuickTime is already installed. This installation cannot proceed while the newer version of QuickTime is installed.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3864 / Warning
Event Submitted/Written: 07/10/2008 02:16:06 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001DE010C725. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type3849 / Warning
Event Submitted/Written: 07/10/2008 02:02:53 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001DE010C725. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type3834 / Error
Event Submitted/Written: 07/10/2008 01:47:03 AM
Event ID/Source: 1001 / Dhcp
Event Description:
Your computer was not assigned an address from the network (by the DHCP
Server) for the Network Card with network address 001DE010C725. The following error
occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type3828 / Warning
Event Submitted/Written: 07/10/2008 01:41:32 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001DE010C725. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type3825 / Warning
Event Submitted/Written: 07/10/2008 01:40:08 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001DE010C725. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2008-07-10 02:56:32 ------------




#2 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:07 PM

Posted 11 July 2008 - 12:26 AM

Hi,

Make sure that DSS.exe is located on your Desktop.
Click on your START button, then choose Run. A little box will appear.
Now copy and paste all the following in bold (including the "" marks) into the run box and click OK.

"C:\Documents and Settings\Owner\Desktop\dss.exe" /daft

This will start DSS in a different way. A small window will appear.
Click on the Scan button.
If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a tick in the boxes in question.
Click the Fix button.
Re-scan and make sure it says that all associations are OK.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
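A small triage helper for logs like the DSS/HijackThis output in post #1 and the file-association check the reply above asks for, as an added example that is not part of this thread and not DSS's, HijackThis's or ComboFix's own code. It parses three line shapes from a constructed excerpt modelled on the posted log, flags BHO entries whose display name is a bare GUID or whose DLL was created within a week of the scan, and compares each reported shell\open\command handler against the Windows XP default handlers assumed in the `XP_DEFAULT_OPEN` table (that table is my assumption for the example, not something the thread or DSS states). Function names, the excerpt and the seven-day window are all my own choices.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt modelled on the HijackThis / DSS lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {60cfedc2-2276-ee48-51e4-1b4f9119d40e} - {e04d9119-f4b1-4e15-84ee-67222cdefc06} - C:\WINDOWS\system32\khuzyx.dll
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
.exe - exefile - shell\open\command - "%1" %*
2008-07-10 02:46:11 112256 --a------ C:\WINDOWS\system32\khuzyx.dll
2008-07-10 02:46:10 112256 --a------ C:\WINDOWS\system32\tkdbinvo.dll
2008-02-22 04:25:00 132496 --a------ C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
"""

# Bare {GUID} used where a human-readable BHO name would normally appear.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <dll path>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
# DSS file-association line: ".ext - progid - shell\open\command - <command>"
ASSOC_RE = re.compile(r"^(?P<ext>\.\w+) - \w+ - shell\\open\\command - (?P<cmd>.+)$")
# DSS "Files created" line: "<timestamp> <size> <attrs> <path> [<version info>]"
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+ [-\w]{9} (?P<path>[A-Za-z]:\\.+?)(?:\s+<[^>]*>)?$"
)

# Windows XP default open handlers as assumed for this example (not from the thread).
XP_DEFAULT_OPEN = {
    ".exe": '"%1" %*',
    ".com": '"%1" %*',
    ".bat": '"%1" %*',
    ".cmd": '"%1" %*',
    ".reg": 'regedit.exe "%1"',
    ".scr": '"%1" /S',
}


def parse_log(text):
    """Pull BHO entries, open-handler associations and file-creation times out of a DSS/HJT log."""
    bhos, assocs, created = [], {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            bhos.append(m.groupdict())
        elif m := ASSOC_RE.match(line):
            assocs[m["ext"].lower()] = m["cmd"].strip()
        elif m := CREATED_RE.match(line):
            created[m["path"].lower()] = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return bhos, assocs, created


def triage(text, scan_date, recent_days=7):
    """Return (kind, subject, reason) findings worth a human look; scan_date is 'YYYY-MM-DD'."""
    bhos, assocs, created = parse_log(text)
    cutoff = datetime.strptime(scan_date, "%Y-%m-%d") - timedelta(days=recent_days)
    findings = []
    for b in bhos:
        reasons = []
        if GUID_RE.match(b["name"]):
            reasons.append("display name is a bare GUID")
        # Cross-reference the BHO's DLL with the "Files created" section of the same log.
        ts = created.get(b["path"].lower())
        if ts is not None and ts >= cutoff:
            reasons.append(f"DLL created {ts:%Y-%m-%d}, within {recent_days} days of the scan")
        if reasons:
            findings.append(("bho", b["path"], "; ".join(reasons)))
    for ext, cmd in assocs.items():
        expected = XP_DEFAULT_OPEN.get(ext)
        if expected is not None and cmd != expected:
            findings.append(("assoc", ext, f"open handler is {cmd!r}, expected {expected!r}"))
    return findings


if __name__ == "__main__":
    for kind, subject, reason in triage(SAMPLE_LOG, "2008-07-10"):
        print(f"[{kind}] {subject}: {reason}")
```

Run against the excerpt it reports the GUID-named BHO in system32 (its DLL was created on the scan day) and the two non-default .reg and .scr handlers, while the Java helper BHO and the default .exe handler stay quiet. The point is the cross-referencing: a single HijackThis line is rarely conclusive, but a BHO whose DLL appears in the same log's recently-created list is exactly what a helper on this forum looks for before deciding what to remove.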

#3 NNomali (Topic Starter)

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 11 July 2008 - 04:49 PM

Here's ComboFix:

ComboFix 08-07-09.5 - Owner 2008-07-11 5:39:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1578 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\fqxjqhik.ini
C:\WINDOWS\system32\ggNpYJlm.ini
C:\WINDOWS\system32\ilgdqbjf.dll
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Service_clbdriver


((((((((((((((((((((((((( Files Created from 2008-06-11 to 2008-07-11 )))))))))))))))))))))))))))))))
.

2008-07-10 13:32 . 2008-07-10 13:32 <DIR> d-------- C:\WINDOWS\Sun
2008-07-10 13:10 . 2008-07-10 13:10 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-10 13:09 . 2008-07-10 13:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-10 13:09 . 2008-07-10 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-10 13:09 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-10 13:09 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-10 06:38 . 2008-07-10 06:38 <DIR> d-------- C:\Program Files\Photoshop
2008-07-10 02:55 . 2008-07-10 02:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-10 02:54 . 2008-07-10 02:54 <DIR> d-------- C:\Deckard
2008-07-10 02:46 . 2008-07-10 02:46 112,256 --a------ C:\WINDOWS\system32\tkdbinvo.dll
2008-07-10 02:46 . 2008-07-10 02:46 112,256 --a------ C:\WINDOWS\system32\khuzyx.dll
2008-07-10 01:16 . 2008-07-10 12:26 173,456 --a------ C:\Program Files\FixVundo.exe
2008-07-10 01:11 . 2008-07-10 01:11 <DIR> d-------- C:\Program Files\ProcessExplorer
2008-07-10 01:11 . 2008-07-10 01:11 1,602,439 --a------ C:\Program Files\ProcessExplorer.zip
2008-07-09 21:12 . 2008-07-10 01:31 346,199,563 --a------ C:\Adobe_Photoshop_and_ImageReady_CS2_v9.0_incl_KeyGen_iNTERNAL-PARADOX-Repack.rar
2008-07-09 20:50 . 2008-07-09 20:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-09 20:43 . 2008-07-09 20:43 112,256 --a------ C:\WINDOWS\system32\mxtpgs.dll
2008-07-09 20:43 . 2008-07-09 20:43 112,256 --a------ C:\WINDOWS\system32\kimtttja.dll
2008-07-09 20:42 . 2008-07-10 13:15 318,208 --------- C:\WINDOWS\system32\mlJYpNgg.dll
2008-07-09 20:37 . 2008-07-10 13:15 29,568 --------- C:\WINDOWS\system32\khfCuuvT.dll
2008-07-09 20:37 . 2001-08-23 08:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-09 20:35 . 2008-07-09 20:35 <DIR> d-------- C:\Program Files\Adobe CS3
2008-07-09 20:33 . 2008-07-09 20:33 65,536 ---hs---- C:\Documents and Settings\Owner\MediaTubeCodec_ver1.1463.1.exe
2008-07-09 19:59 . 2008-07-09 19:59 <DIR> d-------- C:\Program Files\Viewpoint
2008-07-09 19:59 . 2008-07-09 19:59 <DIR> d-------- C:\Program Files\AOD
2008-07-09 19:59 . 2008-07-09 19:59 <DIR> d-------- C:\Program Files\AIM
2008-07-09 19:59 . 2008-07-09 19:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Aim
2008-07-09 19:58 . 2008-07-09 19:58 3,120,872 --a------ C:\Program Files\aim523277.exe
2008-07-09 19:52 . 2008-07-09 19:54 <DIR> d-------- C:\Program Files\Azureus
2008-07-09 19:51 . 2008-07-09 19:51 8,799,656 --a------ C:\Program Files\Azureus_2.5.0.0.exe
2008-07-09 19:47 . 2008-07-10 01:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2008-07-09 19:47 . 2008-07-09 19:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-07-09 18:34 . 2008-07-09 18:35 9,057,472 --a------ C:\Program Files\Vuze_3.1.1.0_windows.exe
2008-07-09 01:52 . 2008-07-09 01:52 40 --ah----- C:\WINDOWS\system32\ivireg.ivr
2008-07-09 00:56 . 2008-07-09 00:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Corel
2008-07-09 00:56 . 2008-07-10 12:24 2,828 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-07-09 00:56 . 2008-07-10 12:24 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\9C8616D009.sys
2008-07-09 00:52 . 2005-09-20 17:27 10,368 --a------ C:\WINDOWS\system32\drivers\iviaspi.sys
2008-07-09 00:51 . 2008-07-09 00:51 <DIR> d-------- C:\Program Files\InterVideo
2008-07-09 00:51 . 2008-07-09 00:51 <DIR> d-------- C:\Program Files\Common Files\Protexis
2008-07-09 00:51 . 2008-07-09 00:51 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2008-07-09 00:51 . 2008-07-09 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-07-09 00:50 . 2008-07-09 00:50 <DIR> d-------- C:\Program Files\Corel
2008-07-09 00:45 . 2008-07-09 00:49 187,032,883 --a------ C:\Program Files\WinDVD.exe
2008-07-08 02:18 . 2007-08-10 11:40 <DIR> d-------- C:\Program Files\VGA_nVidia_v.101.38_HDDVD
2008-07-08 02:16 . 2008-07-08 02:16 70,150,542 --a------ C:\Program Files\AS5920_5920G_VGA_nVidia_v.101.38.zip
2008-07-08 01:34 . 2008-07-08 01:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DivX
2008-07-08 01:33 . 2008-07-08 01:33 <DIR> d-------- C:\Program Files\DivX
2008-07-08 01:33 . 2008-05-30 13:22 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-07-08 01:33 . 2008-05-30 13:22 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-07-08 01:32 . 2008-07-08 01:33 20,388,328 --a------ C:\Program Files\DivXInstaller.exe
2008-07-07 22:10 . 2008-07-07 22:10 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-07-07 22:10 . 2008-07-09 01:34 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-07 22:09 . 2008-07-07 22:09 <DIR> d-------- C:\Program Files\mpc2kxp6490
2008-07-07 22:09 . 2008-07-07 22:09 2,223,653 --a------ C:\Program Files\mpc2kxp6490.zip
2008-07-07 19:57 . 2006-08-01 15:02 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-07-07 19:56 . 2008-07-07 19:56 <DIR> d-------- C:\Program Files\Realtek
2008-07-07 19:54 . 2008-07-07 19:54 <DIR> d-------- C:\Program Files\RealTek Audio
2008-07-07 19:54 . 2008-07-07 19:54 38,822,327 --a------ C:\Program Files\RealTek Audio.zip
2008-07-07 19:44 . 2008-07-07 19:44 <DIR> d-------- C:\Program Files\Innovative Solutions
2008-07-07 19:37 . 2008-07-07 19:37 <DIR> d-------- C:\Program Files\NVIDIA
2008-07-07 19:33 . 2008-07-07 19:33 <DIR> d-------- C:\Program Files\Winamp
2008-07-07 19:33 . 2008-07-08 01:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2008-07-07 19:30 . 2008-07-07 19:31 8,990,072 --a------ C:\Program Files\winamp5531_full_emusic-7plus_en-us.exe
2008-07-07 18:26 . 2008-07-07 18:26 <DIR> d-------- C:\Program Files\IrfanView
2008-07-07 17:45 . 2008-07-07 17:45 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-07 17:29 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-07 17:29 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-07-07 17:29 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-07 17:29 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-07 16:22 . 2008-07-11 05:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-06-18 14:31 . 2008-06-18 14:31 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-10 16:45 140 ----a-w C:\Program Files\FixVundo.log
2008-07-10 01:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-09 04:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-09 04:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-07 22:24 --------- d-----w C:\Program Files\VideoLAN
2008-05-30 17:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-30 17:22 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 17:22 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-05-30 17:19 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-30 17:19 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-04-29 20:10 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-04-11 18:43 315,392 ----a-w C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e04d9119-f4b1-4e15-84ee-67222cdefc06}]
2008-07-10 02:46 112256 --a------ C:\WINDOWS\system32\khuzyx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-03-17 08:05 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-03-17 08:05 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-03-17 08:05 131072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-17 22:40 53248]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16:32 16132608 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 15:41:28 393216]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Corel\\DVD9\\WinDVD.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
R2 PSI_SVC_2;Protexis Licensing V2;C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 11:15]
R2 regi;regi;C:\WINDOWS\system32\drivers\regi.sys [2007-04-17 20:09]
R3 hidshim;Service for HID-KMDF Shim layer;C:\WINDOWS\system32\DRIVERS\hidshim.sys [2007-05-30 17:49]
R3 winbondhidcir;Winbond HID CIR Receiver;C:\WINDOWS\system32\DRIVERS\winbondhidcir.sys [2007-05-30 17:49]

.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DriverMax - (no file)
HKLM-Run-WinampAgent - C:\Program Files\Winamp\winampa.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-11 05:42:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\DOCUME~1\Owner\LOCALS~1\temp\RtkBtMnt.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-11 5:44:04 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-07-11 09:44:00

Pre-Run: 241,442,488,320 bytes free
Post-Run: 241,694,715,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

182




And HijackThis:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-11 05:45:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:51 AM, on 7/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {60cfedc2-2276-ee48-51e4-1b4f9119d40e} - {e04d9119-f4b1-4e15-84ee-67222cdefc06} - C:\WINDOWS\system32\khuzyx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

--
End of file - 4829 bytes

-- Files created between 2008-06-11 and 2008-07-11 -----------------------------

2008-07-11 05:39:29 0 d-------- C:\cmdcons
2008-07-10 13:32:33 0 d-------- C:\WINDOWS\Sun
2008-07-10 13:26:41 68096 --a------ C:\WINDOWS\zip.exe
2008-07-10 13:26:41 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-10 13:26:41 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-10 13:26:41 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-10 13:26:41 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-10 13:26:41 98816 --a------ C:\WINDOWS\sed.exe
2008-07-10 13:26:41 80412 --a------ C:\WINDOWS\grep.exe
2008-07-10 13:26:41 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-10 13:10:01 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-10 13:09:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-10 13:09:56 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-10 06:38:52 0 d-------- C:\Program Files\Photoshop
2008-07-10 02:55:35 0 d-------- C:\Program Files\Trend Micro
2008-07-10 02:46:11 112256 --a------ C:\WINDOWS\system32\khuzyx.dll
2008-07-10 02:46:10 112256 --a------ C:\WINDOWS\system32\tkdbinvo.dll
2008-07-10 01:11:46 0 d-------- C:\Program Files\ProcessExplorer
2008-07-09 20:50:34 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-09 20:43:13 112256 --a------ C:\WINDOWS\system32\mxtpgs.dll
2008-07-09 20:43:11 112256 --a------ C:\WINDOWS\system32\kimtttja.dll
2008-07-09 20:42:16 318208 -----n--- C:\WINDOWS\system32\mlJYpNgg.dll
2008-07-09 20:37:12 29568 -----n--- C:\WINDOWS\system32\khfCuuvT.dll
2008-07-09 20:35:25 0 d-------- C:\Program Files\Adobe CS3
2008-07-09 19:59:12 0 d-------- C:\Documents and Settings\Owner\Application Data\Aim
2008-07-09 19:59:09 0 d-------- C:\Program Files\Viewpoint
2008-07-09 19:59:07 0 d-------- C:\Program Files\AOD
2008-07-09 19:59:05 0 d-------- C:\Program Files\AIM
2008-07-09 19:52:22 0 d-------- C:\Program Files\Azureus
2008-07-09 19:47:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-07-09 19:47:02 0 d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2008-07-09 00:56:11 0 d-------- C:\Documents and Settings\Owner\Application Data\Corel
2008-07-09 00:56:10 2828 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-07-09 00:56:10 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\9C8616D009.sys
2008-07-09 00:52:17 10368 --a------ C:\WINDOWS\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
2008-07-09 00:51:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-07-09 00:51:11 0 d-------- C:\Program Files\InterVideo
2008-07-09 00:51:10 0 d-------- C:\Program Files\Common Files\Protexis
2008-07-09 00:51:10 0 d-------- C:\Program Files\Common Files\InterVideo
2008-07-09 00:50:52 0 d-------- C:\Program Files\Corel
2008-07-09 00:45:28 187032883 --a------ C:\Program Files\WinDVD.exe <Not Verified; InterVideo; WinDVD>
2008-07-08 02:18:19 0 d-------- C:\Program Files\VGA_nVidia_v.101.38_HDDVD
2008-07-08 01:34:43 0 d-------- C:\Documents and Settings\Owner\Application Data\DivX
2008-07-08 01:33:25 0 d-------- C:\Program Files\DivX
2008-07-07 22:10:15 0 d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-07-07 22:09:55 0 d-------- C:\Program Files\mpc2kxp6490
2008-07-07 19:57:04 49152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-07-07 19:56:48 0 d-------- C:\Program Files\Realtek
2008-07-07 19:56:38 520192 --a------ C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-07-07 19:54:37 0 d-------- C:\Program Files\RealTek Audio
2008-07-07 19:44:29 0 d-------- C:\Program Files\Innovative Solutions
2008-07-07 19:37:53 0 d-------- C:\Program Files\NVIDIA
2008-07-07 19:33:08 0 d-------- C:\Program Files\Winamp
2008-07-07 19:33:08 0 d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2008-07-07 18:26:50 0 d-------- C:\Program Files\IrfanView
2008-07-07 17:45:57 0 d--h----- C:\WINDOWS\$hf_mig$
2008-07-07 16:22:16 0 d-------- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2


-- Find3M Report ---------------------------------------------------------------

2008-07-11 05:45:37 12848 --a------ C:\Program Files\combofixlog.txt
2008-07-10 12:45:34 140 --a------ C:\Program Files\FixVundo.log
2008-07-10 01:11:11 1602439 --a------ C:\Program Files\ProcessExplorer.zip
2008-07-09 21:07:33 0 d-------- C:\Program Files\Common Files
2008-07-09 21:07:33 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-09 20:46:48 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-07-09 00:51:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-08 02:16:58 70150542 --a------ C:\Program Files\AS5920_5920G_VGA_nVidia_v.101.38.zip
2008-07-07 22:09:37 2223653 --a------ C:\Program Files\mpc2kxp6490.zip
2008-07-07 19:54:31 38822327 --a------ C:\Program Files\RealTek Audio.zip
2008-07-07 18:24:07 0 d-------- C:\Program Files\VideoLAN
2008-05-30 13:22:22 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 13:18:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-30 13:18:56 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-30 13:18:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-05-30 13:18:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-30 13:18:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-05-30 13:18:48 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX>
2008-05-30 13:18:48 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-05-30 13:18:00 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-04-29 16:10:30 0 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-04-11 16:22:57 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-11 14:43:04 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-04-11 09:55:17 0 -rahs---- C:\MSDOS.SYS
2008-04-11 09:55:17 0 -rahs---- C:\IO.SYS
2008-04-11 09:55:17 0 --a------ C:\CONFIG.SYS
2008-04-11 09:55:17 0 --a------ C:\AUTOEXEC.BAT
2008-04-11 09:52:37 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-11 05:45:03 62 --ahs---- C:\Documents and Settings\Owner\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e04d9119-f4b1-4e15-84ee-67222cdefc06}]
07/10/2008 02:46 AM 112256 --a------ C:\WINDOWS\system32\khuzyx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [03/17/2008 08:05 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [03/17/2008 08:05 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [03/17/2008 08:05 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"RTHDCPL"="RTHDCPL.EXE" [05/28/2007 04:32 PM C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [07/17/2006 10:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/04/2004 01:06 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [1/21/2008 3:41:28 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-07-11 05:46:23 ------------



#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 12 July 2008 - 12:11 AM

Hi,

I see you're not afraid of visiting crack sites and other illegal sites, because I see that you downloaded some cracks here.
If you visit crack sites and use cracks, you'll ALWAYS get infected. This is not only because of the crack itself, but because one single click entering that site may already download and install a huge malware bundle.
You really have to change your surfing habits, because these malware bundles may contain a keylogger, collecting all your passwords and installing other random malware, compromising your system, including infecting other computers. And all this because you visited some illegal sites.
Also, keep in mind, malware DAMAGES A LOT! And the damage can't always be repaired, so a format and reinstall is the only solution in such cases.
So is it really worth it? Get illegal software for "free", but compromise/break your computer instead?
Better to avoid this and change your surfing habits. Then this wouldn't have happened.

Don't forget to change your passwords afterwards, once we are done with this thread, because they are known. Don't change them now, because as long as the malware is still present, it will gather the changed passwords as well.


* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\tkdbinvo.dll
C:\WINDOWS\system32\khuzyx.dll
C:\Program Files\FixVundo.exe
C:\Adobe_Photoshop_and_ImageReady_CS2_v9.0_incl_KeyGen_iNTERNAL-PARADOX-Repack.rar
C:\WINDOWS\system32\mxtpgs.dll
C:\WINDOWS\system32\kimtttja.dll
C:\WINDOWS\system32\mlJYpNgg.dll
C:\WINDOWS\system32\khfCuuvT.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e04d9119-f4b1-4e15-84ee-67222cdefc06}]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
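The logs in this thread show the Vundo pattern the helper is scripting against: DLLs with random-looking names dropped into system32 in same-size pairs within the same minute (khuzyx.dll and tkdbinvo.dll at 02:46, mxtpgs.dll and kimtttja.dll at 20:43, all 112,256 bytes), one of them wired into Internet Explorer as a Browser Helper Object. The following is an added example, not code from the original post, from ComboFix, DSS or any other tool named here. It reads text in the layout of the ComboFix "Files Created" and "Reg Loading Points" sections quoted above, scores each system32 DLL on those signals, and prints a script in the File::/Registry:: form the helper asked for. The weights, the two-minute twin window, the name test and the archive-bit signal are this example's own assumptions; the sample input is six lines copied from the log above plus two benign DivX rows constructed in the same layout.

```python
"""Heuristic triage of ComboFix-style log sections for the Vundo pattern (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample: six rows copied from the log in this thread, plus two benign
# DivX DLLs written in the same layout so the heuristic has rows it should ignore.
FILES_CREATED = """\
2008-07-10 02:46 . 2008-07-10 02:46 112,256 --a------ C:\\WINDOWS\\system32\\tkdbinvo.dll
2008-07-10 02:46 . 2008-07-10 02:46 112,256 --a------ C:\\WINDOWS\\system32\\khuzyx.dll
2008-07-09 20:43 . 2008-07-09 20:43 112,256 --a------ C:\\WINDOWS\\system32\\mxtpgs.dll
2008-07-09 20:43 . 2008-07-09 20:43 112,256 --a------ C:\\WINDOWS\\system32\\kimtttja.dll
2008-07-09 20:42 . 2008-07-10 13:15 318,208 --------- C:\\WINDOWS\\system32\\mlJYpNgg.dll
2008-07-09 20:37 . 2008-07-10 13:15 29,568 --------- C:\\WINDOWS\\system32\\khfCuuvT.dll
2008-05-30 17:19 . 2008-05-30 17:19 1,044,480 --a------ C:\\WINDOWS\\system32\\libdivx.dll
2008-05-30 17:18 . 2008-05-30 17:18 683,520 --a------ C:\\WINDOWS\\system32\\DivX.dll
"""
REG_LOADING_POINTS = """\
[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{e04d9119-f4b1-4e15-84ee-67222cdefc06}]
2008-07-10 02:46 112256 --a------ C:\\WINDOWS\\system32\\khuzyx.dll
"""

# created . modified size attrs path   (directory rows carry <DIR> instead of a size and are skipped)
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ ([\d,]+) (\S{9}) (.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")
VOWELS = set("aeiouAEIOU")


def parse_created(text):
    """Return [(created, size, attrs, path)] for every file row of a Files Created block."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                         int(m.group(2).replace(",", "")), m.group(3), m.group(4)))
    return rows


def parse_bhos(text):
    """Map DLL path -> registry key for each BHO block (a [key] line followed by its file line)."""
    bhos, key = {}, None
    for line in text.splitlines():
        if line.startswith("[") and "Browser Helper Objects" in line:
            key = line.strip("[]")
        elif key and line.lower().endswith(".dll"):
            bhos[PATH_RE.search(line).group(0)] = key
            key = None
    return bhos


def looks_random(filename):
    """Assumed name test: letters-only stem of 5-9 chars with a capital right after a
    lowercase letter, or a run of 3+ consonants (y counted as a consonant)."""
    stem = filename.rsplit(".", 1)[0]
    if not stem.isalpha() or not 5 <= len(stem) <= 9:
        return False
    inner_caps = any(a.islower() and b.isupper() for a, b in zip(stem, stem[1:]))
    run = longest = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return inner_caps or longest >= 3


def score_files(rows, bhos, twin_window=timedelta(minutes=2)):
    """Score every system32 DLL; returns {path: (score, [reasons])}."""
    dlls = [r for r in rows if r[3].lower().endswith(".dll") and "\\system32\\" in r[3].lower()]
    results = {}
    for created, size, attrs, path in dlls:
        score, reasons = 0, []
        twins = [p for c, s, _, p in dlls if p != path and s == size and abs(c - created) <= twin_window]
        if twins:                     # components dropped as same-size pairs in the same minute
            score += 2; reasons.append("size twin: " + ", ".join(twins))
        if path in bhos:              # a fresh DLL hooked into IE as a Browser Helper Object
            score += 3; reasons.append("loaded as BHO " + bhos[path])
        if looks_random(path.rsplit("\\", 1)[-1]):
            score += 1; reasons.append("random-looking name")
        if "a" not in attrs:          # assumption: a newly written file normally carries the archive bit
            score += 1; reasons.append("archive bit cleared")
        results[path] = (score, reasons)
    return results


def suspects(results, threshold=2):
    return sorted(path for path, (score, _) in results.items() if score >= threshold)


def build_cfscript(paths, bhos):
    """Emit the File::/Registry:: layout used in this thread; a [-key] line deletes that key."""
    lines = ["File::"] + list(paths) + ["Registry::"]
    lines += ["[-%s]" % bhos[p] for p in paths if p in bhos]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rows = parse_created(FILES_CREATED)
    bhos = parse_bhos(REG_LOADING_POINTS)
    results = score_files(rows, bhos)
    for path, (score, reasons) in sorted(results.items(), key=lambda kv: -kv[1][0]):
        print("%d  %s  (%s)" % (score, path, "; ".join(reasons) or "no signals"))
    print()
    print(build_cfscript(suspects(results), bhos), end="")
```

On the sample, the four paired DLLs and the two with cleared archive bits cross the threshold, the BHO key is emitted in the same `[-key]` deletion form the helper used, and the two DivX DLLs score zero. The name test on its own is deliberately worth only one point: a legitimate name like ssldivx.dll trips the consonant-run check, which is why a single signal never reaches the threshold. Output like this is a shortlist for a human to confirm against file versions and digital signatures, not something to feed ComboFix unreviewed; the helper's own script also removed the keygen archive, a judgement call no log heuristic makes.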

#5 NNomali
  • Topic Starter
  • Members
  • 3 posts

Posted 12 July 2008 - 06:12 PM

Thanks for your advice. It's true that I've visited illicit sites for quite a while now, but this is the first time it's come back to haunt me. And you're right; it's not worth the hassle. I'll definitely change my habits now that I've gone through all this.

Here's the latest from ComboFix:

ComboFix 08-07-09.5 - Owner 2008-07-12 7:07:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1515 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Adobe_Photoshop_and_ImageReady_CS2_v9.0_incl_KeyGen_iNTERNAL-PARADOX-Repack.rar
C:\Program Files\FixVundo.exe
C:\WINDOWS\system32\khfCuuvT.dll
C:\WINDOWS\system32\khuzyx.dll
C:\WINDOWS\system32\kimtttja.dll
C:\WINDOWS\system32\mlJYpNgg.dll
C:\WINDOWS\system32\mxtpgs.dll
C:\WINDOWS\system32\tkdbinvo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Adobe_Photoshop_and_ImageReady_CS2_v9.0_incl_KeyGen_iNTERNAL-PARADOX-Repack.rar
C:\Program Files\FixVundo.exe
C:\WINDOWS\system32\khfCuuvT.dll
C:\WINDOWS\system32\khuzyx.dll
C:\WINDOWS\system32\kimtttja.dll
C:\WINDOWS\system32\mlJYpNgg.dll
C:\WINDOWS\system32\mxtpgs.dll
C:\WINDOWS\system32\tkdbinvo.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-12 to 2008-07-12 )))))))))))))))))))))))))))))))
.

2008-07-12 04:49 . 2008-07-12 04:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-07-11 22:32 . 2008-07-11 22:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-11 22:32 . 2008-07-11 22:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-10 13:32 . 2008-07-10 13:32 <DIR> d-------- C:\WINDOWS\Sun
2008-07-10 13:10 . 2008-07-10 13:10 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-10 13:09 . 2008-07-10 13:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-10 13:09 . 2008-07-10 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-10 13:09 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-10 13:09 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-10 06:38 . 2008-07-10 06:38 <DIR> d-------- C:\Program Files\Photoshop
2008-07-10 02:55 . 2008-07-10 02:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-10 02:54 . 2008-07-10 02:54 <DIR> d-------- C:\Deckard
2008-07-10 01:11 . 2008-07-10 01:11 <DIR> d-------- C:\Program Files\ProcessExplorer
2008-07-10 01:11 . 2008-07-10 01:11 1,602,439 --a------ C:\Program Files\ProcessExplorer.zip
2008-07-09 20:50 . 2008-07-09 20:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-09 20:37 . 2001-08-23 08:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-09 20:35 . 2008-07-09 20:35 <DIR> d-------- C:\Program Files\Adobe CS3
2008-07-09 20:33 . 2008-07-09 20:33 65,536 ---hs---- C:\Documents and Settings\Owner\MediaTubeCodec_ver1.1463.1.exe
2008-07-09 19:59 . 2008-07-09 19:59 <DIR> d-------- C:\Program Files\Viewpoint
2008-07-09 19:59 . 2008-07-09 19:59 <DIR> d-------- C:\Program Files\AOD
2008-07-09 19:59 . 2008-07-09 19:59 <DIR> d-------- C:\Program Files\AIM
2008-07-09 19:59 . 2008-07-09 19:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Aim
2008-07-09 19:58 . 2008-07-09 19:58 3,120,872 --a------ C:\Program Files\aim523277.exe
2008-07-09 19:52 . 2008-07-09 19:54 <DIR> d-------- C:\Program Files\Azureus
2008-07-09 19:51 . 2008-07-09 19:51 8,799,656 --a------ C:\Program Files\Azureus_2.5.0.0.exe
2008-07-09 19:47 . 2008-07-10 01:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2008-07-09 19:47 . 2008-07-09 19:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-07-09 18:34 . 2008-07-09 18:35 9,057,472 --a------ C:\Program Files\Vuze_3.1.1.0_windows.exe
2008-07-09 01:52 . 2008-07-09 01:52 40 --ah----- C:\WINDOWS\system32\ivireg.ivr
2008-07-09 00:56 . 2008-07-09 00:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Corel
2008-07-09 00:56 . 2008-07-12 04:52 2,828 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-07-09 00:56 . 2008-07-11 05:56 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\9C8616D009.sys
2008-07-09 00:52 . 2005-09-20 17:27 10,368 --a------ C:\WINDOWS\system32\drivers\iviaspi.sys
2008-07-09 00:51 . 2008-07-09 00:51 <DIR> d-------- C:\Program Files\InterVideo
2008-07-09 00:51 . 2008-07-09 00:51 <DIR> d-------- C:\Program Files\Common Files\Protexis
2008-07-09 00:51 . 2008-07-09 00:51 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2008-07-09 00:51 . 2008-07-09 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-07-09 00:50 . 2008-07-09 00:50 <DIR> d-------- C:\Program Files\Corel
2008-07-09 00:45 . 2008-07-09 00:49 187,032,883 --a------ C:\Program Files\WinDVD.exe
2008-07-08 02:18 . 2007-08-10 11:40 <DIR> d-------- C:\Program Files\VGA_nVidia_v.101.38_HDDVD
2008-07-08 02:16 . 2008-07-08 02:16 70,150,542 --a------ C:\Program Files\AS5920_5920G_VGA_nVidia_v.101.38.zip
2008-07-08 01:34 . 2008-07-08 01:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DivX
2008-07-08 01:33 . 2008-07-08 01:33 <DIR> d-------- C:\Program Files\DivX
2008-07-08 01:33 . 2008-05-30 13:22 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-07-08 01:33 . 2008-05-30 13:22 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-07-08 01:32 . 2008-07-08 01:33 20,388,328 --a------ C:\Program Files\DivXInstaller.exe
2008-07-07 22:10 . 2008-07-07 22:10 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-07-07 22:10 . 2008-07-09 01:34 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-07 22:09 . 2008-07-07 22:09 <DIR> d-------- C:\Program Files\mpc2kxp6490
2008-07-07 22:09 . 2008-07-07 22:09 2,223,653 --a------ C:\Program Files\mpc2kxp6490.zip
2008-07-07 19:57 . 2006-08-01 15:02 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-07-07 19:56 . 2008-07-07 19:56 <DIR> d-------- C:\Program Files\Realtek
2008-07-07 19:54 . 2008-07-07 19:54 <DIR> d-------- C:\Program Files\RealTek Audio
2008-07-07 19:54 . 2008-07-07 19:54 38,822,327 --a------ C:\Program Files\RealTek Audio.zip
2008-07-07 19:44 . 2008-07-07 19:44 <DIR> d-------- C:\Program Files\Innovative Solutions
2008-07-07 19:37 . 2008-07-07 19:37 <DIR> d-------- C:\Program Files\NVIDIA
2008-07-07 19:33 . 2008-07-07 19:33 <DIR> d-------- C:\Program Files\Winamp
2008-07-07 19:33 . 2008-07-08 01:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2008-07-07 19:30 . 2008-07-07 19:31 8,990,072 --a------ C:\Program Files\winamp5531_full_emusic-7plus_en-us.exe
2008-07-07 18:26 . 2008-07-07 18:26 <DIR> d-------- C:\Program Files\IrfanView
2008-07-07 17:45 . 2008-07-07 17:45 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-07 17:29 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-07 17:29 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-07-07 17:29 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-07 17:29 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-07 16:22 . 2008-07-11 05:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-06-18 14:31 . 2008-06-18 14:31 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 08:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-11 09:45 12,848 ----a-w C:\Program Files\combofixlog.txt
2008-07-10 16:45 140 ----a-w C:\Program Files\FixVundo.log
2008-07-10 01:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-09 04:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-07 22:24 --------- d-----w C:\Program Files\VideoLAN
2008-05-30 17:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-30 17:22 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 17:22 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-05-30 17:19 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-30 17:19 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-04-29 20:10 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-07-11_ 5.43.49.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-11 00:32:31 41,238 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-11 09:46:37 41,238 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-11 00:32:31 315,076 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-11 09:46:37 315,076 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-03-17 08:05 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-03-17 08:05 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-03-17 08:05 131072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-17 22:40 53248]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16:32 16132608 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 15:41:28 393216]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Corel\\DVD9\\WinDVD.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
R2 PSI_SVC_2;Protexis Licensing V2;C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 11:15]
R2 regi;regi;C:\WINDOWS\system32\drivers\regi.sys [2007-04-17 20:09]
R3 hidshim;Service for HID-KMDF Shim layer;C:\WINDOWS\system32\DRIVERS\hidshim.sys [2007-05-30 17:49]
R3 winbondhidcir;Winbond HID CIR Receiver;C:\WINDOWS\system32\DRIVERS\winbondhidcir.sys [2007-05-30 17:49]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 07:08:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-12 7:08:55
ComboFix-quarantined-files.txt 2008-07-12 11:08:42
ComboFix2.txt 2008-07-11 09:44:05

Pre-Run: 241,452,490,752 bytes free
Post-Run: 241,729,658,880 bytes free

163




And from HijackThis:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-12 07:09:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:09:52 AM, on 7/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

--
End of file - 4476 bytes

-- Files created between 2008-06-12 and 2008-07-12 -----------------------------

2008-07-12 04:49:35 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-07-11 05:39:29 0 d-------- C:\cmdcons
2008-07-10 13:32:33 0 d-------- C:\WINDOWS\Sun
2008-07-10 13:26:41 68096 --a------ C:\WINDOWS\zip.exe
2008-07-10 13:26:41 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-10 13:26:41 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-10 13:26:41 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-10 13:26:41 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-10 13:26:41 98816 --a------ C:\WINDOWS\sed.exe
2008-07-10 13:26:41 80412 --a------ C:\WINDOWS\grep.exe
2008-07-10 13:26:41 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-10 13:10:01 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-10 13:09:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-10 13:09:56 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-10 06:38:52 0 d-------- C:\Program Files\Photoshop
2008-07-10 02:55:35 0 d-------- C:\Program Files\Trend Micro
2008-07-10 01:11:46 0 d-------- C:\Program Files\ProcessExplorer
2008-07-09 20:50:34 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-09 20:35:25 0 d-------- C:\Program Files\Adobe CS3
2008-07-09 19:59:12 0 d-------- C:\Documents and Settings\Owner\Application Data\Aim
2008-07-09 19:59:09 0 d-------- C:\Program Files\Viewpoint
2008-07-09 19:59:07 0 d-------- C:\Program Files\AOD
2008-07-09 19:59:05 0 d-------- C:\Program Files\AIM
2008-07-09 19:52:22 0 d-------- C:\Program Files\Azureus
2008-07-09 19:47:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-07-09 19:47:02 0 d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2008-07-09 00:56:11 0 d-------- C:\Documents and Settings\Owner\Application Data\Corel
2008-07-09 00:56:10 2828 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-07-09 00:56:10 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\9C8616D009.sys
2008-07-09 00:52:17 10368 --a------ C:\WINDOWS\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
2008-07-09 00:51:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-07-09 00:51:11 0 d-------- C:\Program Files\InterVideo
2008-07-09 00:51:10 0 d-------- C:\Program Files\Common Files\Protexis
2008-07-09 00:51:10 0 d-------- C:\Program Files\Common Files\InterVideo
2008-07-09 00:50:52 0 d-------- C:\Program Files\Corel
2008-07-09 00:45:28 187032883 --a------ C:\Program Files\WinDVD.exe <Not Verified; InterVideo; WinDVD>
2008-07-08 02:18:19 0 d-------- C:\Program Files\VGA_nVidia_v.101.38_HDDVD
2008-07-08 01:34:43 0 d-------- C:\Documents and Settings\Owner\Application Data\DivX
2008-07-08 01:33:25 0 d-------- C:\Program Files\DivX
2008-07-07 22:10:15 0 d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-07-07 22:09:55 0 d-------- C:\Program Files\mpc2kxp6490
2008-07-07 19:57:04 49152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-07-07 19:56:48 0 d-------- C:\Program Files\Realtek
2008-07-07 19:56:38 520192 --a------ C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-07-07 19:54:37 0 d-------- C:\Program Files\RealTek Audio
2008-07-07 19:44:29 0 d-------- C:\Program Files\Innovative Solutions
2008-07-07 19:37:53 0 d-------- C:\Program Files\NVIDIA
2008-07-07 19:33:08 0 d-------- C:\Program Files\Winamp
2008-07-07 19:33:08 0 d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2008-07-07 18:26:50 0 d-------- C:\Program Files\IrfanView
2008-07-07 17:45:57 0 d--h----- C:\WINDOWS\$hf_mig$
2008-07-07 16:22:16 0 d-------- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2


-- Find3M Report ---------------------------------------------------------------

2008-07-11 05:45:37 12848 --a------ C:\Program Files\combofixlog.txt
2008-07-10 12:45:34 140 --a------ C:\Program Files\FixVundo.log
2008-07-10 01:11:11 1602439 --a------ C:\Program Files\ProcessExplorer.zip
2008-07-09 21:07:33 0 d-------- C:\Program Files\Common Files
2008-07-09 21:07:33 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-09 20:46:48 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-07-09 00:51:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-08 02:16:58 70150542 --a------ C:\Program Files\AS5920_5920G_VGA_nVidia_v.101.38.zip
2008-07-07 22:09:37 2223653 --a------ C:\Program Files\mpc2kxp6490.zip
2008-07-07 19:54:31 38822327 --a------ C:\Program Files\RealTek Audio.zip
2008-07-07 18:24:07 0 d-------- C:\Program Files\VideoLAN
2008-05-30 13:22:22 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 13:18:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-30 13:18:56 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-30 13:18:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-05-30 13:18:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-30 13:18:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-05-30 13:18:48 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX>
2008-05-30 13:18:48 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-05-30 13:18:00 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-04-29 16:10:30 0 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [03/17/2008 08:05 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [03/17/2008 08:05 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [03/17/2008 08:05 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"RTHDCPL"="RTHDCPL.EXE" [05/28/2007 04:32 PM C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [07/17/2006 10:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/04/2004 01:06 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [1/21/2008 3:41:28 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-07-12 07:10:20 ------------




Thanks again for all your help.

#6 miekiemoes
    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 July 2008 - 01:11 AM

Hi,

I'll definitely change my habits now that I've gone through all this.

That's good to hear. After all, there are so many freeware replacements out there which are even better than the Commercial Apps.
Take a look here: http://www.bleepingcomputer.com/forums/topic3616.html

Your log looks clean again.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
  • Click the "Download" button to the right.
  • For Platform, select "Windows".
  • For language, select your language.
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
* Go to start > run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
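The Add/Remove Programs check in the post above can be done from the registry instead of by eye. This is an added example, not code from miekiemoes or the thread; it assumes PowerShell 3 or later, and it classifies entries purely by the display-name patterns the post quotes (anything below JRE 6 Update 7 is reported as outdated).

```powershell
# Added example (not part of the thread): find Java runtimes listed in
# Add/Remove Programs and flag every one older than JRE 6 Update 7.
# Name patterns are taken from the examples in the post; assumes PowerShell 3+.

function Get-JavaStatus {
    param([string]$DisplayName, [int]$TargetUpdate = 7)

    # Java 6 family, e.g. "Java(TM) 6 Update 5": compare the update number.
    if ($DisplayName -match '^Java(\(TM\)|\u2122)? 6 Update (\d+)$') {
        if ([int]$Matches[2] -ge $TargetUpdate) { return 'Current' }
        return 'Outdated'
    }
    # Older families quoted in the post: "Java 2 Runtime Environment, SE v1.4.2",
    # "J2SE Runtime Environment 5.0". Anything in these families is outdated.
    if ($DisplayName -match '^(Java 2|J2SE) Runtime Environment') { return 'Outdated' }
    return 'NotJava'
}

function Get-InstalledJava {
    # Uninstall keys that back Add/Remove Programs (native view plus the
    # WOW6432Node view on 64-bit Windows; the latter is skipped if absent).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $status = Get-JavaStatus -DisplayName $_.DisplayName
            if ($status -ne 'NotJava') {
                [pscustomobject]@{
                    DisplayName     = $_.DisplayName
                    Status          = $status
                    UninstallString = $_.UninstallString
                }
            }
        }
}

# Offline check against a constructed list built from the names the post quotes:
$sample = 'Java 2 Runtime Environment, SE v1.4.2',
          'J2SE Runtime Environment 5.0',
          'Java(TM) 6 Update 5',
          'Java(TM) 6 Update 7',
          'Winamp'
foreach ($name in $sample) {
    '{0,-40} {1}' -f $name, (Get-JavaStatus -DisplayName $name)
}

# Live check on the machine: every 'Outdated' row is one to remove before
# installing the new version, as the post describes.
Get-InstalledJava | Format-Table -AutoSize
```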

#7 miekiemoes
    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 July 2008 - 04:16 PM

Let me know in your next reply how things are now.

Still with us?

#8 miekiemoes
    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 23 July 2008 - 12:40 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
