
Drwatson Debugger


This topic is locked
12 replies to this topic

#1 jeff_v2

Posted 25 July 2008 - 07:13 AM

I have been having this problem for the last few days...
When I click on the Start menu, a Windows Explorer error suddenly appears, followed by the Dr. Watson debugger...
After I click Don't Send, my PC suddenly hangs...
Can anyone help me resolve my problem? It is really annoying...
Thanks...

I already conducted the DSS scan yesterday, and here is the result...

Deckard's System Scanner v20071014.68
Run by JEF14 on 2008-07-24 23:33:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2008-07-24 15:34:00 UTC - RP124 - Deckard's System Scanner Restore Point
4: 2008-07-23 21:07:06 UTC - RP123 - System Checkpoint
3: 2008-07-22 16:43:00 UTC - RP122 - System Checkpoint
2: 2008-07-21 16:03:31 UTC - RP121 - System Checkpoint
1: 2008-07-20 12:58:30 UTC - RP120 - Removed Kaspersky Anti-Virus 2009.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as JEF14.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:58 PM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\winsersec.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\winwd.exe
C:\WINDOWS\sdaemon.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\DNA\btdna.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe
C:\Program Files\Winamp\Winamp.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\JEF14\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JEF14.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: nqgpedlr - {136717A3-DA9A-4322-997B-25D0843942F8} - C:\WINDOWS\nqgpedlr.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SWd] C:\WINDOWS\winwd.exe
O4 - HKLM\..\Run: [SDaemon] C:\WINDOWS\sdaemon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SMrhccruj0e3f7] C:\Program Files\rhccruj0e3f7\rhccruj0e3f7.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/vwhpro/EN/install/gtdownlr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: winser - Unknown owner - C:\WINDOWS\system32\winsersec.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 6836 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 WINSEC - c:\windows\system32\drivers\winsec.sys <Not Verified; Tropical Software; Win XP Filter Driver for PC Security>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
R2 PLFlash DeviceIoControl Service - c:\windows\system32\ioctlsvc.exe <Not Verified; Prolific Technology Inc.; IoctlSvc Application>
R2 winser - c:\windows\system32\winsersec.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-04 17:19:49 390 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2008-06-24 and 2008-07-24 -----------------------------

2008-07-23 20:58:56 0 d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-07-23 19:27:58 0 d-------- C:\Documents and Settings\JEF14\Application Data\Gtek
2008-07-23 19:27:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Gtek
2008-07-06 09:48:50 0 d-------- C:\Documents and Settings\JEF14\Application Data\Malwarebytes
2008-07-06 09:48:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-06 09:48:43 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-06 09:04:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-06 07:32:11 0 d-------- C:\Program Files\Alwil Software
2008-07-06 06:39:18 0 d-------- C:\Program Files\Trend Micro
2008-07-06 04:34:51 0 d-------- C:\Documents and Settings\JEF14\Application Data\rhccruj0e3f7
2008-07-06 04:33:07 0 d-------- C:\Program Files\rhccruj0e3f7
2008-07-06 04:32:13 0 d-------- C:\Documents and Settings\JEF14\Application Data\TmpRecentIcons
2008-07-06 04:31:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files


-- Find3M Report ---------------------------------------------------------------

2008-07-24 23:33:21 0 d-------- C:\Documents and Settings\JEF14\Application Data\DNA
2008-07-24 23:03:20 0 d-------- C:\Documents and Settings\JEF14\Application Data\DMCache
2008-07-24 16:24:50 0 d-------- C:\Program Files\PowerArchiver
2008-07-21 19:25:56 327124 --a------ C:\amt1
2008-07-06 04:55:50 0 d-------- C:\Program Files\Kaspersky Lab
2008-06-22 17:58:32 0 d-------- C:\Program Files\Internet Download Manager
2008-06-22 03:55:53 0 d-------- C:\Documents and Settings\JEF14\Application Data\BitTorrent
2008-06-21 03:52:51 0 d-------- C:\Documents and Settings\JEF14\Application Data\vlc
2008-06-21 03:51:36 0 d-------- C:\Program Files\VideoLAN
2008-06-16 02:17:57 0 d-------- C:\Documents and Settings\JEF14\Application Data\IDM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [02/26/2004 04:53 PM C:\WINDOWS\SOUNDMAN.EXE]
"SWd"="C:\WINDOWS\winwd.exe" [04/23/2004 01:51 AM]
"SDaemon"="C:\WINDOWS\sdaemon.exe" [04/23/2004 01:52 AM]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [07/09/2001 06:50 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 03:42 AM]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [02/28/2008 09:59 AM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [02/18/2008 04:29 PM]
"SMrhccruj0e3f7"="C:\Program Files\rhccruj0e3f7\rhccruj0e3f7.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/16/2008 07:19 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [05/09/2008 07:49 PM]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [06/13/2008 08:56 PM]

C:\Documents and Settings\JEF14\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"NoDispCPL"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMorePrograms"=0 (0x0)
"NoSetFolders"=0 (0x0)
"StartMenuLogOff"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2cccd593-89d2-11dc-9570-0004616cae4b}]
AutoRun\command- H:\autorun6e.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3054e66f-8f71-11dc-959d-0004616cae4b}]
AutoRun\command- ntdelect.com
explore\Command- ntdelect.com
open\Command- ntdelect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{884126b0-89d6-11dc-9572-0004616cae4b}]
AutoRun\command- G:\autorun6e.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{884126b7-89d6-11dc-9572-0004616cae4b}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fab70889-8dd0-11dc-9598-0004616cae4b}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
Explore\command- H:\Flash.10.Setup.exe
Open\command- H:\Flash.10.Setup.exe
Scan for Viruses\command- H:\Scanner.exe




-- End of Deckard's System Scanner: finished at 2008-07-24 23:36:31 ------------


#2 jeff_v2


Posted 28 July 2008 - 11:30 AM

No one cares to help??? :thumbsup:

#3 Orange Blossom


Posted 08 August 2008 - 12:01 AM

Hello jeff_v2,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below, a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


If you already performed the steps above, we still need to see the current state of the machine. A fresh scan and logs are still necessary.

Click on Start, then Run.
Copy and paste the following in bold in the open window and then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open up the DSS configuration.
Click on Check All.
Click Scan.
DSS will now run again. When finished, please post back both logs that open in Notepad:
main.txt and extra.txt



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.

#4 jeff_v2


Posted 14 August 2008 - 02:41 PM

Thanks...
Will post the result soon...

#5 jeff_v2


Posted 15 August 2008 - 02:12 AM

MAIN

Deckard's System Scanner v20071014.68
Run by JEF14 on 2008-08-15 01:26:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
16: 2008-08-14 17:26:22 UTC - RP142 - Deckard's System Scanner Restore Point
15: 2008-08-14 16:56:20 UTC - RP141 - System Checkpoint
14: 2008-08-13 15:08:33 UTC - RP140 - System Checkpoint
13: 2008-08-12 14:56:59 UTC - RP139 - System Checkpoint
12: 2008-08-11 11:48:27 UTC - RP138 - System Checkpoint


-- First Restore Point --
1: 2008-07-27 20:01:40 UTC - RP127 - System Checkpoint


Performed disk cleanup.

System Drive C: has 1.37 GiB (less than 15%) free.


-- HijackThis (run as JEF14.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:41 AM, on 8/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\winsersec.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\winwd.exe
C:\WINDOWS\sdaemon.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\DNA\btdna.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\JEF14\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JEF14.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: nqgpedlr - {136717A3-DA9A-4322-997B-25D0843942F8} - C:\WINDOWS\nqgpedlr.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SWd] C:\WINDOWS\winwd.exe
O4 - HKLM\..\Run: [SDaemon] C:\WINDOWS\sdaemon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SMrhccruj0e3f7] C:\Program Files\rhccruj0e3f7\rhccruj0e3f7.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/vwhpro/EN/install/gtdownlr.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: winser - Unknown owner - C:\WINDOWS\system32\winsersec.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 7727 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 WINSEC - c:\windows\system32\drivers\winsec.sys <Not Verified; Tropical Software; Win XP Filter Driver for PC Security>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
R2 PLFlash DeviceIoControl Service - c:\windows\system32\ioctlsvc.exe <Not Verified; Prolific Technology Inc.; IoctlSvc Application>
R2 winser - c:\windows\system32\winsersec.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 444)
2005-01-07 08:00:00 8450048 --a------ C:\WINDOWS\system32\shell32.dll <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
2005-01-07 08:00:00 140288 --a------ C:\WINDOWS\system32\sfc_os.dll <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
2005-01-07 08:00:00 218624 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>

C:\WINDOWS\system32\svchost.exe (pid 664)
2005-01-07 08:00:00 8450048 --a------ C:\WINDOWS\system32\shell32.dll <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
2005-01-07 08:00:00 218624 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>

C:\WINDOWS\system32\svchost.exe (pid 788)
2005-01-07 08:00:00 8450048 --a------ C:\WINDOWS\system32\shell32.dll <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
2005-01-07 08:00:00 218624 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
2005-01-07 08:00:00 140288 --a------ C:\WINDOWS\system32\sfc_os.dll <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>

C:\WINDOWS\explorer.exe (pid 1212)
2005-01-07 08:00:00 8450048 --a------ C:\WINDOWS\system32\shell32.dll <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
2005-01-07 08:00:00 218624 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
2004-04-23 01:51:48 36352 --a------ C:\WINDOWS\wsec32hk.dll
2007-08-30 17:43:14 6144 --a------ C:\Program Files\Yahoo!\Messenger\idle.dll <Not Verified; Yahoo! Inc.; Yahoo! Messenger>
2004-12-27 11:56:08 121344 --a------ C:\Program Files\WinRAR\RarExt.dll
2006-07-30 20:14:00 80896 --a------ C:\Program Files\PowerArchiver\PASHLEXT.DLL <Not Verified; ConeXware, Inc.; PowerArchiver 2006>
2004-04-23 01:52:31 58368 --a------ C:\WINDOWS\pcsecshext.dll
2005-01-07 08:00:00 1712128 -ra------ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
2008-05-05 14:07:06 69120 --a------ C:\Program Files\7-Zip\7-zip.dll <Not Verified; Igor Pavlov; 7-Zip>


-- Scheduled Tasks -------------------------------------------------------------

2008-07-25 17:18:11 390 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2008-07-15 and 2008-08-15 -----------------------------

2008-08-11 00:58:20 0 d-------- C:\Documents and Settings\JEF14\Application Data\Google
2008-08-11 00:49:44 0 d-------- C:\Documents and Settings\JEF14\Application Data\skypePM
2008-08-11 00:49:44 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-08-11 00:47:44 0 d-------- C:\Documents and Settings\JEF14\Application Data\Skype
2008-08-11 00:47:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-08-11 00:47:30 0 d-------- C:\Program Files\Google
2008-08-11 00:47:20 0 d-------- C:\Program Files\Skype
2008-08-11 00:47:19 0 d-------- C:\Program Files\Common Files\Skype
2008-08-11 00:47:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-07-31 17:40:45 0 d-------- C:\Program Files\7-Zip
2008-07-25 15:24:19 3532 --a------ C:\drmHeader.bin
2008-07-23 20:58:56 0 d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-07-23 19:27:58 0 d-------- C:\Documents and Settings\JEF14\Application Data\Gtek
2008-07-23 19:27:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Gtek


-- Find3M Report ---------------------------------------------------------------

2008-08-15 01:27:46 0 d-------- C:\Documents and Settings\JEF14\Application Data\DMCache
2008-08-15 01:19:43 0 d-------- C:\Documents and Settings\JEF14\Application Data\DNA
2008-08-14 05:47:59 0 d-------- C:\Program Files\PowerArchiver
2008-08-11 00:47:19 0 d-------- C:\Program Files\Common Files
2008-08-03 07:04:03 0 d-------- C:\Documents and Settings\JEF14\Application Data\Real
2008-07-21 19:25:56 327124 --a------ C:\amt1
2008-07-06 09:48:50 0 d-------- C:\Documents and Settings\JEF14\Application Data\Malwarebytes
2008-07-06 09:48:49 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-06 07:32:11 0 d-------- C:\Program Files\Alwil Software
2008-07-06 07:20:33 0 d-------- C:\Documents and Settings\JEF14\Application Data\TmpRecentIcons
2008-07-06 06:39:18 0 d-------- C:\Program Files\Trend Micro
2008-07-06 04:55:50 0 d-------- C:\Program Files\Kaspersky Lab
2008-07-06 04:46:43 0 d-------- C:\Program Files\rhccruj0e3f7
2008-07-06 04:34:51 0 d-------- C:\Documents and Settings\JEF14\Application Data\rhccruj0e3f7
2008-06-22 17:58:32 0 d-------- C:\Program Files\Internet Download Manager
2008-06-22 03:55:53 0 d-------- C:\Documents and Settings\JEF14\Application Data\BitTorrent
2008-06-21 03:52:51 0 d-------- C:\Documents and Settings\JEF14\Application Data\vlc
2008-06-21 03:51:36 0 d-------- C:\Program Files\VideoLAN
2008-06-16 02:17:57 0 d-------- C:\Documents and Settings\JEF14\Application Data\IDM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [02/26/2004 04:53 PM C:\WINDOWS\SOUNDMAN.EXE]
"SWd"="C:\WINDOWS\winwd.exe" [04/23/2004 01:51 AM]
"SDaemon"="C:\WINDOWS\sdaemon.exe" [04/23/2004 01:52 AM]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [07/09/2001 06:50 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 03:42 AM]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [02/28/2008 09:59 AM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [02/18/2008 04:29 PM]
"SMrhccruj0e3f7"="C:\Program Files\rhccruj0e3f7\rhccruj0e3f7.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/16/2008 07:19 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [05/09/2008 07:49 PM]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [06/13/2008 08:56 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [12/07/2007 03:08 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/11/2008 05:12 PM]

C:\Documents and Settings\JEF14\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"NoDispCPL"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMorePrograms"=0 (0x0)
"NoSetFolders"=0 (0x0)
"StartMenuLogOff"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2cccd593-89d2-11dc-9570-0004616cae4b}]
AutoRun\command- H:\autorun6e.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3054e66f-8f71-11dc-959d-0004616cae4b}]
AutoRun\command- ntdelect.com
explore\Command- ntdelect.com
open\Command- ntdelect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{884126b0-89d6-11dc-9572-0004616cae4b}]
AutoRun\command- G:\autorun6e.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{884126b7-89d6-11dc-9572-0004616cae4b}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fab70889-8dd0-11dc-9598-0004616cae4b}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
Explore\command- H:\Flash.10.Setup.exe
Open\command- H:\Flash.10.Setup.exe
Scan for Viruses\command- H:\Scanner.exe




-- End of Deckard's System Scanner: finished at 2008-08-15 01:28:18 ------------

EXTRA

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™
Percentage of Memory in Use: 67%
Physical Memory (total/avail): 511.48 MiB / 166.84 MiB
Pagefile Memory (total/avail): 1249.17 MiB / 602.64 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.53 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 19.56 GiB total, 1.38 GiB free.
D: is Fixed (NTFS) - 56.77 GiB total, 2.93 GiB free.
E: is CDROM (No Media)
F: is Fixed (NTFS) - 29.29 GiB total, 3.08 GiB free.
G: is Fixed (NTFS) - 41.99 GiB total, 1.6 GiB free.
H: is Fixed (NTFS) - 5.03 GiB total, 3.47 GiB free.
I: is CDROM (No Media)
J: is Removable (Unformatted)
K: is Removable (Unformatted)
L: is Removable (Unformatted)
M: is Removable (Unformatted)
N: is Removable (Unformatted)

\\.\PHYSICALDRIVE1 - Maxtor 6Y080L0 - 76.33 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 29.29 GiB - F:
\PARTITION1 - Extended w/Extended Int 13 - 47.03 GiB - G: - H:

\\.\PHYSICALDRIVE0 - Maxtor 6Y080L2 - 76.33 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 19.56 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 56.77 GiB - D:

\\.\PHYSICALDRIVE2 - Generic STORAGE DEVICE USB Device

\\.\PHYSICALDRIVE3 - Generic STORAGE DEVICE USB Device

\\.\PHYSICALDRIVE4 - Generic STORAGE DEVICE USB Device

\\.\PHYSICALDRIVE5 - Generic STORAGE DEVICE USB Device

\\.\PHYSICALDRIVE6 - Generic STORAGE DEVICE USB Device



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Kaspersky Anti-Virus v8.0.0.357 (Kaspersky Lab) Disabled
AV: avast! antivirus 4.8.1201 [VPS 080814-0] v4.8.1201 (ALWIL Software)
AV: Kaspersky Anti-Virus v8.0.0.357 (Kaspersky Lab) Disabled Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Valve\\Condition Zero\\hl.exe"="C:\\Valve\\Condition Zero\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Documents and Settings\\JEF14\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\JEF14\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 6\\PES6.exe"="C:\\Program Files\\KONAMI\\Pro Evolution Soccer 6\\PES6.exe:*:Enabled:pes6.exe"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\English\\setup.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\English\\setup.exe:*:Disabled:Kaspersky Anti-Virus 2009 Setup"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Disabled:Windows Media Player"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\JEF14\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JEF14-BB6DE1F4C
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\JEF14
LOGONSERVER=\\JEF14-BB6DE1F4C
LUMBER_OF_PROCESSORS=1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\Common Files\Nero\Lib\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JEF14\LOCALS~1\Temp
TMP=C:\DOCUME~1\JEF14\LOCALS~1\Temp
USERDOMAIN=JEF14-BB6DE1F4C
USERNAME=JEF14
USERPROFILE=C:\Documents and Settings\JEF14
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

JEF14 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.58 beta --> "C:\Program Files\7-Zip\Uninstall.exe"
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
AntivirXP08 --> "C:\Program Files\rhccruj0e3f7\uninstall.exe"
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
BitTorrent --> "C:\Program Files\BitTorrent\BitTorrent.exe" /UNINSTALL
Condition Zero --> C:\WINDOWS\Condition Zero Uninstaller.exe
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DNA --> "C:\Program Files\DNA\btdna.exe" /UNINSTALL
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Internet Download Manager --> C:\Program Files\Internet Download Manager\Uninstall.exe
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
K-Lite Mega Codec Pack 1.62 --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348) --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MP3 To Ringtone Gold 3.18 --> "C:\Program Files\AnMing\unins000.exe"
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
Nero 8 --> MsiExec.exe /X{D6D5CB84-0E6E-4E69-B300-C690B6911033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
PC Security ™ --> C:\Program Files\security\security.exe /U
PowerArchiver 2006 v9.63 --> "C:\Program Files\PowerArchiver\unins000.exe"
Pro Evolution Soccer 6 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EBB794ED-D282-4334-92FB-254481EFF514} /l1033
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Replay Converter 2.20 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Replay Converter\irunin.ini"
Skype 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Total Video Converter 3.11 070908 --> "C:\Program Files\Total Video Converter\unins000.exe"
TuneUp Utilities 2007 --> MsiExec.exe /I{C8BB4912-12D9-42AE-B571-E580D8CD1B5B}
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! 工具列 --> C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE


-- Application Event Log -------------------------------------------------------

Event Record #/Type2496 / Error
Event Submitted/Written: 08/14/2008 09:41:27 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2495 / Error
Event Submitted/Written: 08/14/2008 09:41:25 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2486 / Error
Event Submitted/Written: 08/14/2008 04:48:57 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application wmplayer.exe, version 11.0.5358.4827, faulting module gdiplus.dll, version 5.1.3102.2180, fault address 0x000460c2.
Processing media-specific event for [wmplayer.exe!ws!]

Event Record #/Type2485 / Error
Event Submitted/Written: 08/14/2008 04:48:52 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application wmplayer.exe, version 11.0.5358.4827, faulting module gdiplus.dll, version 5.1.3102.2180, fault address 0x000460c2.
Processing media-specific event for [wmplayer.exe!ws!]

Event Record #/Type2484 / Error
Event Submitted/Written: 08/14/2008 04:48:29 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application wmplayer.exe, version 11.0.5358.4827, faulting module gdiplus.dll, version 5.1.3102.2180, fault address 0x000460c2.
Processing media-specific event for [wmplayer.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1574 / Error
Event Submitted/Written: 08/14/2008 06:37:54 PM
Event ID/Source: 11 / Disk
Event Description:
The driver detected a controller error on \Device\Harddisk2\D.

Event Record #/Type1541 / Warning
Event Submitted/Written: 08/14/2008 05:41:07 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type1538 / Error
Event Submitted/Written: 08/13/2008 04:05:22 PM
Event ID/Source: 11 / Disk
Event Description:
The driver detected a controller error on \Device\Harddisk2\D.

Event Record #/Type1425 / Warning
Event Submitted/Written: 08/12/2008 04:03:13 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type1424 / Warning
Event Submitted/Written: 08/12/2008 03:27:05 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-08-15 01:28:18 ------------

KAV Scan

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, August 15, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 14, 2008 18:17:39
Records in database: 1093719
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
N:\

Scan statistics:
Files scanned: 64390
Threat name: 5
Infected objects: 10
Suspicious objects: 0
Duration of the scan: 02:36:38


File name / Threat name / Threats count
C:\Documents and Settings\JEF14\Desktop\Music\Kaspersky_Solution_No_black-By-Meeen.rar Infected: Trojan.Win32.Agent.rzw 1
C:\Documents and Settings\JEF14\My Documents\Ahead_Nero_Burning_ROM_v8.3.2.1_by_CiM\Keygen.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.aq 1
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\Kaspersky Solution.exe Infected: Trojan.Win32.Agent.rzw 1
C:\Program Files\rhccruj0e3f7\Uninstall.exe Infected: Trojan-Downloader.Win32.FraudLoad.vaxg 1
D:\Kaspersky KIS & KAV v8.0.0.357 Final + working keys - WORKS PERFECT\kav8.0.0.357en.exe Infected: Trojan-Downloader.Win32.Zlob.olh 1
D:\Kaspersky KIS & KAV v8.0.0.357 Final + working keys - WORKS PERFECT\kis8.0.0.357en.exe Infected: Trojan-Downloader.Win32.Zlob.olh 1
F:\Software Only\Ahead_Nero_Burning_ROM_v8.3.2.1_by_CiM\Keygen.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.aq 1
F:\Software Only\Kaspersky AntiVirus v7.0.1.325 + Long Lasting Keys 6-01-08\kav7.0.1.325en.exe Infected: Trojan-Downloader.Win32.Injecter.tz 1
F:\Software Only\Kaspersky KIS & KAV v8.0.0.357 Final + working keys - WORKS PERFECT\kav8.0.0.357en.exe Infected: Trojan-Downloader.Win32.Zlob.olh 1
F:\Software Only\Kaspersky KIS & KAV v8.0.0.357 Final + working keys - WORKS PERFECT\kis8.0.0.357en.exe Infected: Trojan-Downloader.Win32.Zlob.olh 1

The selected area was scanned.
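
The autostart and MountPoints2 entries in the Deckard's System Scanner log above are what a helper reads first. The Python script below is an added example for this thread, not part of Deckard's System Scanner, ComboFix or the original post: it parses a few lines constructed from the posted log (the HKLM Run key and two cached-autorun keys, in the layout DSS prints) and flags the patterns visible there: a Run entry with no file details, a random-looking install directory under Program Files, an executable dropped in the Windows root, and Explorer verbs cached from removable drives. The severity labels and heuristics are the example's own.

```python
"""Flag suspicious autostart and cached-autorun entries in a DSS/ComboFix-style log.

Added example for this thread; not part of Deckard's System Scanner or ComboFix.
Heuristics and severity labels are the example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the posted Run keys and MountPoints2 entries,
# in the layout Deckard's System Scanner prints them.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [02/26/2004 04:53 PM C:\WINDOWS\SOUNDMAN.EXE]
"SWd"="C:\WINDOWS\winwd.exe" [04/23/2004 01:51 AM]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [07/09/2001 06:50 PM]
"SMrhccruj0e3f7"="C:\Program Files\rhccruj0e3f7\rhccruj0e3f7.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/16/2008 07:19 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3054e66f-8f71-11dc-959d-0004616cae4b}]
AutoRun\command- ntdelect.com
open\Command- ntdelect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fab70889-8dd0-11dc-9598-0004616cae4b}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
Scan for Viruses\command- H:\Scanner.exe
"""

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
MP_LINE = re.compile(r"^(?P<verb>[^\\]+)\\[Cc]ommand-\s*(?P<cmd>.+)$")
WINDIR_ROOT = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+$", re.I)
PROGFILES_DIR = re.compile(r"^[A-Z]:\\Program Files\\(?P<dir>[^\\]+)\\", re.I)
STANDARD_VERBS = {"autorun", "open", "explore"}


@dataclass
class Finding:
    key: str        # registry key the entry lives under
    entry: str      # value name, or "{guid} verb" for MountPoints2
    severity: str   # "high" or "review"
    reason: str


def looks_random(name: str) -> bool:
    """Lower-case letters and digits mixed together, no spaces: e.g. rhccruj0e3f7."""
    if not re.fullmatch(r"[a-z0-9]{10,}", name):
        return False
    return any(c.isdigit() for c in name) and any(c.isalpha() for c in name)


def check_run(key: str, name: str, cmd: str, meta: str) -> list[Finding]:
    out: list[Finding] = []
    if meta == "":
        out.append(Finding(key, name, "high",
                           "no file details recorded: target missing or unreadable when scanned"))
    m = PROGFILES_DIR.match(cmd)
    if m and looks_random(m.group("dir")):
        out.append(Finding(key, name, "high",
                           f"random-looking install directory {m.group('dir')!r}"))
    if WINDIR_ROOT.match(cmd):
        out.append(Finding(key, name, "review",
                           "binary sits in the Windows root rather than system32: confirm the publisher"))
    return out


def check_mountpoint(key: str, verb: str, cmd: str) -> list[Finding]:
    """Any cached verb is worth a look; these three shapes are the clearly bad ones."""
    guid = key.rsplit("\\", 1)[-1]
    low = cmd.lower()
    if "shellexec_rundll" in low:
        reason = "autorun.inf shellexecute= cached: runs a program from the drive on insertion"
    elif low.endswith(".com"):
        reason = "autorun target is a .com file (ntdelect.com mimics the boot file ntdetect.com)"
    elif verb.lower() not in STANDARD_VERBS:
        reason = f"non-standard context-menu verb {verb!r} added by the drive's autorun.inf"
    else:
        return [Finding(key, f"{guid} {verb}", "review", "cached autorun verb from removable media")]
    return [Finding(key, f"{guid} {verb}", "high", reason)]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            key = m.group("key")
            continue
        if key.lower().endswith("\\run"):
            m = RUN_LINE.match(line)
            if m:
                findings += check_run(key, m.group("name"), m.group("cmd"), m.group("meta"))
        elif "\\mountpoints2\\" in key.lower():
            m = MP_LINE.match(line)
            if m:
                findings += check_mountpoint(key, m.group("verb"), m.group("cmd"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.entry}: {f.reason}")
```

On the sample the script reports the fake-AV launcher SMrhccruj0e3f7 twice (no file details, random directory), lists winwd.exe in the Windows root for review, and marks all four cached autorun verbs high; SoundMan, NeroCheck and avast! produce nothing. The "review" tier exists because legitimate software (Realtek's SOUNDMAN.EXE here) also lives in the Windows root, so that rule alone is not a verdict.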

#6 don77 (Forum Regular, Members, 3,212 posts, Boston Mass)

Posted 15 August 2008 - 06:30 PM

Hello jeff_v2 and welcome.

I highly recommend you stay clear of the cracks and keygens; they are the root of the problems on this machine.

Also, do you have a flash/thumb drive you're using? It could be an MP3 player or the like.

You have a few infections here to deal with.
Please follow the instructions the best you can and post all replies back to this topic for me, please.

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.
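
The MountPoints2 entries for drive H: in the log are what Explorer caches after reading an autorun.inf from a removable drive, which is why the question about thumb drives matters. The Python script below is an added example, not from the thread or from any tool mentioned in it: it parses a constructed autorun.inf, written to reproduce the verbs recorded for H: in the posted log, lists the actions that file would install, and renders them in the form the log shows. Two things are simplified assumptions of the example rather than documented behaviour: relative targets are prefixed with the drive letter (the log itself shows both prefixed and bare forms), and shellexecute= is rendered as the RunDLL32 ShellExec_RunDLL line the log records for it.

```python
"""Parse a removable-drive autorun.inf and list the Explorer verbs it installs.

Added example for this thread; the sample autorun.inf is constructed to
reproduce the MountPoints2 verbs recorded for H: in the posted log. The real
file that produced them is not on the page.
"""
from __future__ import annotations

import re

# Constructed sample (not the file from the infected drive).
SAMPLE_INF = r"""
[autorun]
; runs on insertion / AutoPlay
shellexecute=Flash.10.Setup.exe
; hijack double-click and the Explore verb
shell\Explore\command=Flash.10.Setup.exe
shell\Open\command=Flash.10.Setup.exe
; extra context-menu entry with a reassuring label
shell\Scan for Viruses\command=Scanner.exe
shell\Scan for Viruses=&Scan for Viruses
icon=Scanner.exe
"""

SHELL_CMD = re.compile(r"^shell\\(?P<verb>[^\\]+)\\command$", re.I)
SHELL_LABEL = re.compile(r"^shell\\(?P<verb>[^\\]+)$", re.I)
BUILTIN_VERBS = {"open", "explore", "autorun"}


def parse_autorun_inf(text: str) -> dict:
    """Collect the [autorun] keys that control what Explorer runs."""
    result = {"autorun": None, "via_shellexecute": False,
              "verbs": {}, "labels": {}, "default_verb": None, "other": {}}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        lk = key.lower()
        if lk == "open":                       # open= : the AutoRun action
            result["autorun"] = value
        elif lk == "shellexecute":             # shellexecute= : AutoRun via ShellExecute
            result["autorun"] = value
            result["via_shellexecute"] = True
        elif lk == "shell":                    # shell=<verb> : new double-click default
            result["default_verb"] = value
        elif (m := SHELL_CMD.match(key)):      # shell\<verb>\command=
            result["verbs"][m.group("verb")] = value
        elif (m := SHELL_LABEL.match(key)):    # shell\<verb>=<menu label>
            result["labels"][m.group("verb")] = value
        else:
            result["other"][lk] = value
    return result


def predicted_mountpoints2(parsed: dict, drive: str = "H:") -> dict[str, str]:
    """Verbs as they would appear under HKCU\\...\\MountPoints2\\{guid}\\Shell.

    Assumption of this example: relative targets get the drive letter, and a
    shellexecute= target is recorded in the ShellExec_RunDLL form the log shows.
    """
    def absolute(target: str) -> str:
        return target if re.match(r"^[A-Za-z]:\\", target) else f"{drive}\\{target}"

    out: dict[str, str] = {}
    if parsed["autorun"]:
        if parsed["via_shellexecute"]:
            out["AutoRun"] = (r"C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL "
                              + parsed["autorun"])
        else:
            out["AutoRun"] = absolute(parsed["autorun"])
    for verb, cmd in parsed["verbs"].items():
        out[verb] = absolute(cmd)
    return out


def assess(parsed: dict) -> list[str]:
    """Plain-language warnings about what the file would make Explorer do."""
    warns: list[str] = []
    if parsed["autorun"]:
        how = "shellexecute=" if parsed["via_shellexecute"] else "open="
        warns.append(f"{how} runs {parsed['autorun']} on insertion/AutoPlay")
    for builtin in ("open", "explore"):
        for verb, cmd in parsed["verbs"].items():
            if verb.lower() == builtin:
                warns.append(f"built-in verb {verb!r} overridden: it now runs {cmd}")
    for verb, cmd in parsed["verbs"].items():
        if verb.lower() not in BUILTIN_VERBS:
            label = parsed["labels"].get(verb, verb)
            warns.append(f"extra context-menu entry {label!r} runs {cmd}")
    if parsed["default_verb"]:
        warns.append(f"shell={parsed['default_verb']} makes that verb the double-click default")
    return warns


if __name__ == "__main__":
    parsed = parse_autorun_inf(SAMPLE_INF)
    for verb, cmd in predicted_mountpoints2(parsed, "H:").items():
        print(f"\\Shell\\{verb}\\command - {cmd}")
    for w in assess(parsed):
        print("!", w)
```

Run as-is it prints the four verbs in the same shape as the H: block of the log, followed by four warnings: the insertion-time action, the two hijacked built-in verbs, and the decoy "Scan for Viruses" entry. Deleting the MountPoints2 key alone does not help while the drive still carries the autorun.inf and its executables; the drive has to be cleaned as well.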


#7 jeff_v2 (Topic Starter, Members, 14 posts)

Posted 16 August 2008 - 03:43 PM

Thanks...
Will update it soon...

Any idea on how to remove the virus?

#8 don77 (Forum Regular, Members, 3,212 posts, Boston Mass)

Posted 16 August 2008 - 03:49 PM

My instructions above are the start of getting rid of it.

#9 jeff_v2 (Topic Starter, Members, 14 posts)

Posted 17 August 2008 - 05:40 AM

This is the log:

ComboFix 08-08-15.04 - JEF14 2008-08-17 16:47:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.225 [GMT 8:00]
Running from: C:\Documents and Settings\JEF14\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\JEF14\Application Data\rhccruj0e3f7
C:\Documents and Settings\JEF14\Cookies\jef14@ad.yieldmanager[1].txt
C:\Documents and Settings\JEF14\Cookies\jef14@ebay.com[2].txt
C:\Documents and Settings\JEF14\Cookies\jef14@forum.lowyat[2].txt
C:\Documents and Settings\JEF14\Cookies\jef14@metacafe[2].txt
C:\Documents and Settings\JEF14\Cookies\jef14@revsci[2].txt
C:\Documents and Settings\JEF14\Cookies\jef14@yahoo[2].txt
C:\Documents and Settings\JEF14\My Documents\keje\UiTM Degree File\B4\Antivir\Desktop_.ini
C:\Documents and Settings\JEF14\My Documents\keje\UiTM Degree File\B5\B5\CLUB MED\Desktop_.ini
C:\Documents and Settings\JEF14\My Documents\keje\UiTM Degree File\B5\B5\CTU\Desktop_.ini
C:\Documents and Settings\JEF14\My Documents\keje\UiTM Degree File\B5\B5\Desktop_.ini
C:\Documents and Settings\JEF14\My Documents\keje\UiTM Degree File\B5\B5\G.RETAIL\Desktop_.ini
C:\Documents and Settings\JEF14\My Documents\keje\UiTM Degree File\B5\B5\GM\Desktop_.ini
C:\Documents and Settings\JEF14\My Documents\keje\UiTM Degree File\B5\B5\ISSUE\Desktop_.ini
C:\Documents and Settings\JEF14\My Documents\keje\UiTM Degree File\B5\B5\RM\Desktop_.ini
C:\Documents and Settings\JEF14\My Documents\keje\UiTM Degree File\B5\B5\SM\Desktop_.ini
C:\Documents and Settings\JEF14\My Documents\keje\UiTM Degree File\B5\B5\SMM\Desktop_.ini
C:\Program Files\rhccruj0e3f7

.
((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))
.

2008-08-15 01:36 . 2008-08-15 01:36 <DIR> d-------- C:\WINDOWS\Sun
2008-08-15 01:36 . 2008-08-15 01:36 <DIR> d-------- C:\Program Files\Sun
2008-08-11 00:49 . 2008-08-17 16:01 <DIR> d-------- C:\Documents and Settings\JEF14\Application Data\skypePM
2008-08-11 00:49 . 2008-08-11 00:49 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-08-11 00:47 . 2008-08-11 00:47 <DIR> d-------- C:\Program Files\Skype
2008-08-11 00:47 . 2008-08-11 00:47 <DIR> d-------- C:\Program Files\Google
2008-08-11 00:47 . 2008-08-11 00:47 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-08-11 00:47 . 2008-08-17 16:55 <DIR> d-------- C:\Documents and Settings\JEF14\Application Data\Skype
2008-08-11 00:47 . 2008-08-11 00:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-07-31 17:40 . 2008-07-31 17:40 <DIR> d-------- C:\Program Files\7-Zip
2008-07-25 15:24 . 2008-07-25 15:24 3,532 --a------ C:\drmHeader.bin
2008-07-24 23:33 . 2008-07-24 23:33 <DIR> d-------- C:\Deckard
2008-07-23 20:58 . 2008-07-23 20:58 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-07-23 20:58 . 2006-03-17 13:00 161,792 --a------ C:\WINDOWS\system32\CNMLM7W.DLL
2008-07-23 19:27 . 2008-07-23 19:27 <DIR> d-------- C:\Documents and Settings\JEF14\Application Data\Gtek
2008-07-23 19:27 . 2008-07-23 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gtek
2008-07-23 19:14 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-23 19:14 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-07-22 16:02 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-22 16:02 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-17 08:53 --------- d-----w C:\Documents and Settings\JEF14\Application Data\DMCache
2008-08-17 08:51 --------- d-----w C:\Documents and Settings\JEF14\Application Data\DNA
2008-08-16 20:26 --------- d-----w C:\Program Files\PowerArchiver
2008-08-14 17:36 --------- d-----w C:\Program Files\Java
2008-07-06 02:17 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-06 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-06 01:48 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-06 01:48 --------- d-----w C:\Documents and Settings\JEF14\Application Data\Malwarebytes
2008-07-06 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-05 23:32 --------- d-----w C:\Program Files\Alwil Software
2008-07-05 22:39 --------- d-----w C:\Program Files\Trend Micro
2008-07-05 20:55 --------- d-----w C:\Program Files\Kaspersky Lab
2008-07-05 20:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-28 06:16 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-28 06:16 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-22 09:58 --------- d-----w C:\Program Files\Internet Download Manager
2008-06-21 19:55 --------- d-----w C:\Documents and Settings\JEF14\Application Data\BitTorrent
2008-06-20 19:52 --------- d-----w C:\Documents and Settings\JEF14\Application Data\vlc
2008-06-20 19:51 --------- d-----w C:\Program Files\VideoLAN
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-09 19:49 289088]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-06-13 20:56 2594224]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-11 17:12 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SWd"="C:\WINDOWS\winwd.exe" [2004-04-23 01:51 26624]
"SDaemon"="C:\WINDOWS\sdaemon.exe" [2004-04-23 01:52 111104]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 18:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 09:59 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 16:53 65024 C:\WINDOWS\SOUNDMAN.EXE]

C:\Documents and Settings\JEF14\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Valve\\Condition Zero\\hl.exe"=
"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 6\\PES6.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\English\\setup.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=

R0 WINSEC;WINSEC;C:\WINDOWS\system32\drivers\WINSEC.SYS [2004-05-25 09:12]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 07:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 07:16]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2005-01-07 08:00]
R2 winser;winser;C:\WINDOWS\system32\winsersec.exe [2004-04-23 01:51]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2cccd593-89d2-11dc-9570-0004616cae4b}]
\Shell\AutoRun\command - H:\autorun6e.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3054e66f-8f71-11dc-959d-0004616cae4b}]
\Shell\AutoRun\command - ntdelect.com
\Shell\explore\Command - ntdelect.com
\Shell\open\Command - ntdelect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{884126b0-89d6-11dc-9572-0004616cae4b}]
\Shell\AutoRun\command - G:\autorun6e.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fab70889-8dd0-11dc-9598-0004616cae4b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Explore\command - H:\Flash.10.Setup.exe
\Shell\Open\command - H:\Flash.10.Setup.exe
\Shell\Scan for Viruses\command - H:\Scanner.exe
.
Contents of the 'Scheduled Tasks' folder

2008-07-25 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-26 21:51]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SMrhccruj0e3f7 - C:\Program Files\rhccruj0e3f7\rhccruj0e3f7.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O8 -: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 -: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 -: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-17 16:53:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
.
**************************************************************************
.
Completion time: 2008-08-17 16:57:54 - machine was rebooted [JEF14]
ComboFix-quarantined-files.txt 2008-08-17 08:57:48

Pre-Run: 934,961,152 bytes free
Post-Run: 1,281,404,928 bytes free


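The MountPoints2 blocks in the ComboFix log above are the part of this post worth understanding before answering the thumb-drive question that follows. HKCU\...\Explorer\MountPoints2 is where Explorer caches, per user and keyed by volume GUID, the shell verbs it read from a removable volume's autorun.inf. The cached handlers survive after the drive is unplugged, so an entry that points the AutoRun, Open or Explore verb at H:\autorun6e.exe or at a bare file name such as ntdelect.com (resolved from the volume root) will run that file the next time the same volume is double-clicked. The script below is an added example, not ComboFix output or anything the poster or helper ran: it parses the four MountPoints2 blocks copied from the log (embedded as a constructed sample) and tags each handler with a few heuristics. The heuristics, the SYSTEM_DRIVE value and the LOOKALIKES table (ntdelect.com imitating the legitimate XP boot file ntdetect.com) are assumptions chosen for this log, not a general malware signature.

```python
import re

# Constructed sample: the four MountPoints2 blocks copied from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2cccd593-89d2-11dc-9570-0004616cae4b}]
\Shell\AutoRun\command - H:\autorun6e.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3054e66f-8f71-11dc-959d-0004616cae4b}]
\Shell\AutoRun\command - ntdelect.com
\Shell\explore\Command - ntdelect.com
\Shell\open\Command - ntdelect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{884126b0-89d6-11dc-9572-0004616cae4b}]
\Shell\AutoRun\command - G:\autorun6e.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fab70889-8dd0-11dc-9598-0004616cae4b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Explore\command - H:\Flash.10.Setup.exe
\Shell\Open\command - H:\Flash.10.Setup.exe
\Shell\Scan for Viruses\command - H:\Scanner.exe
"""

# One block header per volume GUID, as ComboFix prints it.
KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(\{[0-9a-f-]{36}\})\]$", re.IGNORECASE)
# One line per shell verb: "\Shell\<verb>\command - <command line>".
VERB_RE = re.compile(r"^\\Shell\\([^\\]+)\\command - (.+)$", re.IGNORECASE)
DRIVE_RE = re.compile(r"^([a-z]):\\", re.IGNORECASE)

SYSTEM_DRIVE = "c"  # assumption: Windows lives on C: on this machine
# Assumption: file names that imitate legitimate Windows files (ntdetect.com is the XP boot helper).
LOOKALIKES = {"ntdelect.com": "ntdetect.com"}


def parse_mountpoints2(log_text):
    """Return {volume_guid: {verb: command}} for every MountPoints2 block in a ComboFix log."""
    entries, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            entries[current] = {}
            continue
        verb = VERB_RE.match(line)
        if verb and current is not None:
            entries[current][verb.group(1).lower()] = verb.group(2).strip()
    return entries


def assess(handlers):
    """Return (tag, verb, command) findings for one volume's cached shell verbs."""
    findings = []
    for verb, cmd in handlers.items():
        low = cmd.lower()
        # Open/Explore are what a double-click or right-click "Explore" on the drive runs.
        if verb in ("open", "explore"):
            findings.append(("verb-hijack", verb, cmd))
        # rundll32 Shell32.DLL,ShellExec_RunDLL <file> is a launcher, not a program of its own.
        if "shellexec_rundll" in low:
            findings.append(("rundll32-launcher", verb, cmd))
        drive = DRIVE_RE.match(low)
        if drive is None:
            findings.append(("bare-filename", verb, cmd))      # resolved from the volume root
        elif drive.group(1) != SYSTEM_DRIVE:
            findings.append(("nonsystem-volume", verb, cmd))   # executable lives on the removable drive
        exe = low.split()[-1].rsplit("\\", 1)[-1]
        if exe in LOOKALIKES:
            findings.append(("lookalike-name", verb, cmd))
    return findings


def report(log_text):
    """Map each volume GUID in the log to its findings (an empty list means nothing flagged)."""
    return {guid: assess(handlers) for guid, handlers in parse_mountpoints2(log_text).items()}


def tags_for(log_text, guid):
    """Sorted, de-duplicated tags for one volume GUID."""
    return sorted({tag for tag, _, _ in report(log_text).get(guid.lower(), [])})


if __name__ == "__main__":
    for guid, findings in report(SAMPLE_LOG).items():
        print(guid)
        for tag, verb, cmd in findings:
            print(f"  [{tag}] {verb} -> {cmd}")
```

Run against the sample, every one of the four volumes is flagged, and the {3054e66f-...} volume stands out because all three verbs are redirected to a bare ntdelect.com: plugging that drive in and double-clicking it would run the file from the drive's root. Because the key is per-user and per-volume-GUID, the same drive will keep reproducing these entries until the autorun.inf and executables on the drive itself are removed, which is why the helper asks to run ComboFix again with the thumb drive connected.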
#10 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:08:55 AM

Posted 19 August 2008 - 07:08 PM

Sorry for the delay

Also, do you have a flash/thumb drive you're using? Could be an MP3 player or the like?



#11 jeff_v2

jeff_v2
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:55 PM

Posted 20 August 2008 - 10:55 AM

Yup, I do have a thumb drive...
Also using an external HDD sometimes...
So what now??? :thumbsup:
Thankssss


#12 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:08:55 AM

Posted 21 August 2008 - 06:19 PM

Could you plug the thumb drive in and run ComboFix again, please?

#13 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:08:55 AM

Posted 30 August 2008 - 07:16 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



