
Need Help With Logfile


  • This topic is locked
11 replies to this topic

#1 riz_cola

  • Members
  • 20 posts
  • Gender: Male
Posted 02 August 2008 - 05:42 PM

My computer also has that screen saying "Warning: Spyware threat has been detected on your PC." and random popups coming up like everyone else. I tried using Spybot - Search & Destroy, but it couldn't delete all the spyware, malware, etc. Most of them were CoolWebSearch and Smitfraud-C.

Here's my log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:04:09 PM, on 8/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\444.470
C:\WINDOWS\portsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\uoyzsydz.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\windows\system32\rwwnw64d.exe
C:\WINDOWS\system32\lcntltdm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\CROSOF~1.NET\wuauclt.exe
C:\WINDOWS\??stem\n?lookup.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,C:\WINDOWS\system32\uoyzsydz.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: {887ba623-4828-303a-d184-fc9045afcd22} - {22dcfa54-09cf-481d-a303-8284326ab788} - C:\WINDOWS\system32\gssphw.dll
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {36953122-9F7C-4461-AF35-E23242461FD7} - C:\WINDOWS\system32\efcASlKa.dll (file missing)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {49EEEE5B-AFFF-468B-9ED1-0D21A1EDA000} - C:\WINDOWS\system32\efcARheE.dll (file missing)
O2 - BHO: (no name) - {4C30E873-A2C7-4F55-BA81-1EDCDA538E9B} - C:\WINDOWS\system32\hgGxVLDu.dll (file missing)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {8F5BD743-5F90-493D-87F7-058E65D2B769} - C:\WINDOWS\system32\xxyabcCv.dll (file missing)
O2 - BHO: (no name) - {977EA5E8-663C-461F-9FDB-4A3C790F0758} - C:\WINDOWS\system32\cfgbken.dll
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: gooochi browser optimizer - {d83b4336-080b-6aca-0539-261d6e3f14db} - C:\WINDOWS\system32\salplngkmdwup.dll
O2 - BHO: (no name) - {D887549D-7759-4EE1-B290-5381879DB8FD} - C:\WINDOWS\system32\opnmLcyA.dll (file missing)
O2 - BHO: (no name) - {D9329E1A-54AA-7D50-FF4E-70A2939F1F90} - C:\WINDOWS\system32\bnwaexty.dll
O2 - BHO: (no name) - {E075D3D1-9A49-4320-A78C-24402A15C040} - C:\WINDOWS\system32\byXRkIXP.dll (file missing)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {E914A919-76B6-3F61-D20C-488FD5D966FC} - C:\WINDOWS\system32\zbvhrfia.dll (file missing)
O2 - BHO: (no name) - {F912FACD-EFB9-40D5-A740-8C73ADD42FAB} - C:\WINDOWS\system32\opnlLFVp.dll (file missing)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [{D3-3E-E5-5A-DW}] C:\windows\system32\rwwnw64d.exe DWram02
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lcntltdm.exe DWram02
O4 - HKLM\..\Run: [{3a704415-8bc4-9e64-c56d-95646abdd57d}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\salplngkmdwup.dll" DllStart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKCU\..\Run: [Shdo] "C:\WINDOWS\system32\CROSOF~1.NET\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [Qca] C:\WINDOWS\??stem\n?lookup.exe
O4 - HKUS\S-1-5-21-2025429265-1078145449-1708537768-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Rick')
O4 - S-1-5-21-2025429265-1078145449-1708537768-1003 Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntltdm.exe (User 'Rick')
O4 - S-1-5-21-2025429265-1078145449-1708537768-1003 Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'Rick')
O4 - S-1-5-21-2025429265-1078145449-1708537768-1003 User Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntltdm.exe (User 'Rick')
O4 - S-1-5-21-2025429265-1078145449-1708537768-1003 User Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'Rick')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntltdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AF5A3AD-7655-4EB3-B120-9E974CB0E674}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BBDE76E-295E-4216-9C23-573FD3FB60E0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{6AF5A3AD-7655-4EB3-B120-9E974CB0E674}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{6AF5A3AD-7655-4EB3-B120-9E974CB0E674}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: efcASlKa - efcASlKa.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe

--
End of file - 9515 bytes

Many thanks for helping :thumbsup:

Edited by riz_cola, 02 August 2008 - 05:50 PM.

It takes more muscle to frown than it is to smile...

So smile foo!
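Triage example, added here for readers of this thread; it is not part of riz_cola's post and it is not HijackThis code. The log above contains the persistence points a reviewer checks first: an F2 UserInit chain with two extra executables appended after userinit.exe, dozens of orphaned O2 BHO CLSIDs, O4 Run and Startup entries with consonant-only file names, a bare msiconf.exe that Windows resolves through PATH, a path HijackThis printed with ? in place of non-ASCII characters, and O23 services with "Unknown owner". The Python below encodes those checks and runs them over lines copied from the posted log. The minimum name length and vowel-ratio threshold in looks_random() are assumptions chosen for this example, not rules from HijackThis.

```python
"""Triage helper for Trend Micro HijackThis v2.0.x log lines.

Added example; not part of the original post or of HijackThis itself. It names
no malware family, it only surfaces structural red flags a log reviewer checks
first. MIN_STEM_LEN and MAX_VOWEL_RATIO are assumptions, not HijackThis rules.
"""
import re
from typing import List, Tuple

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,C:\WINDOWS\system32\uoyzsydz.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {977EA5E8-663C-461F-9FDB-4A3C790F0758} - C:\WINDOWS\system32\cfgbken.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [{D3-3E-E5-5A-DW}] C:\windows\system32\rwwnw64d.exe DWram02
O4 - HKLM\..\Run: [{3a704415-8bc4-9e64-c56d-95646abdd57d}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\salplngkmdwup.dll" DllStart
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKCU\..\Run: [Qca] C:\WINDOWS\??stem\n?lookup.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntltdm.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
"""

MIN_STEM_LEN = 8        # assumption: shorter names (jusched, msiconf) give too many false hits
MAX_VOWEL_RATIO = 0.25  # assumption: rwwnw64d, lcntltdm, uoyzsydz all sit at or below this
EXEC_RE = re.compile(r'^\s*"?(.+?\.(?:exe|dll|com|bat|scr|pif|cmd))"?', re.IGNORECASE)
O2_RE = re.compile(r"^O2 - BHO: (.*) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (?:.*?\] |.*\.lnk = )(.*)$")   # "[name] cmd" or "x.lnk = cmd"
WINDIR_ROOT_RE = re.compile(r"[A-Za-z]:\\windows\\[^\\]+$", re.IGNORECASE)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def looks_random(filename: str) -> bool:
    """Consonant-heavy stems such as rwwnw64d or lcntltdm. rundll32 also trips
    this, which is why triage_line() handles it before calling here."""
    stem = filename.rsplit(".", 1)[0].lower()
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < MIN_STEM_LEN or not letters:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) <= MAX_VOWEL_RATIO

def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run-key command line into (target file, remaining arguments)."""
    m = EXEC_RE.match(cmd)
    if not m:
        return cmd.strip(), ""
    return m.group(1), cmd[m.end():].strip()

def check_target(path: str) -> List[str]:
    """Findings that apply to any entry naming an executable or DLL."""
    out = []
    if "?" in path:                 # HijackThis prints non-ASCII path characters as '?'
        out.append("non-ASCII characters in path")
    if "\\" not in path:            # no directory given: resolved through PATH at logon
        out.append("bare filename, resolved through PATH")
    if looks_random(basename(path)):
        out.append("random-looking file name")
    return out

def triage_line(line: str) -> List[str]:
    """Return the findings for one HijackThis line; an empty list means nothing notable."""
    line = line.strip()
    if line.startswith("F2 - ") and "UserInit=" in line:
        chain = line.split("UserInit=", 1)[1].split(",")
        return ["UserInit also loads " + p for p in chain if p and basename(p).lower() != "userinit.exe"]
    m = O2_RE.match(line)
    if m:
        name, clsid, path = m.groups()
        if path == "(no file)" or path.endswith("(file missing)"):
            return ["orphaned BHO " + clsid + ", CLSID still registered"]
        out = check_target(path)
        if name == "(no name)" and "\\system32\\" in path.lower():
            out.append("unnamed BHO loading from system32")
        return out
    m = O4_RE.match(line)
    if m:
        cmd = m.group(1)
        if cmd == "?":              # HijackThis could not resolve the shortcut target
            return []
        target, args = split_command(cmd)
        if basename(target).lower() == "rundll32.exe":   # judge the DLL it loads, not rundll32
            dll, _ = split_command(args)
            return ["rundll32 loads " + basename(dll) + ": " + f for f in check_target(dll)]
        return check_target(target)
    if line.startswith("O23 - Service:"):
        _, owner, path = line.rsplit(" - ", 2)
        out = ["service with no vendor information"] if owner == "Unknown owner" else []
        if path.endswith("(file missing)"):
            out.append("service binary missing")
        elif WINDIR_ROOT_RE.fullmatch(path):   # legitimate services rarely live in %windir% itself
            out.append("service binary directly under %windir%")
        return out
    return []

def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run triage_line over a whole log; (line, finding) pairs in log order."""
    return [(ln.strip(), f) for ln in log_text.splitlines() for f in triage_line(ln)]

if __name__ == "__main__":
    for ln, finding in triage(SAMPLE_LOG):
        print(f"{finding:<50} <- {ln}")
```

Run against the sample, every flagged line is one the helpers in this thread would also have asked about, while the Java updater, Google toolbar and Google updater entries come back clean. The name heuristic is deliberately loose; it is a prompt to look up the file, not a verdict.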

#2 SNOWHITE

    missy malware magnet

  • Members
  • 2,676 posts
  • Gender: Female
  • Location: Bitola, Macedonia

Posted 10 August 2008 - 11:25 PM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below, a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run, as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


If you already performed the steps above, we still need to see the current state of the machine; a fresh scan and logs are still necessary.

Click on Start, then click on Run.
Copy and paste the following (in bold) into the Open window and then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open the DSS configuration.
Click on Check All.
Click Scan.
DSS will now run again. When it has finished,
please post back both logs that open in Notepad,
main.txt and extra.txt.



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with dss reports main.txt, extra.txt and Kaspersky report.

Regards
SNOWHITE

#3 riz_cola

  • Topic Starter
  • Members
  • 20 posts
  • Gender: Male

Posted 14 August 2008 - 10:21 PM

Hello, here's the stuff you've asked for.

Main.txt

Deckard's System Scanner v20071014.68
Run by Arris on 2008-08-14 20:05:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; disk is full.


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 128 MiB (512 MiB recommended).
System Drive C: has 0.07 GiB (less than 15%) free.


-- HijackThis (run as Arris.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:09, on 08/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system32\rwwnw64d.exe
C:\WINDOWS\system32\lcntltdm.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Arris.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [{D3-3E-E5-5A-DW}] c:\windows\system32\rswnw64n.exe DWram02
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lcntltdm.exe DWram02
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntltdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AF5A3AD-7655-4EB3-B120-9E974CB0E674}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BBDE76E-295E-4216-9C23-573FD3FB60E0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{6AF5A3AD-7655-4EB3-B120-9E974CB0E674}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{6AF5A3AD-7655-4EB3-B120-9E974CB0E674}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe

--
End of file - 4536 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 sfloppyy - c:\windows\system32\drivers\sfloppyy.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R3 DNINDIS5 (DNINDIS5 NDIS Protocol Driver) - c:\windows\system32\dnindis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S3 catchme - c:\docume~1\arris\locals~1\temp\catchme.sys (file missing)
S3 N5SG (Airlink101 SuperG Wireless Network Adapter Service) - c:\windows\system32\drivers\n5sg.sys <Not Verified; Atheros Communications, Inc.; Atheros AR5001 Wireless Network Adapter>
S3 W8335XP (802.11g/b Driver for Windows XP ) - c:\windows\system32\drivers\mrvw125.sys <Not Verified; Marvell Semiconductor, Inc; Device driver for Marvell 802.11 NIC>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 PlugPlayRPC (Plug and Play (RPC)) - c:\windows\portsv.exe service


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-07-14 and 2008-08-14 -----------------------------

2008-08-13 21:53:48 686630 --a------ C:\dss.exe
2008-08-13 14:44:04 0 d-------- C:\Program Files\Common Files\??sembly
2008-08-13 02:41:08 0 d-------- C:\Program Files\Java
2008-08-13 02:39:39 0 d-------- C:\Program Files\Common Files\Java
2008-08-12 19:57:51 68096 --a------ C:\WINDOWS\zip.exe
2008-08-12 19:57:51 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-12 19:57:51 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-12 19:57:51 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-12 19:57:51 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-12 19:57:51 98816 --a------ C:\WINDOWS\sed.exe
2008-08-12 19:57:51 80412 --a------ C:\WINDOWS\grep.exe
2008-08-12 19:57:51 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-12 13:29:16 0 d-------- C:\WINDOWS\ERUNT
2008-08-02 23:27:37 314469 --a------ C:\WINDOWS\system32\winivstr.exe
2008-08-02 23:26:23 10752 --a------ C:\WINDOWS\system32\univrs32.dat
2008-08-02 23:25:40 206 --a------ C:\Documents and Settings\Arris\delself.bat
2008-08-02 23:24:16 6144 --a------ C:\WINDOWS\system32\karina.dat
2008-08-02 23:24:16 15872 --a------ C:\WINDOWS\system32\buritos.exe
2008-08-02 23:24:16 6144 --a------ C:\WINDOWS\karina.dat
2008-08-02 23:24:16 15872 --a------ C:\WINDOWS\buritos.exe
2008-08-02 23:18:43 15872 --a------ C:\WINDOWS\system32\braviax.exe
2008-08-02 23:18:23 50189 --a------ C:\Documents and Settings\Arris\win.exe
2008-08-02 15:00:51 0 d-------- C:\Program Files\Trend Micro
2008-08-02 13:25:34 30976 --a------ C:\WINDOWS\editpad.exe
2008-07-30 18:36:48 25344 --a------ C:\WINDOWS\internet.exe
2008-07-28 16:36:25 0 d-------- C:\CWS
2008-07-23 16:35:07 81408 --a------ C:\WINDOWS\system32\uulyrfan.dll
2008-07-23 16:33:52 96768 --a------ C:\WINDOWS\system32\gssphw.dll
2008-07-23 16:33:51 96768 --a------ C:\WINDOWS\system32\iqsjqanl.dll
2008-07-23 16:31:55 1646 --ahs---- C:\WINDOWS\system32\PXIkRXyb.ini2
2008-07-21 23:17:58 95232 --a------ C:\WINDOWS\system32\rabpqt.dll
2008-07-21 23:17:54 95232 --a------ C:\WINDOWS\system32\dgccxsuq.dll
2008-07-21 23:11:54 849568 --ahs---- C:\WINDOWS\system32\uDLVxGgh.ini2
2008-07-15 20:55:53 9728 --a------ C:\WINDOWS\waol.exe
2008-07-14 21:00:51 0 d--h----- C:\WINDOWS\PIF
2008-07-14 20:32:41 266 -r-hs---- C:\WINDOWS\A


-- Find3M Report ---------------------------------------------------------------

2008-08-14 15:02:06 862 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-08-13 14:44:04 0 d-------- C:\Program Files\Common Files
2008-08-13 14:44:04 0 d-------- C:\Program Files\Common Files\??sembly
2008-07-30 18:16:16 0 d-------- C:\Program Files\Windows Media Connect 2
2008-07-21 16:00:09 101632 --a------ C:\WINDOWS\system32\cfgbken.dll
2008-07-14 13:17:58 5689 --ahs---- C:\WINDOWS\system32\AycLmnpo.ini2
2008-07-13 18:52:34 103424 --a------ C:\WINDOWS\system32\wiklbcgc.dll
2008-07-13 18:52:34 103424 --a------ C:\WINDOWS\system32\fvffxu.dll
2008-07-13 18:50:21 91648 --a------ C:\WINDOWS\system32\evcgrbuu.dll
2008-07-13 17:46:27 9216 --a------ C:\WINDOWS\win32e.exe
2008-07-13 00:40:33 742064 --ahs---- C:\WINDOWS\system32\vCcbayxx.ini2
2008-07-11 20:53:31 103424 --a------ C:\WINDOWS\system32\tgjqtuug.dll
2008-07-11 20:53:31 103424 --a------ C:\WINDOWS\system32\kablur.dll
2008-07-11 10:17:09 736874 --ahs---- C:\WINDOWS\system32\pVFLlnpo.ini2
2008-07-11 10:07:49 9472 --a------ C:\WINDOWS\xplugin.dll
2008-07-10 19:41:52 102912 --a------ C:\WINDOWS\system32\seamnsba.dll
2008-07-10 19:41:52 102912 --a------ C:\WINDOWS\system32\mctpjs.dll
2008-07-10 19:29:13 718640 --ahs---- C:\WINDOWS\system32\EehRAcfe.ini2
2008-07-10 14:25:03 102912 --a------ C:\WINDOWS\system32\gsgbqpwi.dll
2008-07-10 14:25:03 102912 --a------ C:\WINDOWS\system32\bbdtrh.dll
2008-07-08 21:44:11 103936 --a------ C:\WINDOWS\system32\keedza.dll
2008-07-08 21:44:11 103936 --a------ C:\WINDOWS\system32\dlvqvkbj.dll
2008-07-08 21:41:09 78848 --a------ C:\WINDOWS\system32\smiygwum.dll
2008-07-08 20:58:50 91136 --a------ C:\WINDOWS\system32\ilfvownn.dll
2008-07-08 01:14:24 298308 --a------ C:\WINDOWS\system32\gside.exe
2008-07-07 17:59:35 49174 --a------ C:\WINDOWS\system32\rswnw64n.exe <Not Verified; ; Browser Driver>
2008-07-07 17:50:14 55808 --a------ C:\WINDOWS\portsv.exe
2008-07-07 17:31:53 41984 --a------ C:\WINDOWS\17PHolmes572.exe
2008-07-07 17:09:40 9472 --a------ C:\WINDOWS\time.exe
2008-07-07 17:09:38 30208 --a------ C:\WINDOWS\svcinit.exe
2008-07-07 17:09:34 15104 --a------ C:\WINDOWS\svchost32.exe
2008-07-07 17:09:32 32000 --a------ C:\WINDOWS\searchword.dll
2008-07-07 17:09:27 17408 --a------ C:\WINDOWS\rundll16.exe
2008-07-07 17:09:23 23552 --a------ C:\WINDOWS\qttasks.exe
2008-07-07 17:09:16 21504 --a------ C:\WINDOWS\mswsc20.dll
2008-07-07 17:09:14 9984 --a------ C:\WINDOWS\mswsc10.dll
2008-07-07 17:09:12 11776 --a------ C:\WINDOWS\msspi.dll
2008-07-07 17:09:11 16128 --a------ C:\WINDOWS\msconfd.dll
2008-07-07 17:09:08 18688 --a------ C:\WINDOWS\inetinf.exe
2008-07-07 17:09:03 14592 --a------ C:\WINDOWS\helpcvs.exe
2008-07-07 17:09:02 9216 --a------ C:\WINDOWS\gfmnaaa.dll
2008-07-07 17:08:57 16640 --a------ C:\WINDOWS\explorer32.exe
2008-07-07 17:08:53 26368 --a------ C:\WINDOWS\dnsrelay.dll
2008-07-07 17:08:50 25088 --a------ C:\WINDOWS\directx32.exe
2008-07-07 17:08:43 28928 --a------ C:\WINDOWS\ctfmon32.exe
2008-07-07 17:08:39 8704 --a------ C:\WINDOWS\cpan.dll
2008-07-07 16:51:14 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-07-07 16:50:34 200765 --a------ C:\WINDOWS\system32\lcntltdm.exe
2008-07-07 16:50:23 152079 --a------ C:\WINDOWS\system32\g54.exe
2008-07-07 16:49:55 41984 --a------ C:\WINDOWS\mrofinu572.exe
2008-07-07 16:49:48 89561 --a------ C:\WINDOWS\system32\uoyzsydz.exe <Not Verified; keir.net; MD5File>
2008-07-07 16:49:48 89561 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-07-07 16:49:11 49166 --a------ C:\WINDOWS\system32\rwwnw64d.exe <Not Verified; ; Browser Driver>
2008-07-07 16:48:50 41984 --a------ C:\WINDOWS\mrofinu1000106.exe
2008-06-20 00:42:02 0 d-------- C:\Documents and Settings\Arris\Application Data\LimeWire
2008-06-17 23:46:05 0 d-------- C:\Program Files\Movie Maker
2008-05-31 14:50:03 768 --a------ C:\WINDOWS\system32\d3d8caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{D3-3E-E5-5A-DW}"="c:\windows\system32\rswnw64n.exe" [07/07/2008 05:59]
"ExploreUpdSched"="C:\WINDOWS\system32\lcntltdm.exe" [07/07/2008 04:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 05:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/06/2008 07:30]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/30/2008 02:45]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/04/2004 01:06]

C:\Documents and Settings\Arris\Start Menu\Programs\Startup\
Deewoo.lnk - C:\WINDOWS\system32\lcntltdm.exe [07/07/2008 04:50:33 PM]
DW_Start.lnk - C:\WINDOWS\system32\rwwnw64d.exe [07/07/2008 04:49:11 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [02/13/2001 02:01:04 AM]
NETGEAR WPN111 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN111\wpn111.exe [02/08/2008 03:18:00 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXRkIXP

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Arris^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Arris\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Arris^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Arris\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rick^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Rick\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rick^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Rick\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\svchost.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8972 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-14 20:11:11 ------------


Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Pentium II processor
Percentage of Memory in Use: 81%
Physical Memory (total/avail): 127.48 MiB / 23.14 MiB
Pagefile Memory (total/avail): 403.31 MiB / 245.67 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1940.32 MiB

C: is Fixed (NTFS) - 3.03 GiB total, 0.07 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IBM-DYKA-23240 - 3.03 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 3.03 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Arris\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOME-3BD3D7E55A
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Arris
LOGONSERVER=\\HOME-3BD3D7E55A
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 6 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=060a
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Arris\LOCALS~1\Temp
TMP=C:\DOCUME~1\Arris\LOCALS~1\Temp
USERDOMAIN=HOME-3BD3D7E55A
USERNAME=Arris
USERPROFILE=C:\Documents and Settings\Arris
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Rick (admin)
Arris (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LimeWire 4.18.2 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
NETGEAR RangeMax™ Wireless USB 2.0 Adapter WPN111 --> C:\Program Files\InstallShield Installation Information\{582E9125-32B6-4CBA-AB48-3E33CE3DB389}\setup.exe -runfromtemp -l0x0009 -removeonly
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1020 / Error
Event Submitted/Written: 08/14/2008 04:22:17 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application teatimer.exe, version 1.6.1.22, faulting module kernel32.dll, version 5.1.2600.2180, fault address 0x0001eb33.
Processing media-specific event for [teatimer.exe!ws!]

Event Record #/Type1007 / Error
Event Submitted/Written: 08/13/2008 03:29:14 AM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type1006 / Error
Event Submitted/Written: 08/13/2008 03:04:19 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application teatimer.exe, version 1.6.1.22, faulting module kernel32.dll, version 5.1.2600.2180, fault address 0x0001eb33.
Processing media-specific event for [teatimer.exe!ws!]

Event Record #/Type1004 / Error
Event Submitted/Written: 08/13/2008 01:12:59 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module flash9f.ocx, version 9.0.124.0, fault address 0x00055b27.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type1003 / Error
Event Submitted/Written: 08/12/2008 01:01:56 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module flash9f.ocx, version 9.0.124.0, fault address 0x00055b27.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9718 / Error
Event Submitted/Written: 08/14/2008 02:40:14 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type9717 / Error
Event Submitted/Written: 08/14/2008 10:46:08 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
Fips
IPSec
MRxSmb
NetBIOS
NetBT
Processor
RasAcd
Rdbss
Tcpip

Event Record #/Type9716 / Error
Event Submitted/Written: 08/14/2008 10:46:08 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type9715 / Error
Event Submitted/Written: 08/14/2008 10:46:08 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
%%31

Event Record #/Type9714 / Error
Event Submitted/Written: 08/14/2008 10:46:08 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-08-14 20:11:11 ------------


Kaspersky Report

Thursday, August 14, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 14, 2008 23:17:05
Records in database: 1093987


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Files scanned 23905
Threat name 31
Infected objects 55
Suspicious objects 0
Duration of the scan 04:12:41

File name Threat name Threats count
C:\Documents and Settings\Arris\Application Data\Sun\Java\Deployment\cache\6.0\39\6fed5667-79de24b8 Infected: Exploit.Java.ByteVerify 2

C:\Documents and Settings\Arris\Application Data\Sun\Java\Deployment\cache\6.0\39\6fed5667-79de24b8 Infected: Trojan-Downloader.Java.OpenConnection.aa 1

C:\Documents and Settings\Arris\win.exe Infected: Trojan.Win32.BHO.flc 1

C:\Documents and Settings\Guest\ie_updates3r.exe Infected: Trojan.Win32.Buzus.dfy 1

C:\Documents and Settings\Guest\Local Settings\Temp\tmp1.tmp Infected: Trojan-Proxy.Win32.Agent.aee 1

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\Update_0803_KB130720.exe Infected: Trojan-Downloader.Win32.Injecter.gx 1

C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\056JW1I7\params[1].js Infected: Trojan-Downloader.JS.Agent.clm 1

C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\4123KDY3\kb456456[1] Infected: Trojan.Win32.Monderc.gen 1

C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\45WFEBCF\kb767887[1] Infected: Trojan.Win32.Monderc.gen 1

C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\90839XO9\CA7AM9VR Infected: Trojan.Win32.Monderc.gen 1

C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\G7LZMQRX\kb671231[1] Infected: Trojan.Win32.Monderc.gen 1

C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\PJVRP98E\index[1].js Infected: Trojan-Downloader.JS.Agent.cln 1

C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\PJVRP98E\kb456456[1] Infected: Trojan.Win32.Monderc.gen 1

C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\PJVRP98E\kb767887[1] Infected: Trojan.Win32.Monderc.gen 1

C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\STIVSHEN\kb671231[1] Infected: Trojan.Win32.Monderc.gen 1

C:\WINDOWS\17PHolmes572.exe Infected: Trojan-Downloader.Win32.Homles.br 1

C:\WINDOWS\444.470 Infected: Trojan.Win32.DNSChanger.eys 1

C:\WINDOWS\karina.dat Infected: Backdoor.Win32.Small.ejx 1

C:\WINDOWS\lfn.exe Infected: Hoax.Win32.Renos.vaff 1

C:\WINDOWS\MicroSoft.pif Infected: Trojan-Downloader.Win32.Agent.mdr 1

C:\WINDOWS\MicroSoft.vbs Infected: Trojan.VBS.Starter.n 1

C:\WINDOWS\mrofinu1000106.exe Infected: Trojan-Downloader.Win32.Homles.br 1

C:\WINDOWS\mrofinu572.exe Infected: Trojan-Downloader.Win32.Homles.br 1

C:\WINDOWS\mrofinu572.exe.tmp Infected: Trojan-Downloader.Win32.Homles.br 1

C:\WINDOWS\portsv.exe Infected: Trojan.Win32.Agent.sdd 1

C:\WINDOWS\system32\000070.exe Infected: Trojan-Downloader.Win32.PurityScan.gb 1

C:\WINDOWS\system32\000090.exe Infected: Trojan-Downloader.Win32.Small.tod 1

C:\WINDOWS\system32\1030\icmsetup.exe Infected: Trojan.Win32.DNSChanger.eyr 1

C:\WINDOWS\system32\bbdtrh.dll Infected: Trojan.Win32.Monderc.gen 1

C:\WINDOWS\system32\cREG\bmndird.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bp 1

C:\WINDOWS\system32\dlvqvkbj.dll Infected: Trojan.Win32.Monder.alp 1

C:\WINDOWS\system32\evcgrbuu.dll Infected: Trojan.Win32.Monderc.gen 1

C:\WINDOWS\system32\fvffxu.dll Infected: Trojan.Win32.Monderc.gen 1

C:\WINDOWS\system32\gsgbqpwi.dll Infected: Trojan.Win32.Monderc.gen 1

C:\WINDOWS\system32\gside.exe Infected: not-a-virus:AdWare.Win32.BHO.cdk 1

C:\WINDOWS\system32\gssphw.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cdg 1

C:\WINDOWS\system32\ilfvownn.dll Infected: Trojan.Win32.Monder.aln 1

C:\WINDOWS\system32\iqsjqanl.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cdg 1

C:\WINDOWS\system32\kablur.dll Infected: Trojan.Win32.Monderc.gen 1

C:\WINDOWS\system32\karina.dat Infected: Backdoor.Win32.Small.ejx 1

C:\WINDOWS\system32\keedza.dll Infected: Trojan.Win32.Monder.alp 1

C:\WINDOWS\system32\lcntltdm.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bo 1

C:\WINDOWS\system32\mctpjs.dll Infected: Trojan.Win32.Monderc.gen 1

C:\WINDOWS\system32\net\jvvtmp3.exe Infected: Trojan-Downloader.Win32.Small.buy 1

C:\WINDOWS\system32\olixds01\olixds011065.exe Infected: Trojan-Downloader.Win32.VB.eyc 1

C:\WINDOWS\system32\rswnw64n.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bp 1

C:\WINDOWS\system32\rwwnw64d.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bp 1

C:\WINDOWS\system32\seamnsba.dll Infected: Trojan.Win32.Monderc.gen 1

C:\WINDOWS\system32\smiygwum.dll Infected: Trojan.Win32.Monder.alo 1

C:\WINDOWS\system32\tfig\ichnewu.exe Infected: Trojan.Win32.Agent.lom 1

C:\WINDOWS\system32\tgjqtuug.dll Infected: Trojan.Win32.Monderc.gen 1

C:\WINDOWS\system32\univrs32.dat Infected: not-a-virus:AdWare.Win32.Agent.zo 1

C:\WINDOWS\system32\wiklbcgc.dll Infected: Trojan.Win32.Monderc.gen 1

C:\WINDOWS\system32\winivstr.exe Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.n 1

The selected area was scanned.


Thanks in advance :thumbsup:
It takes more muscle to frown than it is to smile...

So smile foo!

#4 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:11:03 AM

Posted 14 August 2008 - 11:46 PM

Hello riz_cola,

ewww.. You have some nasty collection of infections on your computer :thumbsup:

Some of them have backdoor capabilities; this means that an attacker has access to your computer without you knowing it and can steal personal info, steal critical system information, and download and execute other malicious files. I recommend these actions:

1) use a known secure computer to change all of your online passwords
2) contact your bank and credit card company for possible unauthorized transactions

More info can be found here:


How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?


Should you have any questions, please feel free to ask.

Seeing that you have this P2P program "LimeWire 4.18.2", I highly advise that you remove it from your system, since it is most likely how your system got so infected with malware. Even when a program like this is not infected itself, it will still bring malware into your system, because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware.

Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.
  • LimeWire 4.18.2
If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer

Total Physical Memory: 128 MiB (512 MiB recommended).


Your system is way too low on Physical Memory for running XP, as the above quote shows. See the following article for adding more RAM: Add more memory to your computer.


You also do not have any security related programs to protect your system! Spybot - Search & Destroy is not enough to keep system protected. We will deal with that after we try to get your computer more stable. Now please follow my instructions below:

Please download FixWareout from one of these mirrors:
http://download.bleepingcomputer.com/lonny/Fixwareout.exe
http://downloads.subratam.org/Fixwareout.exe


Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt).

Next:

Let's proceed with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:


Contents of report.txt
C:\ComboFix.txt
New HijackThis log.


Regards
SNOWHITE
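The Kaspersky report quoted above lists one detection per line in the form "<path> Infected: <threat name> <count>", and SNOWHITE's advice turns on which behaviour classes appear in it: Backdoor and Trojan-Proxy detections mean someone else may have had access to the machine, so passwords get changed from a clean computer, while FraudTool detections are the rogue "security center" class. The script below is an added example (not code from this thread, from Kaspersky, or from any of the tools mentioned) that parses that report layout and triages it along those lines. The sample report is constructed in the same layout with made-up paths, and the behaviour-to-action mapping is my own assumption, not something the scanner outputs.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Kaspersky Online Scanner 7 report:
# "<path> Infected: <threat name> <count>". Paths and file names are made up
# for this example; the threat names follow Kaspersky's naming scheme.
SAMPLE_REPORT = r"""
File name Threat name Threats count
C:\Documents and Settings\Alice\cache\example-applet Infected: Exploit.Java.ByteVerify 2

C:\WINDOWS\example.dat Infected: Backdoor.Win32.Small.ejx 1

C:\WINDOWS\system32\example.dll Infected: Trojan.Win32.Monderc.gen 1

C:\WINDOWS\example2.exe Infected: Trojan.Win32.DNSChanger.eys 1

C:\Documents and Settings\Guest\Local Settings\Temp\example.tmp Infected: Trojan-Proxy.Win32.Agent.aee 1

C:\WINDOWS\system32\example3.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bp 1

C:\WINDOWS\system32\example4.exe Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.n 1

The selected area was scanned.
"""

# One detection line: a path (may contain spaces), the literal "Infected:",
# the threat name (no spaces) and a decimal count at the end of the line.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Assumed mapping (mine, not Kaspersky's): behaviour prefixes that imply an
# attacker could have used the machine interactively or as a relay, so every
# credential typed on it must be treated as exposed.
REMOTE_ACCESS_BEHAVIOURS = {"Backdoor", "Trojan-Proxy"}
# Rogue/fake security software, the source of bogus "spyware detected" screens.
FAKE_AV_BEHAVIOURS = {"FraudTool"}


def parse_report(text):
    """Yield (path, threat_name, count) for each detection line; header,
    footer and blank lines do not match and are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m["path"], m["threat"], int(m["count"])


def behaviour_of(threat_name):
    """Return the behaviour prefix of a Kaspersky verdict, e.g.
    'Backdoor.Win32.Small.ejx' -> 'Backdoor'; the 'not-a-virus:' riskware
    prefix is dropped first so 'not-a-virus:AdWare.Win32.X' -> 'AdWare'."""
    name = threat_name.split(":", 1)[-1]
    return name.split(".", 1)[0]


def triage(text):
    """Summarise a report: counts per behaviour class and the files that
    decide whether a credential reset from a clean machine is advised."""
    detections = list(parse_report(text))
    by_behaviour = Counter()
    remote_access = []
    fake_av = []
    for path, threat, count in detections:
        behaviour = behaviour_of(threat)
        by_behaviour[behaviour] += count
        if behaviour in REMOTE_ACCESS_BEHAVIOURS:
            remote_access.append((path, threat))
        elif behaviour in FAKE_AV_BEHAVIOURS:
            fake_av.append((path, threat))
    return {
        "detections": len(detections),                 # report lines matched
        "objects": sum(c for _, _, c in detections),   # sum of the count column
        "by_behaviour": dict(by_behaviour),
        "remote_access": remote_access,
        "fake_av": fake_av,
        "credential_reset_advised": bool(remote_access),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    for behaviour, n in sorted(summary["by_behaviour"].items()):
        print(f"{behaviour:<14}{n}")
    print("credential reset advised:", summary["credential_reset_advised"])
    for path, threat in summary["remote_access"]:
        print("  remote-access capable:", threat, "in", path)
```

Run against a real report the counts in "objects" should equal the scanner's own "Infected objects" total, which is a quick check that every line was parsed; a mismatch usually means a path containing " Infected: " or a wrapped line, and the unparsed lines are the ones to look at by hand.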

#5 riz_cola

riz_cola
  • Topic Starter

  • Members
  • 20 posts
  • Gender:Male
  • Local time:03:03 AM

Posted 16 August 2008 - 07:29 PM

Heya finally got everything :thumbsup:

Report.txt

Username "Arris" - 08/15/2008 1:16:30 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{D3-3E-E5-5A-DW}"="c:\\windows\\system32\\rswnw64n.exe DWram02"
"ExploreUpdSched"="C:\\WINDOWS\\system32\\lcntltdm.exe DWram02"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


Combofix.txt


ComboFix 08-08-14.02 - Arris 2008-08-16 16:23:33.1 - NTFSx86

Running from: C:\Documents and Settings\Arris\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Arris\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\#SharedObjects\ZMN93TGS\interclick.com
C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Arris\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Arris\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\#SharedObjects\MZRQ9S7E\interclick.com
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\#SharedObjects\MZRQ9S7E\interclick.com\ud.sol
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\NetworkService\Cookies\arris@ad.yieldmanager[2].txt
C:\Documents and Settings\NetworkService\Cookies\arris@trafficmp[2].txt
C:\Documents and Settings\Rick\Application Data\macromedia\Flash Player\#SharedObjects\87DSU89H\interclick.com
C:\Documents and Settings\Rick\Application Data\macromedia\Flash Player\#SharedObjects\87DSU89H\interclick.com\ud.sol
C:\Documents and Settings\Rick\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Rick\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Rick\Cookies\rick@ad.yieldmanager[1].txt
C:\Documents and Settings\Rick\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Rick\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\Common Files\asembl~1
C:\Program Files\Common Files\sembly~1
C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\temp\tn3
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\444.470
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\BMcf0e0d69.txt
C:\WINDOWS\BMcf0e0d69.xml
C:\WINDOWS\buritos.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\karina.dat
C:\WINDOWS\lfn.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\msconfd.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\muotr.so
C:\WINDOWS\portsv.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\searchword.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stem~1
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\5257\29625.dll
C:\WINDOWS\system32\AycLmnpo.ini
C:\WINDOWS\system32\AycLmnpo.ini2
C:\WINDOWS\system32\bbdtrh.dll
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\buritos.exe
C:\WINDOWS\system32\cfgbken.dll
C:\WINDOWS\system32\cookie1.dat
C:\WINDOWS\system32\cs.dat
C:\WINDOWS\system32\cyaduymt.ini
C:\WINDOWS\system32\dgccxsuq.dll
C:\WINDOWS\system32\dllcache\npptools.dll
C:\WINDOWS\system32\dlvqvkbj.dll
C:\WINDOWS\system32\dqayiuia.ini
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\sfloppyy.sys
C:\WINDOWS\system32\EehRAcfe.ini
C:\WINDOWS\system32\EehRAcfe.ini2
C:\WINDOWS\system32\evcgrbuu.dll
C:\WINDOWS\system32\fvffxu.dll
C:\WINDOWS\system32\gsgbqpwi.dll
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\gssphw.dll
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\ilfvownn.dll
C:\WINDOWS\system32\iqnthuyd.ini
C:\WINDOWS\system32\iqsjqanl.dll
C:\WINDOWS\system32\kablur.dll
C:\WINDOWS\system32\karina.dat
C:\WINDOWS\system32\keedza.dll
C:\WINDOWS\system32\lcntltdm.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mctpjs.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\MSNSA32.dll
C:\WINDOWS\system32\muwgyims.ini
C:\WINDOWS\system32\nafryluu.ini
C:\WINDOWS\system32\npptools.dll
C:\WINDOWS\system32\ntnut32.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\plseiarr.ini
C:\WINDOWS\system32\ps1.dat
C:\WINDOWS\system32\pVFLlnpo.ini
C:\WINDOWS\system32\pVFLlnpo.ini2
C:\WINDOWS\system32\PXIkRXyb.ini
C:\WINDOWS\system32\PXIkRXyb.ini2
C:\WINDOWS\system32\rabpqt.dll
C:\WINDOWS\system32\rc.dat
C:\WINDOWS\system32\rswnw64n.exe
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\seamnsba.dll
C:\WINDOWS\system32\shdocpe.dll
C:\WINDOWS\system32\SIPSPI32.dll
C:\WINDOWS\system32\smiygwum.dll
C:\WINDOWS\system32\tgjqtuug.dll
C:\WINDOWS\system32\uDLVxGgh.ini
C:\WINDOWS\system32\uDLVxGgh.ini2
C:\WINDOWS\system32\univrs32.dat
C:\WINDOWS\system32\uoyzsydz.exe
C:\WINDOWS\system32\uulyrfan.dll
C:\WINDOWS\system32\vCcbayxx.ini
C:\WINDOWS\system32\vCcbayxx.ini2
C:\WINDOWS\system32\wiklbcgc.dll
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\wlogon32.dll
C:\WINDOWS\system32\wrguyany.ini
C:\WINDOWS\system32\ymgeergr.ini
C:\WINDOWS\system32\yrvqppac.ini
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\time.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\winsb.dll
C:\WINDOWS\xplugin.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SFLOPPYY
-------\Service_sfloppyy
-------\Legacy_PlugPlayRPC
-------\Service_PlugPlayRPC


((((((((((((((((((((((((( Files Created from 2008-07-16 to 2008-08-16 )))))))))))))))))))))))))))))))
.

2008-08-15 00:46 . 2008-08-15 01:32 <DIR> d-------- C:\fixwareout
2008-08-15 00:40 . 2008-08-15 00:40 1 --a------ C:\WINDOWS\system32\tb.dr
2008-08-14 23:02 . 2008-08-14 23:02 45,568 --a------ C:\WINDOWS\system32\smb32.dll
2008-08-14 21:15 . 2008-08-14 21:15 <DIR> d-------- C:\Program Files\Microsoft Common
2008-08-14 21:15 . 2008-08-14 23:02 60,416 --a------ C:\WINDOWS\inform.dat
2008-08-14 21:15 . 2008-08-14 21:15 45,568 --a------ C:\WINDOWS\system32\pns32.dll
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-02 23:25 . 2008-08-03 00:42 206 --a------ C:\Documents and Settings\Arris\delself.bat
2008-08-02 23:18 . 2008-08-02 23:18 50,189 --a------ C:\Documents and Settings\Arris\win.exe
2008-08-02 15:00 . 2008-08-02 15:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-30 18:23 . 2008-08-15 02:26 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-07-28 16:36 . 2008-08-15 02:31 <DIR> d-------- C:\CWS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 18:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-13 10:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-07 23:27 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-07-31 01:16 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-07 23:50 152,079 ----a-w C:\WINDOWS\system32\g54.exe
2008-07-04 16:56 23 ----a-w C:\Documents and Settings\Arris\jagex_runescape_preferences.dat
2008-06-20 07:42 --------- d-----w C:\Documents and Settings\Arris\Application Data\LimeWire
2008-03-16 10:55 15,560 ----a-w C:\Documents and Settings\Guest\ie_updates3r.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
Update_0803_KB130720.exe [2008-03-13 01:20:26 22016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
NETGEAR WPN111 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN111\wpn111.exe [2008-02-08 15:18:00 884838]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^Arris^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Arris\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Arris^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Arris\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Rick^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Rick\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Rick^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Rick\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Common\\wuauclt.exe"=

R3 Maestro;ESS Maestro2E Audio Driver (WDM);C:\WINDOWS\system32\drivers\essm2e.sys [2004-08-03 15:32]
R3 tgiul50;tgiul50;C:\WINDOWS\system32\DRIVERS\tgiulnt5.sys [2001-08-17 05:51]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 13:10]
S3 N5SG;Airlink101 SuperG Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\N5SG.sys [2006-11-03 16:30]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\WINDOWS\system32\DRIVERS\WPN111.sys [2005-09-26 17:02]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9988775D-4368-4857-871A-D01D66CA3A71}]
rundll32 smb32.dll,InitO
.
- - - - ORPHANS REMOVED - - - -

BHO-{D21D9540-6415-4288-BDD0-4453088D9D38} - (no file)
MSConfigStartUp-Load - C:\WINDOWS\svchost.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Local Page = \blank.htm
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{6AF5A3AD-7655-4EB3-B120-9E974CB0E674}: NameServer = 208.67.220.220,208.67.222.222
O17 -: HKLM\CCS\Interface\{7BBDE76E-295E-4216-9C23-573FD3FB60E0}: NameServer = 208.67.220.220,208.67.222.222

O16 -: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

O16 -: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
C:\WINDOWS\Downloaded Program Files\OberonGameHost_dbg.inf
C:\WINDOWS\Downloaded Program Files\OberonGameHost.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-16 16:36:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Abiosdsk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\abp480n5]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
"ImagePath"="system32\DRIVERS\ACPI.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPIEC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\adpu160m]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aec]
"ImagePath"="system32\drivers\aec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AegisP]
"ImagePath"="system32\DRIVERS\AegisP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AFD]
"ImagePath"="\SystemRoot\System32\drivers\afd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Aha154x]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78u2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78xx]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Alerter]
"ServiceDll"="%SystemRoot%\system32\alrsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALG]
"ImagePath"="%SystemRoot%\System32\alg.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AliIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\amsint]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgmt]
"ServiceDll"="%SystemRoot%\System32\appmgmts.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3350p]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3550]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AsyncMac]
"ImagePath"="system32\DRIVERS\asyncmac.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="system32\DRIVERS\atapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atdisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atmarpc]
"ImagePath"="system32\DRIVERS\atmarpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AudioSrv]
"ServiceDll"="%SystemRoot%\System32\audiosrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\audstub]
"ImagePath"="system32\DRIVERS\audstub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BattC]
"MofImagePath"="System32\Drivers\battc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Beep]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BITS]
"ServiceDll"="%systemroot%\system32\qmgr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Browser]
"ServiceDll"="%SystemRoot%\System32\browser.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
"ImagePath"="\??\C:\ComboFix\catchme.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cbidf2k]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cd20xrnt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdaudio]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdrom]
"ImagePath"="system32\DRIVERS\cdrom.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Changer]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CiSvc]
"ImagePath"="%SystemRoot%\system32\cisvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ClipSrv]
"ImagePath"="%SystemRoot%\system32\clipsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmBatt]
"ImagePath"="system32\DRIVERS\CmBatt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmdIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Compbatt]
"ImagePath"="system32\DRIVERS\compbatt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysApp]
"ImagePath"="C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentFilter]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentIndex]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cpqarray]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CryptSvc]
"ServiceDll"="%SystemRoot%\System32\cryptsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac2w2k]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac960nt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DcomLaunch]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dhcp]
"ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Disk]
"ImagePath"="system32\DRIVERS\disk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmadmin]
"ImagePath"="%SystemRoot%\System32\dmadmin.exe /com"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmboot]
"ImagePath"="System32\drivers\dmboot.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmio]
"ImagePath"="System32\drivers\dmio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmload]
"ImagePath"="System32\drivers\dmload.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmserver]
"ServiceDll"="%SystemRoot%\System32\dmserver.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DMusic]
"ImagePath"="system32\drivers\DMusic.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DNINDIS5]
"ImagePath"="\??\C:\WINDOWS\system32\DNINDIS5.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache]
"ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dpti2o]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drmkaud]
"ImagePath"="system32\drivers\drmkaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ERSvc]
"ServiceDll"="%SystemRoot%\System32\ersvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Eventlog]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystem]
"ServiceDll"="C:\WINDOWS\system32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fastfat]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FastUserSwitchingCompatibility]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]
"ImagePath"="system32\DRIVERS\fdc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fips]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FltMgr]
"ImagePath"="system32\DRIVERS\fltMgr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fs_Rec]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ftdisk]
"ImagePath"="system32\DRIVERS\ftdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Gpc]
"ImagePath"="system32\DRIVERS\msgpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gusvc]
"ImagePath"="\"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidServ]
"ServiceDll"="%SystemRoot%\System32\hidserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpn]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omgmt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omp]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i8042prt]
"ImagePath"="system32\DRIVERS\i8042prt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Imapi]
"ImagePath"="system32\DRIVERS\imapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService]
"ImagePath"="%systemroot%\system32\imapi.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\inetaccs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ini910u]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Inport]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelIde]
"ImagePath"="system32\DRIVERS\intelide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ip6Fw]
"ImagePath"="system32\DRIVERS\Ip6Fw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpFilterDriver]
"ImagePath"="system32\DRIVERS\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpInIp]
"ImagePath"="system32\DRIVERS\ipinip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpNat]
"ImagePath"="system32\DRIVERS\ipnat.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IPSec]
"ImagePath"="system32\DRIVERS\ipsec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\irda]
"ImagePath"="system32\DRIVERS\irda.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IRENUM]
"ImagePath"="system32\DRIVERS\irenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Irmon]
"ServiceDll"="%SystemRoot%\System32\irmon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isapnp]
"ImagePath"="system32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Kbdclass]
"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KSecDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserver]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicenseService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Maestro]
"ImagePath"="system32\drivers\essm2e.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmdd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmsrvc]
"ImagePath"="C:\WINDOWS\system32\mnmsrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Modem]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mouclass]
"ImagePath"="system32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MountMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mraid35x]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxDAV]
"ImagePath"="system32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxSmb]
"ImagePath"="system32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC]
"ImagePath"="C:\WINDOWS\system32\msdtc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Msfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIServer]
"ImagePath"="%systemroot%\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mssmbios]
"ImagePath"="system32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mup]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N5SG]
"ImagePath"="system32\DRIVERS\N5SG.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisTapi]
"ImagePath"="system32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ndisuio]
"ImagePath"="system32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisWan]
"ImagePath"="system32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDProxy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS]
"ImagePath"="system32\DRIVERS\netbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT]
"ImagePath"="system32\DRIVERS\netbt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netlogon]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netman]
"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Nla]
"ServiceDll"="%SystemRoot%\System32\mswsock.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Npfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NSCIRDA]
"ImagePath"="system32\DRIVERS\nscirda.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ntfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtLmSsp]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc]
"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Null]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFlt]
"ImagePath"="system32\DRIVERS\nwlnkflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFwd]
"ImagePath"="system32\DRIVERS\nwlnkfwd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Parport]
"ImagePath"="system32\DRIVERS\parport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PartMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ParVdm]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCI]
"ImagePath"="system32\DRIVERS\pci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIDump]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pcmcia]
"ImagePath"="system32\DRIVERS\pcmcia.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRELI]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2hib]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfNet]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfOS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfProc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PptpMiniport]
"ImagePath"="system32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Processor]
"ImagePath"="system32\DRIVERS\processr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSched]
"ImagePath"="system32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ptilink]
"ImagePath"="system32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1080]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ql10wnt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql12160]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1240]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1280]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAcd]
"ImagePath"="system32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasirda]
"ImagePath"="system32\DRIVERS\rasirda.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasl2tp]
"ImagePath"="system32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasPppoe]
"ImagePath"="system32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Raspti]
"ImagePath"="system32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rdbss]
"ImagePath"="system32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdpdr]
"ImagePath"="system32\DRIVERS\rdpdr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPNP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPWD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgr]
"ImagePath"="C:\WINDOWS\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteRegistry]
"ServiceDll"="%SystemRoot%\system32\regsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcLocator]
"ImagePath"="%SystemRoot%\system32\locator.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSs]
"ServiceDll"="%SystemRoot%\System32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RSVP]
"ImagePath"="%SystemRoot%\system32\rsvp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Secdrv]
"ImagePath"="system32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\serenum]
"ImagePath"="system32\DRIVERS\serenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serial]
"ImagePath"="system32\DRIVERS\serial.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sfloppy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sparrow]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sr]
"ImagePath"="system32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srservice]
"ServiceDll"="C:\WINDOWS\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Srv]
"ImagePath"="system32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swenum]
"ImagePath"="system32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SwPrv]
"ImagePath"="C:\WINDOWS\system32\dllhost.exe /Processid:{EF529764-3EB9-485B-9670-8950F433BDC3}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc810]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc8xx]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_hi]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_u3]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip]
"ImagePath"="system32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDTCP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermDD]
"ImagePath"="system32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tgiul50]
"ImagePath"="system32\DRIVERS\tgiulnt5.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TlntSvr]
"ImagePath"="C:\WINDOWS\system32\tlntsvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TosIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ultra]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update]
"ImagePath"="system32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbhub]
"ImagePath"="system32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USBSTOR]
"ImagePath"="system32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbuhci]
"ImagePath"="system32\DRIVERS\usbuhci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ViaIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VxD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W32Time]
"ServiceDll"="%systemroot%\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W3SVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W8335XP]
"ImagePath"="system32\DRIVERS\Mrvw125.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wanarp]
"ImagePath"="system32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDICA]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSN]
"ServiceDll"="C:\WINDOWS\system32\MsPMSNSv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wmi]
"ServiceDll"="%SystemRoot%\System32\advapi32.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrv]
"ImagePath"="C:\WINDOWS\system32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WMPNetworkSvc]
"ImagePath"="\"C:\Program Files\Windows Media Player\WMPNetwk.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WpdUsb]
"ImagePath"="system32\DRIVERS\wpdusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WPN111]
"ImagePath"="system32\DRIVERS\WPN111.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WS2IFSL]
"ImagePath"="\SystemRoot\System32\drivers\ws2ifsl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]
"ServiceDll"="C:\WINDOWS\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]
"ImagePath"="system32\DRIVERS\WudfPf.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]
"ImagePath"="system32\DRIVERS\wudfrd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfSvc]
"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{6AF5A3AD-7655-4EB3-B120-9E974CB0E674}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{7BBDE76E-295E-4216-9C23-573FD3FB60E0}]
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-08-16 16:54:06 - machine was rebooted [Arris]
ComboFix-quarantined-files.txt 2008-08-16 23:53:54

Pre-Run: 303,484,928 bytes free
Post-Run: 527,929,344 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

749 --- E O F --- 2008-02-08 22:21:50


Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:05 PM, on 8/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {D21D9540-6415-4288-BDD0-4453088D9D38} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [{D3-3E-E5-5A-DW}] c:\windows\system32\rswnw64n.exe DWram02
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lcntltdm.exe DWram02
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AF5A3AD-7655-4EB3-B120-9E974CB0E674}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BBDE76E-295E-4216-9C23-573FD3FB60E0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{6AF5A3AD-7655-4EB3-B120-9E974CB0E674}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{6AF5A3AD-7655-4EB3-B120-9E974CB0E674}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4024 bytes

Thanks again! :)
It takes more muscle to frown than it is to smile...

So smile foo!

#6 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:11:03 AM

Posted 20 August 2008 - 04:35 AM

Hello again riz_cola,

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER



Please follow these steps to disable Tea Timer, because it will interfere with our fixes:

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).

O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {D21D9540-6415-4288-BDD0-4453088D9D38} - (no file)
O4 - HKLM\..\Run: [{D3-3E-E5-5A-DW}] c:\windows\system32\rswnw64n.exe DWram02
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lcntltdm.exe DWram02
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AF5A3AD-7655-4EB3-B120-9E974CB0E674}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BBDE76E-295E-4216-9C23-573FD3FB60E0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{6AF5A3AD-7655-4EB3-B120-9E974CB0E674}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{6AF5A3AD-7655-4EB3-B120-9E974CB0E674}: NameServer = 208.67.220.220,208.67.222.222


Then close all windows except HijackThis and click Fix Checked.

Restart


Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/t/161111/need-help-with-logfile/

File::
C:\WINDOWS\system32\tb.dr
C:\WINDOWS\inform.dat
C:\Documents and Settings\Arris\delself.bat

Collect::[29]
C:\WINDOWS\system32\pns32.dll
C:\WINDOWS\system32\smb32.dll
C:\Documents and Settings\Arris\win.exe
C:\WINDOWS\system32\g54.exe
C:\Documents and Settings\Guest\ie_updates3r.exe

Suspect::[29]
C:\WINDOWS\system32\drivers\beep.sys

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-

Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
Next,

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.

1. Go to this website: www.virustotal.com
2. Upload this file by copy/pasting (Ctrl+C/Ctrl+V) it in to the file box: C:\Documents and Settings\Guest\Start Menu\Programs\Startup\Update_0803_KB130720.exe
3. Submit the file and copy/paste the results back into this thread.

Post back with the following reports:

- Combofix report
- SDFix report
- VirusTotal report
- New HijackThis report
Let me know of any remaining problems.

Regards
SNOWHITE

#7 riz_cola

riz_cola
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:03 AM

Posted 22 August 2008 - 10:10 PM

Hello Snowhite, here are the results :thumbsup:


ComboFix.txt


ComboFix 08-08-21.02 - Arris 2008-08-22 18:12:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.29 [GMT -7:00]
Running from: C:\Documents and Settings\Arris\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Arris\My Documents\CFScript.txt

FILE ::
C:\Documents and Settings\Arris\delself.bat
C:\WINDOWS\inform.dat
C:\WINDOWS\system32\tb.dr
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\#SharedObjects\ZMN93TGS\interclick.com
C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\#SharedObjects\ZMN93TGS\interclick.com\ud.sol
C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\#SharedObjects\ZMN93TGS\static.youku.com
C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\Arris\delself.bat
C:\Documents and Settings\Arris\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\Documents and Settings\Arris\win.exe
C:\Documents and Settings\Guest\ie_updates3r.exe
C:\Program Files\Microsoft Common
C:\Program Files\Microsoft Common\wuauclt.exe
C:\WINDOWS\inform.dat
C:\WINDOWS\system32\g54.exe
C:\WINDOWS\system32\pns32.dll
C:\WINDOWS\system32\smb32.dll
C:\WINDOWS\system32\tb.dr

.
((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-19 17:10 . 2003-07-17 02:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-08-19 17:10 . 2004-12-31 17:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-08-19 17:09 . 2008-08-19 17:09 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-08-19 16:17 . 2008-08-19 17:19 <DIR> d--h----- C:\Documents and Settings\Arris\Application Data\ijjigame
2008-08-15 00:46 . 2008-08-15 01:32 <DIR> d-------- C:\fixwareout
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-02 15:00 . 2008-08-02 15:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-30 18:23 . 2008-08-15 02:26 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-07-28 16:36 . 2008-08-15 02:31 <DIR> d-------- C:\CWS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 00:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-13 18:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-13 10:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-07 23:27 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-07-31 01:16 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-04 16:56 23 ----a-w C:\Documents and Settings\Arris\jagex_runescape_preferences.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-06 19:30 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
Update_0803_KB130720.exe [2008-03-13 01:20:26 22016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
NETGEAR WPN111 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN111\wpn111.exe [2008-02-08 15:18:00 884838]

[HKLM\~\startupfolder\C:^Documents and Settings^Arris^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Arris\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Arris^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Arris\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Rick^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Rick\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Rick^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Rick\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 13:10]
R3 Maestro;ESS Maestro2E Audio Driver (WDM);C:\WINDOWS\system32\drivers\essm2e.sys [2004-08-03 15:32]
R3 tgiul50;tgiul50;C:\WINDOWS\system32\DRIVERS\tgiulnt5.sys [2001-08-17 05:51]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\WINDOWS\system32\DRIVERS\WPN111.sys [2005-09-26 17:02]
S3 N5SG;Airlink101 SuperG Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\N5SG.sys [2006-11-03 16:30]

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9988775D-4368-4857-871A-D01D66CA3A71}]
rundll32 smb32.dll,InitO
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-22 18:17:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-08-22 18:23:58
ComboFix-quarantined-files.txt 2008-08-23 01:22:50
ComboFix2.txt 2008-08-16 23:54:08

Pre-Run: 249,745,408 bytes free
Post-Run: 259,448,832 bytes free

104 --- E O F --- 2008-02-08 22:21:50


SDFix Report



SDFix: Version 1.218
Run by Arris on Fri 08/22/2008 at 06:51 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\Documents and Settings\Arris\Desktop\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\000070.exe - Deleted
C:\WINDOWS\system32\000090.exe - Deleted
C:\WINDOWS\system32\dpl.txt - Deleted



Folder C:\Documents and Settings\Arris\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#w*w.redtube.com - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-22 19:06:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 65536 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\DOCUME~1\Arris\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 30 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Wed 30 Jul 2008 1,829,712 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 11 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\080070f6461c8001578e5e4cd4bb024b\BIT79.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1fb659e25c21839251d560da33cbcfad\BIT5E.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3becf78026ee8bb0c18f61c3d3645cb6\BIT5.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\495213e4cb2a90b1fa5505a5fab8e00b\BIT6B.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\BIT6F.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4cc8107fde988bba1481bb736cc96c29\BIT66.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\582374c56f566bb2a83a59d0c2cd7d87\BIT8.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6b5f9b6e24a379bdb34ad3589556de3e\BIT7D.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\972f9ceb5c3be430fe6cdcb43653d74d\BIT53.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a0d1667f129d439fad31a81898b17830\BIT4A.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b6bef673c2e4e242a39946c4931e8a98\BIT70.tmp"
Wed 6 Feb 2008 7,799,416 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b857106b57491ac2a650851d43af1c92\BIT15.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc7d0f6ab3aa3bf7be4e2f411369f85d\BIT7.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d20fc1765c1d2a8e6c26cf77036ce48f\BIT77.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\BIT57.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\BIT74.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\da70638ee8e6f6c7eff37e755cd6f449\BIT41.tmp"
Fri 8 Feb 2008 2,300,320 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\dcfb65ff18fcfdf3d0086d241818e7bc\BIT5F.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ee52836d5c671146809a1dc54498be1f\BIT7C.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f040a43a7788e207ef67f26bf9f0471f\BIT5D.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f1717a50ad70787e0b2e37537d202992\BIT5B.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0091ab299e899a5920ad91739ad99c67\download\BIT14.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\05dc5f0b39a115d1962503e7297cdba7\download\BIT9.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a120212db9f8797932f46def01672fc\download\BIT1C.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a7407b49e4a15c0b9a45c0426de5360\download\BIT86.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0c114cf5b19927cfea8b29c83de1ed86\download\BIT1F.tmp"
Fri 8 Feb 2008 29,349 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1230492412c0d92c55a03b0de671f167\download\BIT8B.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\131ae35a2f5be2cefedd349d083bb253\download\BIT89.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1950380ad27a186ad7b25c1e483494eb\download\BIT20.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1d8773e3b9bba05290b442f31de09a2e\download\BITE.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\208c1a8c52f47d7b2df4baa21f58d3da\download\BIT1A.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\29f79ad83880337acafe2a37966d9d29\download\BIT18.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2abaeb659824de5967ddf7181c6befdb\download\BIT1B.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2d7809720343ee9223ce4d88d99bf3c2\download\BIT1D.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\30afadc4c35db2f5d8b4c076a49edc7b\download\BITA.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\32e99364da67a7850c38a7a4e067a1ed\download\BIT16.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\33831624a2e810dc854ea2f820d0dd53\download\BITF.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\37fefde58a963f27982e5f97ce053f7f\download\BIT21.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\393673217fc83f2b990ca70aa98f1df8\download\BITB.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4b6ccd5ccf72ffca11e7f7e0165f2082\download\BIT11.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\52b72a8354f3c8a72b1aee0b2a11d368\download\BIT17.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7b94d041c29d0b8d724c97ae0005e71b\download\BIT15.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\86c1313b3b7233a513215d577f5db5c4\download\BIT22.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a4eec31189780c76a955690dc00fbe64\download\BIT88.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\aa19f15378aa75d2b2c7ba5771e0c521\download\BIT10.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\aebb83db003f77a45671fd2c1557da38\download\BIT87.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b3ba2a040ecf3ac2cd2da399851bda00\download\BITD.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b79f0480d592be3a8c6db381ffc0c693\download\BIT23.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c1b0851ac9312d2f7e1ab716c11967b5\download\BIT13.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c23140ab2b4cffaee396a230df8b1229\download\BIT6.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c3c3c6d9de8be474641d4bbceb22a36f\download\BIT19.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c87932aedce288373d0b6a6c23f00c8a\download\BITC.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c9cdbfcd49200c55d94bb81819c80f2b\download\BIT1E.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d1c98689cdcd0ea9312780ffc77a2cbe\download\BIT8A.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d378d94379aa314a2f8a03df7faef1bc\download\BIT24.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f941c900a413f153861a4032214a1aec\download\BIT12.tmp"

Finished!


VirusTotal Report


File Update_0803_KB130720.exe received on 08.23.2008 04:34:44 (CET)

Result: 27/35 (77.15%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.21.0 2008.08.22 Win-Trojan/Injecter.22016.G
AntiVir 7.8.1.23 2008.08.22 TR/Dropper.Gen
Authentium 5.1.0.4 2008.08.23 W32/Downldr2.BEWE
Avast 4.8.1195.0 2008.08.22 Win32:Injecter-AL
AVG 8.0.0.161 2008.08.22 Downloader.BHO.C
BitDefender 7.2 2008.08.23 Trojan.Downloader.Injecter.E
CAT-QuickHeal 9.50 2008.08.22 TrojanDownloader.Injecter.gx
ClamAV 0.93.1 2008.08.23 -
DrWeb 4.44.0.09170 2008.08.22 BackDoor.Apex.93
eSafe 7.0.17.0 2008.08.21 Win32.Injecter.gx
eTrust-Vet 31.6.6040 2008.08.22 Win32/SillyDl.EBT
Ewido 4.0 2008.08.22 -
F-Prot 4.4.4.56 2008.08.23 W32/Downldr2.BEWE
F-Secure 7.60.13501.0 2008.08.23 Trojan-Downloader.Win32.Injecter.gx
Fortinet 3.14.0.0 2008.08.23 -
GData 2.0.7306.1023 2008.08.20 Trojan-Downloader.Win32.Injecter.gx
Ikarus T3.1.1.34.0 2008.08.23 Trojan-Downloader.Win32.Injecter.dd
K7AntiVirus 7.10.425 2008.08.22 Trojan-Downloader.Win32.Injecter.gx
Kaspersky 7.0.0.125 2008.08.23 Trojan-Downloader.Win32.Injecter.gx
McAfee 5368 2008.08.22 Downloader.gen.a
Microsoft 1.3807 2008.08.23 TrojanDropper:Win32/Cavitate.A
NOD32v2 3381 2008.08.22 -
Norman 5.80.02 2008.08.22 DLoader.FPFI
Panda 9.0.0.4 2008.08.22 -
PCTools 4.4.2.0 2008.08.22 -
Prevx1 V2 2008.08.23 Malware Downloader
Rising 20.58.42.00 2008.08.22 -
Sophos 4.32.0 2008.08.23 Mal/Generic-A
Sunbelt 3.1.1571.1 2008.08.23 Trojan-Downloader.Win32.Injecter.dd
TheHacker 6.3.0.6.060 2008.08.23 Trojan/Downloader.Injecter.gx
TrendMicro 8.700.0.1004 2008.08.22 TROJ_DLOADER.OOL
VBA32 3.12.8.4 2008.08.22 Trojan-Downloader.Win32.Injecter.gx
ViRobot 2008.8.22.1346 2008.08.22 Trojan.Win32.Downloader.22016.AF
VirusBuster 4.5.11.0 2008.08.22 -
Webwasher-Gateway 6.6.2 2008.08.23 Trojan.Dropper.Gen
Additional information
File size: 22016 bytes
MD5...: 2498657e1dc250045286afcf53991577
SHA1..: c260abf3a799443f207b6f47169ad07826c91e88
SHA256: 2a97e2557152b0d953df0b4f55e4c70083d84fb0bc1e54cf9f5358ae9979ef40
SHA512: da62cb050df084db5eab617bd422a0c1599bf9294bc159215a4e7ab642a9d2e03a502b141ff81a6922cf2d816f27ff34dbc2fcf306e313588b44b3161d4f1f1f
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x410d40
timedatestamp.....: 0x47c86002 (Fri Feb 29 19:41:54 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0xb000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0xc000 0x5000 0x5000 7.85 a793d5d8d240aea8273029d820134fc4
UPX2 0x11000 0x1000 0x200 2.62 7736cda92abf8b00300ee4d442e86108

( 3 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegCloseKey
> USER32.dll: CharToOemA

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp...69FFB00998EA8F3
packers (Kaspersky): PE_Patch.UPX, UPX
packers (Authentium): UPX
packers (Avast): UPX
packers (F-Prot): UPX


HijackThis Report


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:22 PM, on 8/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 2784 bytes

Thanks! :)
It takes more muscle to frown than it does to smile...

So smile foo!

#8 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:11:03 AM

Posted 25 August 2008 - 04:32 PM

Hello riz_cola :thumbsup:

Looking better now. How is the computer running?

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code below into it:

File::
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\Update_0803_KB130720.exe
C:\Documents and Settings\Arris\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\Rick\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\Arris\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Rick\Start Menu\Programs\Startup\Deewoo.lnk
C:\WINDOWS\pss\DW_Start.lnkStartup
C:\WINDOWS\pss\Deewoo.lnkStartup

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9988775D-4368-4857-871A-D01D66CA3A71}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder\C:^Documents and Settings^Arris^Start Menu^Programs^Startup^DW_Start.lnk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder\C:^Documents and Settings^Rick^Start Menu^Programs^Startup^DW_Start.lnk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder\C:^Documents and Settings^Rick^Start Menu^Programs^Startup^Deewoo.lnk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder\C:^Documents and Settings^Arris^Start Menu^Programs^Startup^Deewoo.lnk]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Looking over your log, it seems you don't have any evidence of anti-virus software.

Anti-virus programs detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus program from one of these excellent vendors:

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

In your next post include the ComboFix report and a fresh HijackThis log, and let me know how the computer is running.

Regards
SNOWHITE
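The CFScript mechanics used in post #6 and post #8 (File:: and Registry:: sections written from what the ComboFix "Reg Loading Points" listing shows) as an added Python example; this is not ComboFix's code nor the helper's. The log excerpt is taken from the thread's own ComboFix output, the HKLM\~ expansion follows post #8's script, and the file-extension heuristic for Startup-folder entries is an assumption of this example.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example)."""
# Constructed from lines of this thread's own ComboFix log, trimmed to the
# entries the helper later targeted with CFScript.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
Update_0803_KB130720.exe [2008-03-13 01:20:26 22016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^Arris^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Arris\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9988775D-4368-4857-871A-D01D66CA3A71}]
rundll32 smb32.dll,InitO
.
"""

# ComboFix writes "HKLM\~" for this long hive path; post #8's CFScript spells it out.
MSCONFIG = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG"


def parse_loading_points(log):
    """Return (header, value_lines) blocks: a header is a bracketed registry key or
    a Startup-folder path ending in a backslash; values run to the next blank line."""
    lines = log.splitlines()
    start = next((i for i, l in enumerate(lines) if "Reg Loading Points" in l), None)
    if start is None:
        return []
    blocks, current = [], None
    for line in lines[start + 1:]:
        if line.startswith(("(((((", "*****")):   # next ComboFix section
            break
        if not line.strip() or line.strip() == ".":
            current = None
            continue
        if current is None:
            # *Note*, REGEDIT4, R3/S3 driver lines etc. are not block headers
            if (line.startswith("[") and line.endswith("]")) or line.endswith("\\"):
                current = (line, [])
                blocks.append(current)
            continue
        current[1].append(line)
    return blocks


def triage(log):
    """Flag the loading points a removal helper would question and draft the
    CFScript File::/Registry:: sections that would remove them."""
    findings, files, keys = [], [], []
    for header, values in parse_loading_points(log):
        low = header.lower()
        if header.endswith("\\"):                       # a Startup folder listing
            for v in values:
                # "name.lnk - target [date size]" or "name.exe [date size]"
                entry = v.split(" [")[0].split(" - ")[0].strip()
                if entry.lower().endswith((".exe", ".dll", ".bat", ".scr")):
                    findings.append(("startup-executable", header + entry))  # not a .lnk
                    files.append(header + entry)
        elif low.startswith("[hklm\\~\\startupfolder\\"):
            # MSCONFIG-disabled startup items; the original is kept under \pss\
            findings.append(("msconfig-disabled-startup", header))
            keys.append(MSCONFIG + header[len("[HKLM\\~"):])
            files += [v.split("=", 1)[1] for v in values if v.startswith(("path=", "backup="))]
        elif "active setup\\installed components" in low:
            # Active Setup runs its StubPath once per user at logon; a rundll32 call
            # into an unfamiliar system32 DLL (smb32.dll here) is worth removing
            stubs = [v for v in values if v.lower().startswith("rundll32")]
            if stubs:
                findings.append(("active-setup-rundll32", header + " -> " + stubs[0]))
                keys.append(header)
        elif low.endswith("firewallpolicy\\standardprofile]") and any(
                v.replace(" ", "").startswith('"EnableFirewall"=0') for v in values):
            # XP firewall is off: report it; re-enabling is a manual step, not CFScript
            findings.append(("firewall-disabled", header))
    return {"findings": findings, "cfscript": build_cfscript(files, keys)}


def build_cfscript(files, keys):
    """CFScript syntax as used in the thread: File:: lists paths to delete and
    Registry:: lists keys, where a leading '-' inside the brackets deletes the key."""
    out = []
    if files:
        out += ["File::"] + files + [""]
    if keys:
        out += ["Registry::"] + ["[-" + k[1:] for k in keys]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, detail in result["findings"]:
        print(f"{kind:26} {detail}")
    print("\n--- draft CFScript.txt ---\n" + result["cfscript"])
```

The draft is a starting point for review, not something to run unread: the firewall finding has no CFScript line on purpose, and every File:: path should be checked against the rest of the log before it is dropped into ComboFix.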

#9 riz_cola

riz_cola
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:03 AM

Posted 29 August 2008 - 05:34 PM

Hello Snowhite :thumbsup:
Computer's running just like new thanks to you :)

ComboFix.txt


ComboFix 08-08-29.02 - Arris 2008-08-29 14:57:09.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.27 [GMT -7:00]
Running from: C:\Documents and Settings\Arris\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Arris\Desktop\CFScript.txt

FILE ::
C:\Documents and Settings\Arris\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Arris\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\Update_0803_KB130720.exe
C:\Documents and Settings\Rick\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Rick\Start Menu\Programs\Startup\DW_Start.lnk
C:\WINDOWS\pss\Deewoo.lnkStartup
C:\WINDOWS\pss\DW_Start.lnkStartup
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\#SharedObjects\ZMN93TGS\bin.clearspring.com
C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\#SharedObjects\ZMN93TGS\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\#SharedObjects\ZMN93TGS\interclick.com
C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\#SharedObjects\ZMN93TGS\interclick.com\ud.sol
C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\#SharedObjects\ZMN93TGS\static.youku.com
C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\#SharedObjects\ZMN93TGS\static.youku.com\v1.0.0314\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\Arris\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\Update_0803_KB130720.exe
C:\Documents and Settings\Rick\Application Data\macromedia\Flash Player\#SharedObjects\87DSU89H\bin.clearspring.com
C:\Documents and Settings\Rick\Application Data\macromedia\Flash Player\#SharedObjects\87DSU89H\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Rick\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Rick\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\WINDOWS\pss\Deewoo.lnkStartup
C:\WINDOWS\pss\DW_Start.lnkStartup

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-19 17:10 . 2003-07-17 02:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-08-19 17:10 . 2004-12-31 17:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-08-19 17:09 . 2008-08-19 17:09 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-08-19 16:17 . 2008-08-19 17:19 <DIR> d--h----- C:\Documents and Settings\Arris\Application Data\ijjigame
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-02 15:00 . 2008-08-02 15:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-30 18:23 . 2008-08-15 02:26 7,680 --ahs---- C:\WINDOWS\Thumbs.db

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 00:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-13 18:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-13 10:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-07 23:27 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-07-31 01:16 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-04 16:56 23 ----a-w C:\Documents and Settings\Arris\jagex_runescape_preferences.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-16_16.43.59.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-12 20:43:48 3,969,024 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-08-23 01:46:05 4,993,024 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-08-12 20:43:48 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-23 01:46:05 155,648 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-06 19:30 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
NETGEAR WPN111 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN111\wpn111.exe [2008-02-08 15:18:00 884838]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 13:10]
R3 Maestro;ESS Maestro2E Audio Driver (WDM);C:\WINDOWS\system32\drivers\essm2e.sys [2004-08-03 15:32]
R3 tgiul50;tgiul50;C:\WINDOWS\system32\DRIVERS\tgiulnt5.sys [2001-08-17 05:51]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\WINDOWS\system32\DRIVERS\WPN111.sys [2005-09-26 17:02]
S3 N5SG;Airlink101 SuperG Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\N5SG.sys [2006-11-03 16:30]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 15:03:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-29 15:09:55
ComboFix-quarantined-files.txt 2008-08-29 22:08:53

Pre-Run: 194,592,768 bytes free
Post-Run: 223,223,808 bytes free

97 --- E O F --- 2008-02-08 22:21:50


Hijackthis Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:23:09 PM, on 8/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 2712 bytes


Thanks again :)
It takes more muscle to frown than it is to smile...

So smile foo!

#10 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:11:03 AM

Posted 01 September 2008 - 06:16 PM

Hello Snowhite :thumbsup:
Computers running just like new thanks to you :)


Hello riz_cola,

Glad that the computer is running better :)

I must also mention that to keep it safer you need to have at least a firewall and an antivirus program, of which I don't see any signs. I know that your system is low on resources etc., but you really need to add protection to it, otherwise you will just get reinfected again.

I will leave your topic open for a couple of days; if the malware problem comes back feel free to post here.


Click Start > Run, and into the empty Run box copy and paste the following command:

combofix /u


Press OK button.

The above will uninstall ComboFix and some of the tools we used from your computer, set a new restore point, and hide system protected files/folders.

Please take time to read my recommendations below:
  • Practice Safe Internet

    One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware-free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below is a list of simple precautions to take to keep your computer clean and running securely:
  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.

  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.

  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.

  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.

    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites

  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.

  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.

  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead, when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.

  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.

  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing it, and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee SiteAdvisor to look up info on the site.

  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
  • SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
  • Select the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Select Custom Level .
  • Change 'Download signed ActiveX controls' to Prompt
  • Change 'Download unsigned ActiveX controls' to Disable
  • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
  • Change 'Installation of desktop items' to Prompt
  • Change 'Launching programs and files in an IFRAME' to Prompt
  • Change 'Navigate sub-frames across different domains' to Prompt
  • When all these changes have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Select OK to exit the Internet Properties page.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Secunia Software Inspector
Check for other vulnerable programs running on your PC that are in need of an update.
http://secunia.com/software_inspector
Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see this link:
Understanding and Using Firewalls



SPYWAREBLASTER
SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here:
http://www.bleepingcomputer.com/forums/tutorial49.html


IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here:
http://www.spywarewarrior.com/uiuc/resource.htm


COMODO BOClean
BOClean runs automatically in the background without interfering with your work and kills malware INSTANTLY the moment it activates, without giving it the chance to invade your machine. A tutorial on installing this product can be found here:
http://www.comodo.com/boclean/boclean.html


WINPATROL
Download and install the free version of Winpatrol. A tutorial for this product is located here:
http://www.winpatrol.com/features.html

A-SQUARED Anti-Dialer
This is a free program that provides defense against Dialers, scans the hard disk and provides a permanent background guard protection against new Dialer infections.

"Dialers are small programs that change the Internet access number of a modem-equipped computer to a much more expensive number"

To understand this threat better read this article The Dialer-Problem in Detail. a-squared Anti-Dialer can be downloaded at the following link:
http://download5.emsisoft.com/a2AntiDialerSetup.exe

A-SQUARED Free
This program is completely free of charge for private use, it removes infections of Trojans, Spyware, Adware, Worms, Keyloggers, Rootkits, Dialers and other malicious programs. It can be downloaded at the following link:
http://www.emsisoft.com/en/software/free

SUPERAntiSpyware Home Edition
Another effective program for helping remove some of the more difficult infections.
http://www.superantispyware.com/downloadfile.html
  • More Secure Browser - Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox and Opera.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.

See these links for more information:

Foistware & How To Avoid It
Browser Hijacking & How to Stop It
Rogue/Suspect Anti-Spyware Products & Web Sites
So how did I get infected in the first place?

Stand Up and Be Counted --- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Happy surfing and stay clean! :)


Best regards,
SNOWHITE
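The Internet Explorer zone settings SNOWHITE lists above, and the firewall switch the ComboFix log reported as `"EnableFirewall"= 0`, all live in the registry, so a defender can verify them without clicking through the dialogs. The script below is an added example written for this thread; it is not code from BleepingComputer, ComboFix, HijackThis or any product named in the post. It is read-only: it reports each setting as OK, CHANGE, or not yet written (zone default), and changes nothing. It assumes Microsoft's documented layout for IE zone settings (zone 3 is the Internet zone, the numeric value names are the URL-action IDs, and 0/1/3 mean Enable/Prompt/Disable) and the same StandardProfile firewall key that appears in the ComboFix log.

```powershell
# Added example for this thread (not code from the forum or any tool it mentions).
# Read-only audit of the IE "Internet" zone settings recommended above plus the
# Windows Firewall standard-profile switch. Nothing in this script writes to the registry.

# Zone 3 = Internet zone. Value names are the documented IE URL-action IDs.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action ID -> (setting name as shown in the Custom Level dialog, value the post recommends).
# 0 = Enable, 1 = Prompt, 3 = Disable.
$Wanted = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneActionValue([string]$Id) {
    # Returns the DWORD stored for one action ID, or $null when the value has never
    # been written (IE then uses the zone's built-in default for that action).
    $props = Get-ItemProperty -Path $ZonePath -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    $p = $props.PSObject.Properties[$Id]
    if ($null -eq $p) { return $null }
    return [int]$p.Value
}

function Format-ActionValue($Value) {
    # Human-readable form of a zone action value; unknown codes are shown raw.
    if ($null -eq $Value) { return '-' }
    if ($Label.ContainsKey($Value)) { return $Label[$Value] }
    return "$Value"
}

function Test-IeInternetZone {
    # One result object per recommended setting.
    foreach ($id in $Wanted.Keys) {
        $actual = Get-ZoneActionValue $id
        $want   = $Wanted[$id].Want
        if ($null -eq $actual)     { $status = 'NOT SET (zone default)' }
        elseif ($actual -eq $want) { $status = 'OK' }
        else                       { $status = 'CHANGE' }
        [pscustomobject]@{
            Setting = $Wanted[$id].Name
            Actual  = Format-ActionValue $actual
            Wanted  = $Label[$want]
            Status  = $status
        }
    }
}

function Test-StandardProfileFirewall {
    # Same key ComboFix listed under "Reg Loading Points" with EnableFirewall = 0.
    $fwPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $fw = Get-ItemProperty -Path $fwPath -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($null -eq $fw) { $actual = '-'; $status = 'CHANGE' }
    else {
        $actual = [int]$fw.EnableFirewall
        if ($actual -eq 1) { $status = 'OK' } else { $status = 'CHANGE' }
    }
    [pscustomobject]@{
        Setting = 'Windows Firewall, standard profile (EnableFirewall)'
        Actual  = $actual
        Wanted  = 1
        Status  = $status
    }
}

# Usage: run in a normal user session; the firewall key is readable without elevation.
@(Test-IeInternetZone) + @(Test-StandardProfileFirewall) | Format-Table -AutoSize
```

A row reading CHANGE for any of the ActiveX lines means the Custom Level steps in the post have not been applied (or were reset by a later policy); a NOT SET row simply means IE is still using the zone default, which the dialog will show when you open it. On Windows versions newer than XP the same registry layout still exists, but the firewall state is better queried with Get-NetFirewallProfile where that cmdlet is available.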

#11 riz_cola

riz_cola
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:03 AM

Posted 03 September 2008 - 10:09 PM

Big thanks for the big help Snowhite :)

Just installed Avira Antivir. Thanks again for the support. :thumbsup:
It takes more muscle to frown than it is to smile...

So smile foo!

#12 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:11:03 AM

Posted 06 September 2008 - 04:24 PM

Big thanks for the big help Snowhite :)

Just installed Avira Antivir. Thanks again for the support. :thumbsup:

You are welcome riz_cola :)

As the problem here seems to be resolved this topic is now closed.
To get it reopened PM a staff member with the address of this thread.
This applies to the topic starter only, everyone else with similar problems start a new topic.

Glad we could help :)
SNOWHITE



