
Red "x" Mark Instead Of The Icon For Local Disk C


  • This topic is locked
18 replies to this topic

#1 spastank

spastank

  • Members
  • 32 posts
  • OFFLINE
  • Gender:Male
  • Location:South Africa
  • Local time:09:24 PM

Posted 05 August 2008 - 08:35 AM

My computer just had a nasty infection. More info here:
http://www.bleepingcomputer.com/forums/t/159600/how-to-remove-trojnfakealert/
That's my hijackthis logfile:

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-05 14:56:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 5.84 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:46 , on 05.8.2008 .
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\RDM+\rdmpserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\Datecs\Flex2K.exe
C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
O4 - .DEFAULT User Startup: hpothb07.dat (User 'Default user')
O4 - .DEFAULT User Startup: hpothb07.tif (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: FlexType 2K.lnk = C:\WINDOWS\Datecs\Flex2K.exe
O4 - Global Startup: iBurst Terminal UTL.lnk = ?
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1217453773531
O17 - HKLM\System\CCS\Services\Tcpip\..\{68068C0F-08E7-4B00-B714-4817B5E130CE}: NameServer = 196.207.32.83 196.207.32.69
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: RDM+ Local Service (RDMPLocalService) - SHAPE Services GmbH - C:\Program Files\RDM+\rdmpserv.exe

--
End of file - 6233 bytes

-- Files created between 2008-07-05 and 2008-08-05 -----------------------------

2008-08-05 14:55:51 0 d-------- C:\Program Files\Trend Micro
2008-08-04 20:44:49 0 d-------- C:\Program Files\SOTI
2008-08-03 00:18:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-30 15:34:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-30 15:34:27 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-30 15:34:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 09:47:46 0 d--hs---- C:\WINDOWS\CSC
2008-07-29 23:01:47 0 dr-h----- C:\$VAULT$.AVG
2008-07-29 11:44:37 0 d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-07-29 10:30:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-29 10:29:56 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-29 09:56:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-29 09:56:18 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-07-29 09:55:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-07-29 09:55:44 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-07-29 09:46:05 0 d-------- C:\Program Files\CCleaner
2008-07-24 20:23:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-07-20 09:38:51 0 d-------- C:\Program Files\AC3Filter
2008-07-15 22:52:45 0 d-------- C:\WINDOWS\system\_sv_CMD_


-- Find3M Report ---------------------------------------------------------------

2008-08-05 14:56:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Free Download Manager
2008-08-05 00:16:36 53784 --a----c- C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-08-04 20:44:49 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-04 20:09:57 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-08-04 16:37:47 0 d-------- C:\Documents and Settings\Administrator\Application Data\Skype
2008-08-04 16:18:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\skypePM
2008-08-03 10:39:18 0 d-------- C:\Program Files\Nokia
2008-08-03 10:39:18 0 d-------- C:\Program Files\Common Files\Nokia
2008-08-03 10:39:17 0 d-------- C:\Program Files\Common Files\PCSuite
2008-08-03 09:06:27 53784 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-08-02 23:15:10 2508 --a------ C:\Documents and Settings\Administrator\Application Data\$_hpcst$.hpc
2008-08-02 23:06:37 0 d-------- C:\Program Files\Total Video Converter
2008-08-02 13:27:26 900 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-07-29 10:30:36 0 d-------- C:\Program Files\Lavasoft
2008-07-29 10:29:56 0 d-------- C:\Program Files\Common Files
2008-07-29 10:22:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-07-29 10:12:02 81984 --a------ C:\WINDOWS\system32\bdod.bin
2008-07-29 10:09:07 0 d-------- C:\Program Files\Westward_at
2008-07-29 10:08:30 0 d-------- C:\Program Files\Common Files\Logitech
2008-07-24 20:03:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-20 08:34:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\BSplayer
2008-07-17 16:36:27 0 d-------- C:\Documents and Settings\Administrator\Application Data\Ahead
2008-07-05 15:18:11 0 d-------- C:\Program Files\iPod
2008-07-04 18:24:23 0 d-------- C:\Program Files\iTunes
2008-06-16 09:33:40 0 d-------- C:\Program Files\Common Files\Ahead


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [30.07.2008 . 11:42]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [02.04.2007 . 10:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amva"="C:\WINDOWS\system32\amvo.exe" []
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [20.06.2006 . 10:36]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"IETI"=C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [31.8.2005 . 00:40:36]
FlexType 2K.lnk - C:\WINDOWS\Datecs\Flex2K.exe [08.9.2005 . 21:28:27]
iBurst Terminal UTL.lnk - C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE [12.5.2007 . 08:04:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"NoStartMenuMorePrograms"=0 (0x0)
"StartMenuLogOff"=0 (0x0)
"NoSetFolders"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhhh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlo25.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b9addd2-e1cb-11da-898e-806d6172696f}]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3628cc97-94f6-11dc-8b3a-00c0eec372b7}]
AutoRun\command- K:\uxdeiect.com
explore\Command- K:\uxdeiect.com
open\Command- K:\uxdeiect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6976c860-1981-11da-91a9-806d6172696f}]
AutoRun\command- uxdeiect.com
explore\Command- uxdeiect.com
open\Command- uxdeiect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b463efe0-60e9-11db-89cc-00c0eec372b7}]
AutoRun\command- J:\
explore\Command- J:\RECYCLER\INFO.exe
open\Command- J:\RECYCLER\INFO.exe




-- End of Deckard's System Scanner: finished at 2008-08-05 14:57:27 ------------

Edited by spastank, 05 August 2008 - 09:09 AM.



#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:08:24 PM

Posted 07 August 2008 - 11:21 AM

Hello Spastank and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please update Malwarebytes' Anti-Malware

Doubleclick MBAM to run it.
  • Go to the Update tab and click Update.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Restart your computer.

4. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users!).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder

Edited by Thunder, 07 August 2008 - 11:24 AM.


#3 spastank

spastank
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Gender:Male
  • Location:South Africa
  • Local time:09:24 PM

Posted 07 August 2008 - 07:12 PM

Hi, I've followed all the instructions described. All missing icons came back to the desktop, but the Local Disk C is still the same. Here are my logs from Combofix, Hijackthis and MBAM:

Combofix:
ComboFix 08-08-07.01 - Administrator 2008-08-08 0:12:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.410 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.
ADS - explorer.exe: deleted 100 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Documents and Settings\Administrator\Application Data\Install.dat
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\hpothb07.dat
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\hpothb07.tif
C:\WINDOWS\system\_sv_CMD_
C:\WINDOWS\system32\akgseray.ini
C:\WINDOWS\system32\bhkcxtpm.ini
C:\WINDOWS\system32\pojhhrwn.ini
C:\WINDOWS\system32\upovexml.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.

2008-08-05 14:55 . 2008-08-05 14:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 13:22 . 2008-08-05 13:22 <DIR> d-------- C:\Deckard
2008-08-04 20:44 . 2008-08-04 20:44 <DIR> d-------- C:\Program Files\SOTI
2008-08-03 09:46 . 2008-08-03 09:46 33 --a------ C:\WINDOWS\Multimedia manager.INI
2008-08-03 00:18 . 2008-08-03 00:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-30 15:34 . 2008-08-07 22:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-30 15:34 . 2008-07-30 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 15:34 . 2008-07-30 15:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-30 15:34 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-30 15:34 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-29 23:01 . 2008-08-07 10:26 <DIR> dr-h----- C:\$VAULT$.AVG
2008-07-29 11:44 . 2008-07-29 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-07-29 10:30 . 2008-07-29 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-29 10:29 . 2008-07-29 10:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-29 10:05 . 2008-07-29 10:05 272 --a------ C:\WINDOWS\_delis32.ini
2008-07-29 09:56 . 2008-07-29 09:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-07-29 09:56 . 2008-07-29 09:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-29 09:55 . 2008-07-29 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-07-29 09:55 . 2008-07-29 10:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-07-29 09:46 . 2008-07-29 10:05 <DIR> d-------- C:\Program Files\CCleaner
2008-07-24 20:24 . 2001-08-23 14:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-20 09:46 . 2008-07-09 10:05 421,888 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-07-20 09:38 . 2008-07-30 20:10 <DIR> d-------- C:\Program Files\AC3Filter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 21:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Free Download Manager
2008-08-06 15:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-08-06 14:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2008-08-04 22:16 53,784 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-08-04 18:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-04 18:09 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-03 08:39 --------- d-----w C:\Program Files\Nokia
2008-08-03 08:39 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-08-03 08:39 --------- d-----w C:\Program Files\Common Files\Nokia
2008-08-03 08:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-08-02 21:06 --------- d-----w C:\Program Files\Total Video Converter
2008-07-29 08:30 --------- d-----w C:\Program Files\Lavasoft
2008-07-29 08:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-07-29 08:13 --------- d-----w C:\Program Files\Common Files\Softwin
2008-07-29 08:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\BitDefender
2008-07-29 08:09 --------- d-----w C:\Program Files\Westward_at
2008-07-29 08:08 --------- d-----w C:\Program Files\Common Files\Logitech
2008-07-24 18:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-20 06:34 --------- d-----w C:\Documents and Settings\Administrator\Application Data\BSplayer
2008-07-17 14:36 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ahead
2008-07-05 13:18 --------- d-----w C:\Program Files\iPod
2008-07-04 16:24 --------- d-----w C:\Program Files\iTunes
2008-06-16 07:33 --------- d-----w C:\Program Files\Common Files\Ahead
2008-06-16 07:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-12-14 14:18 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-07-20 12:41 2,226,086 ----a-w C:\Program Files\Vinyl_AudioCodec_v610b_64bit.zip
2007-06-04 16:05 255 ----a-w C:\Program Files\emotikoni.vbs
2007-05-28 13:32 1,770,322 ----a-w C:\Program Files\bl_elven_magic.zip
2006-09-05 07:31 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2006-06-25 18:36 24,192 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2006-06-25 18:36 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2006-05-11 16:14 461 -c--a-w C:\Program Files\INSTALL.LOG
2005-12-17 21:28 0 -c-ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2005-10-18 06:40 164 -c-ha-w C:\Documents and Settings\All Users\hpothb07.dat
2005-10-18 06:40 0 -c-ha-w C:\Documents and Settings\Default User\hpothb07.dat
2005-10-18 06:39 185 -c-ha-w C:\Documents and Settings\All Users\Application Data\hpothb07.dat
2005-10-18 06:37 0 -c-ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2005-10-18 06:37 0 -c-ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2005-10-02 12:35 742,912 ----a-w C:\Program Files\VirtualDub.exe
2005-10-02 12:35 118,474 -c--a-w C:\Program Files\VirtualDub.vdi
2005-10-02 12:33 7,738 ----a-w C:\Program Files\vdub.exe
2005-10-02 12:33 7,168 -c--a-w C:\Program Files\vdremote.dll
2005-10-02 12:33 6,656 -c--a-w C:\Program Files\vdicmdrv.dll
2005-10-02 12:33 5,120 -c--a-w C:\Program Files\vdsvrlnk.dll
2005-10-02 12:33 16,384 -c--a-w C:\Program Files\auxsetup.exe
2005-10-02 12:32 137,087 -c--a-w C:\Program Files\VirtualDub.vdhelp
2005-09-27 16:28 0 -c-ha-w C:\Documents and Settings\Administrator\Application Data\hpothb07.dat
2005-08-26 22:48 18,321 -c--a-w C:\Program Files\copying
2004-10-01 13:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2006-04-22 19:16 8 --sh--r C:\WINDOWS\system32\C4CA68C1F1.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [2006-06-20 22:36 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-07-30 23:42 579072]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35 327720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-07-30 23:42 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-31 00:40:36 57344]
FlexType 2K.lnk - C:\WINDOWS\Datecs\Flex2K.exe [2005-09-08 21:28:27 130048]
iBurst Terminal UTL.lnk - C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE [2007-05-12 08:04:18 311296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= C:\PROGRA~1\CCIPTV\sys\Decoder\others\iac25_32.ax
"msacm.divxa32"= DivXa32.acm
"msacm.enc"= ITIG726.acm
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlo25.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 tffsport;M-Systems DiskOnChip 2000;C:\WINDOWS\system32\DRIVERS\tffsport.sys [2004-08-03 23:00]
R1 eusk2par;EUTRON SmartKey Parallel Driver;C:\WINDOWS\system32\Drivers\eusk2par.sys [2004-11-18 12:49]
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2002-07-11 12:00]
R1 UsbFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys [2003-12-29 18:27]
R2 RDMPLocalService;RDM+ Local Service;C:\Program Files\RDM+\rdmpserv.exe [2006-12-03 13:48]
R3 dfmirage;dfmirage;C:\WINDOWS\system32\DRIVERS\dfmirage.sys [2005-11-27 15:25]
S0 Winlo25;Winlo25;C:\WINDOWS\system32\Drivers\Winlo25.sys []
S2 FILESpy;FILESpy;C:\Program Files\Softwin\BitDefender9\filespy.sys []
S3 eusk3usb;SmartKey 3 USB;C:\WINDOWS\system32\Drivers\eusk3usb.sys [2004-11-18 12:49]
S3 iBurst;iBurst Modem;C:\WINDOWS\system32\DRIVERS\iBurst.sys []
S3 iBurstu;iBurst Terminal;C:\WINDOWS\system32\DRIVERS\iBurstu.sys [2004-09-28 02:14]
S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 13:53]
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3628cc97-94f6-11dc-8b3a-00c0eec372b7}]
\Shell\AutoRun\command - K:\uxdeiect.com
\Shell\explore\Command - K:\uxdeiect.com
\Shell\open\Command - K:\uxdeiect.com
.
Contents of the 'Scheduled Tasks' folder

2005-12-21 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1127205820.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2008-08-07 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1127214977.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-RunOnce-IETI - C:\Program Files\Skype\Phone\IEPlugin\unins000.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKLM-Main,Start Page = hxxp://www.msn.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/keyword/%s
O8 -: Download all links using BitComet - C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 -: Download all videos using BitComet - C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 -: Download link using &BitComet - C:\Program Files\BitComet\BitComet.exe/AddLink.htm


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-08 00:54:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\newdll.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-08-08 1:14:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-07 23:14:09

Pre-Run: 6,155,579,392 bytes free
Post-Run: 6,033,129,472 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

214

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:59 , on 08.8.2008 .
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\RDM+\rdmpserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\WINDOWS\Datecs\Flex2K.exe
C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: hpothb07.dat (User 'Default user')
O4 - .DEFAULT User Startup: hpothb07.tif (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: FlexType 2K.lnk = C:\WINDOWS\Datecs\Flex2K.exe
O4 - Global Startup: iBurst Terminal UTL.lnk = ?
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1217453773531
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: RDM+ Local Service (RDMPLocalService) - SHAPE Services GmbH - C:\Program Files\RDM+\rdmpserv.exe

--
End of file - 5693 bytes



MBAM:

Malwarebytes' Anti-Malware 1.24
Database version: 1031
Windows 5.1.2600 Service Pack 2

23:07:51 07.8.2008 .
mbam-log-8-7-2008 (23-07-51).txt

Scan type: Quick Scan
Objects scanned: 41081
Time elapsed: 7 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.



Thanks a lot!
Spas

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:08:24 PM

Posted 08 August 2008 - 04:02 PM

Hello Spas,

Please go to VirusTotal,
copy and paste C:\WINDOWS\_delis32.ini
into the input window and submit the file for a scan.
Post the results in your next reply please.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 spastank (Topic Starter)

Posted 09 August 2008 - 05:24 AM

http://www.virustotal.com/analisis/b1aa71b...13081d6546ef51d

#6 Thunder

Posted 11 August 2008 - 03:42 AM

Hello Spas,

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail !
Copy/paste the bold, blue text below into an empty Notepad window:

Driver::
Winlo25
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlo25.sys]

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

What problems remain after this run ?

Greetings,
Thunder

#7 spastank (Topic Starter)

Posted 11 August 2008 - 08:25 AM

Hello!
I've done everything, but it's still the same, with the only exception that now I can open the Local Disc C directory. Before, it was only asking what program I want to open it with when I tried to access it.
Here are the logfiles, and thanks again for all your help!



ComboFix 08-08-07.01 - Administrator 2008-08-11 14:28:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.394 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\actskn43.ocx
F:\autorun.inf
F:\RECYCLER\desktop.ini
F:\RECYCLER\INFO.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINLO25
-------\Service_Winlo25


((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.

2008-08-09 19:31 . 2008-08-09 19:31 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-09 17:29 . 2008-08-09 17:29 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-05 14:55 . 2008-08-05 14:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 13:22 . 2008-08-05 13:22 <DIR> d-------- C:\Deckard
2008-08-04 20:44 . 2008-08-04 20:44 <DIR> d-------- C:\Program Files\SOTI
2008-08-03 09:46 . 2008-08-03 09:46 33 --a------ C:\WINDOWS\Multimedia manager.INI
2008-08-03 00:18 . 2008-08-03 00:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-30 15:34 . 2008-08-07 22:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-30 15:34 . 2008-07-30 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 15:34 . 2008-07-30 15:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-30 15:34 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-30 15:34 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-29 23:01 . 2008-08-07 10:26 <DIR> dr-h----- C:\$VAULT$.AVG
2008-07-29 11:44 . 2008-07-29 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-07-29 10:30 . 2008-07-29 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-29 10:29 . 2008-07-29 10:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-29 10:05 . 2008-07-29 10:05 272 --a------ C:\WINDOWS\_delis32.ini
2008-07-29 09:56 . 2008-07-29 09:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-07-29 09:56 . 2008-07-29 09:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-29 09:55 . 2008-07-29 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-07-29 09:55 . 2008-07-29 10:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-07-29 09:46 . 2008-07-29 10:05 <DIR> d-------- C:\Program Files\CCleaner
2008-07-24 20:24 . 2001-08-23 14:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-20 09:46 . 2008-07-09 10:05 421,888 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-07-20 09:38 . 2008-07-30 20:10 <DIR> d-------- C:\Program Files\AC3Filter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 17:00 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-08-09 14:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2008-08-07 21:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Free Download Manager
2008-08-04 22:16 53,784 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-08-04 18:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-04 18:09 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-03 08:39 --------- d-----w C:\Program Files\Nokia
2008-08-03 08:39 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-08-03 08:39 --------- d-----w C:\Program Files\Common Files\Nokia
2008-08-03 08:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-08-02 21:06 --------- d-----w C:\Program Files\Total Video Converter
2008-07-29 08:30 --------- d-----w C:\Program Files\Lavasoft
2008-07-29 08:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-07-29 08:13 --------- d-----w C:\Program Files\Common Files\Softwin
2008-07-29 08:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\BitDefender
2008-07-29 08:12 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-07-29 08:09 --------- d-----w C:\Program Files\Westward_at
2008-07-29 08:08 --------- d-----w C:\Program Files\Common Files\Logitech
2008-07-24 18:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-20 06:34 --------- d-----w C:\Documents and Settings\Administrator\Application Data\BSplayer
2008-07-17 14:36 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ahead
2008-07-05 13:18 --------- d-----w C:\Program Files\iPod
2008-07-04 16:24 --------- d-----w C:\Program Files\iTunes
2008-06-16 07:33 --------- d-----w C:\Program Files\Common Files\Ahead
2008-06-16 07:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-14 14:18 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-07-20 12:41 2,226,086 ----a-w C:\Program Files\Vinyl_AudioCodec_v610b_64bit.zip
2007-06-04 16:05 255 ----a-w C:\Program Files\emotikoni.vbs
2007-05-28 13:32 1,770,322 ----a-w C:\Program Files\bl_elven_magic.zip
2006-09-05 07:31 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2006-06-25 18:36 24,192 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2006-06-25 18:36 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2006-05-11 16:14 461 -c--a-w C:\Program Files\INSTALL.LOG
2005-12-17 21:28 0 -c-ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2005-10-18 06:40 164 -c-ha-w C:\Documents and Settings\All Users\hpothb07.dat
2005-10-18 06:40 0 -c-ha-w C:\Documents and Settings\Default User\hpothb07.dat
2005-10-18 06:39 185 -c-ha-w C:\Documents and Settings\All Users\Application Data\hpothb07.dat
2005-10-18 06:37 0 -c-ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2005-10-18 06:37 0 -c-ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2005-10-02 12:35 742,912 ----a-w C:\Program Files\VirtualDub.exe
2005-10-02 12:35 118,474 -c--a-w C:\Program Files\VirtualDub.vdi
2005-10-02 12:33 7,738 ----a-w C:\Program Files\vdub.exe
2005-10-02 12:33 7,168 -c--a-w C:\Program Files\vdremote.dll
2005-10-02 12:33 6,656 -c--a-w C:\Program Files\vdicmdrv.dll
2005-10-02 12:33 5,120 -c--a-w C:\Program Files\vdsvrlnk.dll
2005-10-02 12:33 16,384 -c--a-w C:\Program Files\auxsetup.exe
2005-10-02 12:32 137,087 -c--a-w C:\Program Files\VirtualDub.vdhelp
2005-09-27 16:28 0 -c-ha-w C:\Documents and Settings\Administrator\Application Data\hpothb07.dat
2005-08-26 22:48 18,321 -c--a-w C:\Program Files\copying
2004-10-01 13:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2006-04-22 19:16 8 --sh--r C:\WINDOWS\system32\C4CA68C1F1.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [2006-06-20 22:36 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-07-30 23:42 579072]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35 327720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-07-30 23:42 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-31 00:40:36 57344]
FlexType 2K.lnk - C:\WINDOWS\Datecs\Flex2K.exe [2005-09-08 21:28:27 130048]
iBurst Terminal UTL.lnk - C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE [2007-05-12 08:04:18 311296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= C:\PROGRA~1\CCIPTV\sys\Decoder\others\iac25_32.ax
"msacm.divxa32"= DivXa32.acm
"msacm.enc"= ITIG726.acm
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlo25.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 tffsport;M-Systems DiskOnChip 2000;C:\WINDOWS\system32\DRIVERS\tffsport.sys [2004-08-03 23:00]
R1 eusk2par;EUTRON SmartKey Parallel Driver;C:\WINDOWS\system32\Drivers\eusk2par.sys [2004-11-18 12:49]
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2002-07-11 12:00]
R1 UsbFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys [2003-12-29 18:27]
R2 RDMPLocalService;RDM+ Local Service;C:\Program Files\RDM+\rdmpserv.exe [2006-12-03 13:48]
R3 dfmirage;dfmirage;C:\WINDOWS\system32\DRIVERS\dfmirage.sys [2005-11-27 15:25]
S2 FILESpy;FILESpy;C:\Program Files\Softwin\BitDefender9\filespy.sys []
S3 eusk3usb;SmartKey 3 USB;C:\WINDOWS\system32\Drivers\eusk3usb.sys [2004-11-18 12:49]
S3 iBurst;iBurst Modem;C:\WINDOWS\system32\DRIVERS\iBurst.sys []
S3 iBurstu;iBurst Terminal;C:\WINDOWS\system32\DRIVERS\iBurstu.sys [2004-09-28 02:14]
S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 13:53]
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3628cc97-94f6-11dc-8b3a-00c0eec372b7}]
\Shell\AutoRun\command - K:\uxdeiect.com
\Shell\explore\Command - K:\uxdeiect.com
\Shell\open\Command - K:\uxdeiect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95e63a7d-48d6-11db-89bf-00c0eec372b7}]
\Shell\AutoRun\command - uxdeiect.com
\Shell\explore\Command - uxdeiect.com
\Shell\open\Command - uxdeiect.com
.
Contents of the 'Scheduled Tasks' folder

2005-12-21 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1127205820.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2008-08-11 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1127214977.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 14:40:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\newdll.dll
-> ?:\WINDOWS\System32\CSCDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-08-11 15:00:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-11 13:00:09
ComboFix2.txt 2008-08-07 23:14:17

Pre-Run: 5,751,517,184 bytes free
Post-Run: 5,813,067,776 bytes free

199


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:40 , on 11.8.2008 .
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\RDM+\rdmpserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\WINDOWS\Datecs\Flex2K.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: hpothb07.dat (User 'Default user')
O4 - .DEFAULT User Startup: hpothb07.tif (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: FlexType 2K.lnk = C:\WINDOWS\Datecs\Flex2K.exe
O4 - Global Startup: iBurst Terminal UTL.lnk = ?
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1217453773531
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: RDM+ Local Service (RDMPLocalService) - SHAPE Services GmbH - C:\Program Files\RDM+\rdmpserv.exe

--
End of file - 5804 bytes

#8 Thunder

Posted 11 August 2008 - 04:01 PM

Hello Spas,

For the next step, it's very important that you connect your removable drive (usb stick, camera, mp3 player ??) that is usually known as the K: drive
prior to running the next CFScript !!

Open Notepad - don't use any other text editor than Notepad or the script will fail !
Copy/paste the bold, blue text below into an empty Notepad window:

File::
K:\uxdeiect.com
F:\uxdeiect.com
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3628cc97-94f6-11dc-8b3a-00c0eec372b7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95e63a7d-48d6-11db-89bf-00c0eec372b7}]

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This may start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply (if not, reboot your system yourself),
as well as a fresh HijackThis log.

If that red X is still showing,
download xp_drive_association_fix.zip to your desktop,
unpack/unzip it, and double click on xp_drive_association_fix.reg to merge the content with your registry.
Reboot your system and check again.

Greetings,
Thunder
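The CFScript steps here and in post #6 are written by hand from the ComboFix log; the Python below is an added example (not part of the thread, ComboFix, or the helper's tools, and its function names are this example's own) that parses the MountPoints2 block as it appears in the log above, flags each drive key whose AutoRun/open/explore verb runs an executable, and renders the matching File::/Registry:: CFScript text. It assumes the log excerpt is the one posted above, and it does not guess a drive letter for the bare uxdeiect.com entry (the helper added F:\ from the earlier autorun.inf finding); it reports that name separately instead.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt: the MountPoints2 entries exactly as they appear in the
# "Reg Loading Points" section of the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3628cc97-94f6-11dc-8b3a-00c0eec372b7}]
\Shell\AutoRun\command - K:\uxdeiect.com
\Shell\explore\Command - K:\uxdeiect.com
\Shell\open\Command - K:\uxdeiect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95e63a7d-48d6-11db-89bf-00c0eec372b7}]
\Shell\AutoRun\command - uxdeiect.com
\Shell\explore\Command - uxdeiect.com
\Shell\open\Command - uxdeiect.com
"""

# File types Explorer would execute when the AutoRun/open/explore verb fires
# from a MountPoints2 entry (ComboFix only lists non-default entries, so any
# command pointing at one of these is a hijack candidate).
EXEC_EXT = (".com", ".exe", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js")

KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.*?\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+?)\s*$", re.I)
DRIVE_RE = re.compile(r"^[A-Z]:\\", re.I)


def parse_mountpoints(log_text: str) -> Dict[str, Dict[str, str]]:
    """Map each MountPoints2 key in the log to its {verb: command target} pairs."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # a blank line ends the registry block
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries[current] = {}
            continue
        verb = VERB_RE.match(line)
        if verb and current is not None:
            entries[current][verb.group(1).lower()] = verb.group(2)
    return entries


def hijacked_keys(entries: Dict[str, Dict[str, str]]) -> List[str]:
    """Keys whose AutoRun, open or explore verb launches an executable from the drive."""
    bad: List[str] = []
    for key, verbs in entries.items():
        if any(verbs.get(v, "").lower().endswith(EXEC_EXT)
               for v in ("autorun", "open", "explore")):
            bad.append(key)
    return bad


def build_cfscript(log_text: str) -> Tuple[str, List[str]]:
    """Render the CFScript text (File:: and Registry:: sections, in the layout the
    thread uses) for every hijacked key, and also return targets whose drive
    letter the log does not give, so a human fills those in instead of the script guessing."""
    entries = parse_mountpoints(log_text)
    bad = hijacked_keys(entries)
    files: List[str] = []
    unknown: List[str] = []
    for key in bad:
        for target in entries[key].values():
            if not target.lower().endswith(EXEC_EXT):
                continue
            bucket = files if DRIVE_RE.match(target) else unknown
            if target not in bucket:
                bucket.append(target)
    lines = ["File::", *files, "Registry::", *[f"[-{k}]" for k in bad]]
    return "\n".join(lines), unknown


if __name__ == "__main__":
    script, unresolved = build_cfscript(SAMPLE_LOG)
    print(script)
    for name in unresolved:
        print(f"# drive letter unknown for {name}; locate it before adding a File:: line")
```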

#9 spastank (Topic Starter)

Posted 13 August 2008 - 02:30 AM

Hello

It's still the same.


ComboFix 08-08-07.01 - Administrator 2008-08-12 7:59:45.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.424 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
F:\uxdeiect.com
K:\uxdeiect.com
.

((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))
.

2008-08-09 19:31 . 2008-08-09 19:31 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-09 17:29 . 2008-08-09 17:29 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-05 14:55 . 2008-08-05 14:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 13:22 . 2008-08-05 13:22 <DIR> d-------- C:\Deckard
2008-08-04 20:44 . 2008-08-04 20:44 <DIR> d-------- C:\Program Files\SOTI
2008-08-03 09:46 . 2008-08-03 09:46 33 --a------ C:\WINDOWS\Multimedia manager.INI
2008-08-03 00:18 . 2008-08-03 00:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-30 15:34 . 2008-08-07 22:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-30 15:34 . 2008-07-30 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 15:34 . 2008-07-30 15:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-30 15:34 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-30 15:34 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-29 23:01 . 2008-08-07 10:26 <DIR> dr-h----- C:\$VAULT$.AVG
2008-07-29 11:44 . 2008-07-29 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-07-29 10:30 . 2008-07-29 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-29 10:29 . 2008-07-29 10:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-29 10:05 . 2008-07-29 10:05 272 --a------ C:\WINDOWS\_delis32.ini
2008-07-29 09:56 . 2008-07-29 09:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-07-29 09:56 . 2008-07-29 09:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-29 09:55 . 2008-07-29 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-07-29 09:55 . 2008-07-29 10:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-07-29 09:46 . 2008-07-29 10:05 <DIR> d-------- C:\Program Files\CCleaner
2008-07-24 20:24 . 2001-08-23 14:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-20 09:46 . 2008-07-09 10:05 421,888 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-07-20 09:38 . 2008-07-30 20:10 <DIR> d-------- C:\Program Files\AC3Filter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 17:00 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-08-09 14:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2008-08-07 21:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Free Download Manager
2008-08-04 22:16 53,784 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-08-04 18:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-04 18:09 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-03 08:39 --------- d-----w C:\Program Files\Nokia
2008-08-03 08:39 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-08-03 08:39 --------- d-----w C:\Program Files\Common Files\Nokia
2008-08-03 08:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-08-02 21:06 --------- d-----w C:\Program Files\Total Video Converter
2008-07-29 08:30 --------- d-----w C:\Program Files\Lavasoft
2008-07-29 08:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-07-29 08:13 --------- d-----w C:\Program Files\Common Files\Softwin
2008-07-29 08:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\BitDefender
2008-07-29 08:12 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-07-29 08:09 --------- d-----w C:\Program Files\Westward_at
2008-07-29 08:08 --------- d-----w C:\Program Files\Common Files\Logitech
2008-07-24 18:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-20 06:34 --------- d-----w C:\Documents and Settings\Administrator\Application Data\BSplayer
2008-07-17 14:36 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ahead
2008-07-05 13:18 --------- d-----w C:\Program Files\iPod
2008-07-04 16:24 --------- d-----w C:\Program Files\iTunes
2008-06-16 07:33 --------- d-----w C:\Program Files\Common Files\Ahead
2008-06-16 07:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-14 14:18 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-07-20 12:41 2,226,086 ----a-w C:\Program Files\Vinyl_AudioCodec_v610b_64bit.zip
2007-06-04 16:05 255 ----a-w C:\Program Files\emotikoni.vbs
2007-05-28 13:32 1,770,322 ----a-w C:\Program Files\bl_elven_magic.zip
2006-09-05 07:31 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2006-06-25 18:36 24,192 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2006-06-25 18:36 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2006-05-11 16:14 461 -c--a-w C:\Program Files\INSTALL.LOG
2005-12-17 21:28 0 -c-ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2005-10-18 06:40 164 -c-ha-w C:\Documents and Settings\All Users\hpothb07.dat
2005-10-18 06:40 0 -c-ha-w C:\Documents and Settings\Default User\hpothb07.dat
2005-10-18 06:39 185 -c-ha-w C:\Documents and Settings\All Users\Application Data\hpothb07.dat
2005-10-18 06:37 0 -c-ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2005-10-18 06:37 0 -c-ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2005-10-02 12:35 742,912 ----a-w C:\Program Files\VirtualDub.exe
2005-10-02 12:35 118,474 -c--a-w C:\Program Files\VirtualDub.vdi
2005-10-02 12:33 7,738 ----a-w C:\Program Files\vdub.exe
2005-10-02 12:33 7,168 -c--a-w C:\Program Files\vdremote.dll
2005-10-02 12:33 6,656 -c--a-w C:\Program Files\vdicmdrv.dll
2005-10-02 12:33 5,120 -c--a-w C:\Program Files\vdsvrlnk.dll
2005-10-02 12:33 16,384 -c--a-w C:\Program Files\auxsetup.exe
2005-10-02 12:32 137,087 -c--a-w C:\Program Files\VirtualDub.vdhelp
2005-09-27 16:28 0 -c-ha-w C:\Documents and Settings\Administrator\Application Data\hpothb07.dat
2005-08-26 22:48 18,321 -c--a-w C:\Program Files\copying
2004-10-01 13:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2006-04-22 19:16 8 --sh--r C:\WINDOWS\system32\C4CA68C1F1.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [2006-06-20 22:36 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-07-30 23:42 579072]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35 327720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-07-30 23:42 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-31 00:40:36 57344]
FlexType 2K.lnk - C:\WINDOWS\Datecs\Flex2K.exe [2005-09-08 21:28:27 130048]
iBurst Terminal UTL.lnk - C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE [2007-05-12 08:04:18 311296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= C:\PROGRA~1\CCIPTV\sys\Decoder\others\iac25_32.ax
"msacm.divxa32"= DivXa32.acm
"msacm.enc"= ITIG726.acm
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlo25.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 tffsport;M-Systems DiskOnChip 2000;C:\WINDOWS\system32\DRIVERS\tffsport.sys [2004-08-03 23:00]
R1 eusk2par;EUTRON SmartKey Parallel Driver;C:\WINDOWS\system32\Drivers\eusk2par.sys [2004-11-18 12:49]
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2002-07-11 12:00]
R1 UsbFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys [2003-12-29 18:27]
R2 RDMPLocalService;RDM+ Local Service;C:\Program Files\RDM+\rdmpserv.exe [2006-12-03 13:48]
R3 dfmirage;dfmirage;C:\WINDOWS\system32\DRIVERS\dfmirage.sys [2005-11-27 15:25]
S2 FILESpy;FILESpy;C:\Program Files\Softwin\BitDefender9\filespy.sys []
S3 eusk3usb;SmartKey 3 USB;C:\WINDOWS\system32\Drivers\eusk3usb.sys [2004-11-18 12:49]
S3 iBurst;iBurst Modem;C:\WINDOWS\system32\DRIVERS\iBurst.sys []
S3 iBurstu;iBurst Terminal;C:\WINDOWS\system32\DRIVERS\iBurstu.sys [2004-09-28 02:14]
S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 13:53]
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2005-12-21 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1127205820.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2008-08-11 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1127214977.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-12 08:06:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-08-12 8:18:14
ComboFix-quarantined-files.txt 2008-08-12 06:17:12
ComboFix2.txt 2008-08-11 13:00:15
ComboFix3.txt 2008-08-07 23:14:17

Pre-Run: 5,804,490,752 bytes free
Post-Run: 5,781,667,840 bytes free

162


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:13 , on 12.8.2008 .
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\Datecs\Flex2K.exe
C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\RDM+\rdmpserv.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: hpothb07.dat (User 'Default user')
O4 - .DEFAULT User Startup: hpothb07.tif (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: FlexType 2K.lnk = C:\WINDOWS\Datecs\Flex2K.exe
O4 - Global Startup: iBurst Terminal UTL.lnk = ?
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1217453773531
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: RDM+ Local Service (RDMPLocalService) - SHAPE Services GmbH - C:\Program Files\RDM+\rdmpserv.exe

--
End of file - 5914 bytes


Greetings
Spas

#10 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 13 August 2008 - 03:24 PM

Hello Spas,

Open Notepad and copy and paste the bold, blue text below in it:

regedit /e export.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\DriveIcons"
type export.txt
start notepad export.txt

Save this as export.bat. Choose to save as "all files" and place it on your Desktop.
It should look like this: [image]
Double-click on it and if a log appears, post it in your next reply please.

Btw, are you running 2 antivirus programs (Antivir & AVG7) actively at the same time? :thumbsup:
If so, please remove one of them through Control Panel > Software from the Softwarelist to prevent interference.

Greetings,
Thunder

#11 spastank
  • Topic Starter
  • Members
  • 32 posts
  • Gender:Male
  • Location:South Africa

Posted 14 August 2008 - 12:45 PM

Hello!
How can I show you the log, because it is quite big (122 MB)? It cannot be copied and pasted either. I've tried to compress it, but it's still too big to be attached to my post (5 MB).
Thanks!

#12 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 14 August 2008 - 03:08 PM

Hello Spas,

Are you sure you copied all of the blue text and only the blue text in your Notepad window?
The log shouldn't be any larger than a few kb. :thumbsup:

Greetings,
Thunder

#13 spastank
  • Topic Starter
  • Members
  • 32 posts
  • Gender:Male
  • Location:South Africa

Posted 14 August 2008 - 05:53 PM

Sorry

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\DriveIcons]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\DriveIcons\c]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\DriveIcons\c\DefaultIcon]
@="%SystemRoot%\\system32\\shell32.dll,131"

#14 spastank
  • Topic Starter
  • Members
  • 32 posts
  • Gender:Male
  • Location:South Africa

Posted 14 August 2008 - 05:55 PM

Duplicate post removed by Thunder

Edited by Thunder, 15 August 2008 - 07:12 AM.


#15 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 15 August 2008 - 07:13 AM

Hello Spas,

Open Notepad and copy and paste the bold, blue text below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\DriveIcons]

Save this as fix.reg. Choose to save as "all files" and place it on your Desktop.
It should look like this: [image]
Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Greetings,
Thunder
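As an added example (not part of the thread, and not Thunder's or BleepingComputer's own tooling), the PowerShell below does the two steps from post #10 (export.bat) and post #15 (fix.reg) in one place: it lists any per-drive DefaultIcon/DefaultLabel overrides under the Explorer DriveIcons key, such as the shell32.dll,131 red "x" on drive C in the export above, and then deletes the key after writing a .reg backup. The function names and the backup path are my own choices.

```powershell
# Added example: audit and remove per-drive icon overrides under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons.
# Run from an elevated PowerShell prompt.

function Get-DriveIconOverride {
    # Lists every drive letter subkey and its DefaultIcon / DefaultLabel values.
    # A clean system has no DriveIcons key at all; legitimate utilities (USB drive
    # branding tools, for instance) also use it, so review before deleting.
    [CmdletBinding()]
    param()

    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons'
    if (-not (Test-Path -LiteralPath $base)) {
        Write-Verbose "$base does not exist, so no per-drive icon overrides are set."
        return
    }

    foreach ($drive in Get-ChildItem -LiteralPath $base) {
        $iconKey  = "$($drive.PSPath)\DefaultIcon"
        $labelKey = "$($drive.PSPath)\DefaultLabel"

        # The key's unnamed (default) value surfaces in PowerShell as the '(default)' property.
        $icon  = if (Test-Path -LiteralPath $iconKey)  { (Get-ItemProperty -LiteralPath $iconKey).'(default)' }
        $label = if (Test-Path -LiteralPath $labelKey) { (Get-ItemProperty -LiteralPath $labelKey).'(default)' }

        [pscustomobject]@{
            Drive        = $drive.PSChildName   # e.g. 'c' in the export posted above
            DefaultIcon  = $icon                # e.g. '%SystemRoot%\system32\shell32.dll,131' (the red "x")
            DefaultLabel = $label
        }
    }
}

function Remove-DriveIconOverride {
    # Same effect as merging the fix.reg above (the whole DriveIcons key is deleted),
    # but a .reg backup is exported first. Prompts for confirmation; -WhatIf previews.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Backup location is an assumption of this example, not something from the thread.
        [string]$BackupPath = (Join-Path $env:USERPROFILE 'Desktop\DriveIcons-backup.reg')
    )

    $base      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons'
    $nativeKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons'

    if (-not (Test-Path -LiteralPath $base)) {
        Write-Verbose 'DriveIcons key not present; nothing to remove.'
        return
    }

    if ($PSCmdlet.ShouldProcess($base, 'Export backup, then delete key')) {
        # reg.exe export is the scriptable equivalent of the regedit /e used in export.bat.
        & reg.exe export $nativeKey $BackupPath /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "Backup to $BackupPath failed (reg.exe exit code $LASTEXITCODE); key left untouched."
        }
        Remove-Item -LiteralPath $base -Recurse -Force
        Write-Verbose "Deleted $base. Backup written to $BackupPath. Log off and on so Explorer redraws the drive icons."
    }
}

# Audit first; remove only if the listed override is not one you configured on purpose.
Get-DriveIconOverride | Format-Table -AutoSize
# Remove-DriveIconOverride -WhatIf
```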
