TotalSecure 2009 download popups


  • This topic is locked
14 replies to this topic

#1 funky_beats06

funky_beats06

  • Members
  • 51 posts
  • OFFLINE
  • Local time:01:00 PM

Posted 05 November 2008 - 03:52 AM

Hi, I recently downloaded a keygen, ran it, and since then there have been these popups telling me to download totalsecure2009 antivirus, which I know is a rogue and have not downloaded. Since then, whenever I open any website, after opening 3-4 pages I get this popup. Again, when opening any folder I get a fake warning telling me to download totalsecure.
And whenever I search anything on Google, the first two results are fake, regarding some porn stuff.
I ran SUPERAntiSpyware and removed some entries, including a rogue.totalSecure2009.
After that, while opening folders I get a popup with no text and two buttons, "yes" and "no", so it's not fixed yet.
Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:20, on 2008-11-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\updater\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Faiz\LOCALS~1\Temp\ir_ext_temp_12\autorun.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\taskmgr.exe
D:\ad aware 07\aawservice.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Broadband Pacenet\Pacenet Dialer\PaceDial.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 202.165.102.205 972.aksjd11.com
O1 - Hosts: 202.165.102.205 w3og.cn
O1 - Hosts: 203.208.35.100 qazc.fourtw.cn
O1 - Hosts: 203.208.35.100 www.aujoy.cn
O1 - Hosts: 203.208.35.101 www.hao601.cn
O1 - Hosts: 203.208.35.101 www.psp476.cn
O1 - Hosts: 72.14.235.99 222.1212l112.net
O1 - Hosts: 72.14.235.99 444.1212l112.netn
O1 - Hosts: 72.14.235.99 555.1212l112.net
O1 - Hosts: 72.14.235.99 111.1212l112.net
O1 - Hosts: 65.55.21.250 111.3243l24.com
O1 - Hosts: 65.55.21.250 222.3243l24.com
O1 - Hosts: 65.55.21.250 333.3243l24.com
O1 - Hosts: 125.64.8.112 kao2.gmwo03.com
O1 - Hosts: 125.64.8.112 kao.gmwo06.com
O1 - Hosts: 125.64.8.112 444.gmwo07.com
O1 - Hosts: 116.252.185.15 ru.update365.us
O1 - Hosts: 116.252.185.15 ad.update365.us
O1 - Hosts: 207.46.232.182 popmails.net
O1 - Hosts: 203.208.37.99 3.goodhh.com
O1 - Hosts: 220.181.37.55 down.rwixr.com
O1 - Hosts: 160.79.42.52 www.xdj2008.com
O1 - Hosts: 63.175.76.152 www.revtr.cn
O1 - Hosts: 219.133.40.91 qq.ljsll.com
O1 - Hosts: 203.208.35.102 www.aassccwe.cn
O1 - Hosts: 209.132.177.50 973.aksjd11.com
O1 - Hosts: 209.132.177.50 974.aksjd11.com
O1 - Hosts: 209.132.177.50 971.aksjd11.com
O1 - Hosts: 209.132.177.50 975.aksjd11.com
O1 - Hosts: 72.14.235.104 user1.12-39.net
O1 - Hosts: 72.14.235.147 www.infomt.net
O1 - Hosts: 192.150.18.101 ata1.sysions.net
O1 - Hosts: 192.150.18.101 ata2.sysions.net
O1 - Hosts: 192.150.18.101 ata3.sysions.net
O1 - Hosts: 192.150.18.101 ata4.sysions.net
O1 - Hosts: 193.120.42.226 8nnnnn99.cn
O1 - Hosts: 24.39.54.34 www.haoaoao.cn
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: {06f8947b-7e4b-a379-a674-71f5310136d3} - {3d631013-5f17-476a-973a-b4e7b7498f60} - (no file)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: mnmhgsrv.dll - {7C8D1401-A58D-A81C-CD24-A5915C4517C7} - (no file)
O2 - BHO: ypcqghlp.dll - {80AF1289-F140-A140-D012-C1458759FC08} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: hdf453d.dll - {B629FF4F-ACDB-5C90-A098-FACB3456A26B} - (no file)
O2 - BHO: (no name) - {C15DDCB3-7D55-410B-9B49-5A3CF98B8845} - C:\WINDOWS\system32\browsel.dll (file missing)
O2 - BHO: JurToolbar - {DEE7B1F7-A014-477C-B0C5-23A51AA81DB5} - C:\WINDOWS\system32\hhahgxda.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\system32\updater\explorer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: Download all links with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186238036171
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: winaff32 - winaff32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\ad aware 07\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9862 bytes




Thanks, please help.


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:00 PM

Posted 05 November 2008 - 04:43 AM

Hi,

i recently downloaded a keygen, ran it and since then there have been these popups telling me to download totalsecure2009 antivirus, which i know is a rogue and have not downloaded it

It is totally normal that you get infected if you decide to use illegal software.
If you visit crack sites or use cracks/keygens, you'll ALWAYS get infected. This is not only because of the crack itself, but because one single click entering that site may already download and install a huge malware bundle.
You really have to change your surfing habits though, because these malware bundles may contain a keylogger, collecting all your passwords and installing other random malware, compromising your system, including infecting other computers. And all this because you visited some illegal sites.
Also, keep in mind, malware DAMAGES A LOT! And the damage can't always be repaired, so a format and reinstall is the only solution in such cases.
So is it really worth it? Get illegal software for "free", but compromise/break your computer instead.... :thumbsup:
Better to avoid this and change your surfing habits. Then this wouldn't have happened.

Don't forget to change your passwords afterwards, once we are done with this thread, because they are known. Don't change them now, because as long as the malware is still present, it will gather the changed passwords as well.

Then, please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 funky_beats06

funky_beats06
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:01:00 PM

Posted 05 November 2008 - 06:05 AM

Thanks for your fast reply and advice.
I'm sorry... no more crack sites or keygens now. The keygen didn't help me anyhow, but it has infected my PC. I promise not to surf crack sites in future.

Here's the ComboFix log:

ComboFix 08-11-04.02 - Faiz 2008-11-05 16:12:25.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.125 [GMT 5.5:30]
Running from: c:\documents and settings\Faiz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Faiz\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Faiz\Application Data\urlredir.cfg
c:\documents and settings\Faiz\Favorites\Cheap Pharmacy Online.url
c:\documents and settings\Faiz\Favorites\SMS TRAP.url
c:\documents and settings\Faiz\Start Menu\Cheap Pharmacy Online.url
c:\documents and settings\Faiz\Start Menu\SMS TRAP.url
c:\program files\Adssite Games Collection
c:\program files\Adssite Games Collection\BattlesOfHelicopters.exe
c:\program files\Adssite Games Collection\BobAndBill.exe
c:\program files\Adssite Games Collection\CrazyBlocks.exe
c:\program files\Adssite Games Collection\Lines.exe
c:\program files\Adssite Games Collection\uninstall.exe
c:\program files\Adssite Games Collection\VideoPool.exe
c:\windows\AppPatch\AclLayer.dll
c:\windows\AppPatch\AcSpecf.dll
c:\windows\AppPatch\AcXtrnel.bpl
c:\windows\k.txt
c:\windows\pskt.ini
c:\windows\rising663.exe
c:\windows\rising664.exe
c:\windows\rising894.exe
c:\windows\system32\ayvhmwbc.ini
c:\windows\system32\caotxbk.exe
c:\windows\system32\dmbpgbeh.ini
c:\windows\system32\drplawrj.ini
c:\windows\system32\ezcronk.exe
c:\windows\system32\fackwirk.exe
c:\windows\system32\fmlvqhwo.ini
c:\windows\system32\gajzalit.sys
c:\windows\system32\gnlvrnxm.ini
c:\windows\system32\gxxebimb.ini
c:\windows\system32\isdsasrv.exe
c:\windows\system32\ismhasrv.exe
c:\windows\system32\itodkkvf.ini
c:\windows\system32\joliomk.exe
c:\windows\system32\keyiftpk.exe
c:\windows\system32\lmdrjbcm.ini
c:\windows\system32\ltrhdarc.ini
c:\windows\system32\MSINET.oca
c:\windows\system32\mssetdk.exe
c:\windows\system32\myasemtk.exe
c:\windows\system32\ntqagcdj.ini
c:\windows\system32\onjzalit.exe
c:\windows\system32\ps.exe
c:\windows\system32\qblqvhbv.ini
c:\windows\system32\sfinmctm.ini
c:\windows\system32\simyaapi.exe
c:\windows\system32\smmhbsrv.sys
c:\windows\system32\spmybapi.sys
c:\windows\system32\sswyfdhu.ini
c:\windows\system32\wcnonpek.exe
c:\windows\system32\wktrmeew.ini
c:\windows\system32\zscqahlp.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.

2008-11-05 14:53 . 2008-11-05 14:55 3,659,204 --a------ C:\Ramchand-Pakistani-pDVD-IMTIYAZ-2.avi
2008-11-05 14:40 . 2008-10-16 09:09 24,220,384 --a------ C:\Ramchand-Pakistani-pDVD-IMTIYAZ-1.avi
2008-11-05 12:51 . 2008-11-05 12:51 69,632 --a------ c:\windows\system32\hhahgxda.dll
2008-11-02 23:15 . 2008-11-02 23:15 4,096 --a------ c:\windows\d3dx.dat
2008-11-02 23:14 . 2008-11-03 00:18 <DIR> d-------- c:\program files\Torque
2008-11-01 23:44 . 2008-11-01 23:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\YoYoGames
2008-11-01 21:58 . 2008-11-01 22:11 <DIR> d-------- c:\program files\Game_Maker7
2008-10-31 21:13 . 2008-11-01 22:14 <DIR> d-------- c:\program files\Dark Basic Software
2008-10-30 22:48 . 2008-11-01 22:14 70 --a------ c:\windows\dbinside.ini
2008-10-28 20:24 . 2008-10-28 20:24 0 --ah----- c:\windows\SwSys2.bmp
2008-10-28 20:24 . 2008-10-28 20:24 0 --ah----- c:\windows\SwSys1.bmp
2008-10-24 21:36 . 2008-10-24 21:36 <DIR> d-------- c:\program files\LimeWire
2008-10-24 21:35 . 2008-10-24 21:35 9 --a------ C:\boot.inf
2008-10-23 19:52 . 2008-10-23 20:17 75 --a------ C:\clock.html
2008-10-23 19:45 . 2008-10-25 22:24 4,919 --a------ C:\Clock.class
2008-10-23 19:45 . 2008-10-25 22:24 1,835 --a------ C:\Clock$ClockHand.class
2008-10-23 19:41 . 2008-10-25 22:24 7,199 --a------ C:\Clock.java
2008-10-17 21:27 . 2008-10-17 21:27 <DIR> d-------- C:\VundoFix Backups
2008-10-11 12:34 . 2008-10-11 12:34 65,101,824 --a------ C:\Sarfuu.mpg_New.mpg
2008-10-10 00:19 . 2008-10-10 00:19 <DIR> d-------- c:\documents and settings\Faiz\test
2008-10-10 00:19 . 2008-10-10 00:19 <DIR> d-------- c:\documents and settings\Faiz\classes
2008-10-07 19:30 . 2008-10-07 19:45 <DIR> d-------- c:\documents and settings\Faiz\Application Data\DVD Catalyst3
2008-10-07 19:15 . 2008-10-07 19:15 <DIR> d-------- c:\program files\Bluetooth File Sender
2008-10-05 20:43 . 2005-08-16 12:23 38,422 --a------ c:\windows\system32\drivers\StMp3Rec.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-02 19:08 --------- d-----w c:\documents and settings\Faiz\Application Data\uTorrent
2008-10-31 15:43 --------- d-----w c:\program files\SUPERAntiSpyware
2008-10-31 15:17 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-26 17:48 --------- d-----w c:\program files\NetBeans 6.1
2008-10-25 14:53 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 16:03 --------- d-----w c:\documents and settings\Faiz\Application Data\LimeWire
2008-10-15 18:19 2,864 ----a-w c:\windows\system32\winsock.dll
2008-10-12 16:28 --------- d-----w c:\documents and settings\Faiz\Application Data\dvdcss
2008-10-09 18:40 --------- d-----w c:\program files\Java
2008-10-05 15:13 --------- d-----w c:\program files\Creative
2008-10-05 15:09 --------- d-----w c:\program files\Yacc Yet Another CSO Compressor
2008-10-03 18:04 --------- d-----w c:\documents and settings\Faiz\Application Data\Audacity
2008-09-30 19:28 --------- d-----w c:\documents and settings\Faiz\Application Data\Subversion
2008-09-30 19:27 --------- d-----w c:\program files\Subversion
2008-09-30 18:18 --------- d-----w c:\program files\Cygwin
2008-09-29 10:00 --------- d-----w c:\program files\PMFplay H.264 Decoder
2008-09-25 07:56 --------- d-----w c:\documents and settings\Faiz\Application Data\Creative
2008-09-25 06:56 --------- d-----w c:\documents and settings\All Users\Application Data\Creative
2008-09-24 14:24 --------- d--h--w c:\program files\Creative Installation Information
2008-09-24 14:10 --------- d-----w c:\program files\Common Files\Creative
2008-09-24 11:35 --------- d-----w c:\program files\EvilLyrics
2008-09-24 11:29 --------- d-----w c:\program files\MIKSOFT
2008-09-21 15:42 2,288,128 ----a-w c:\windows\system32\TUKernel.exe
2008-09-21 11:15 --------- d-----w c:\program files\Winamp
2008-09-21 11:11 --------- d-----w c:\program files\Audacity
2008-09-20 17:15 --------- d-----w c:\program files\Stardock
2008-09-20 17:15 --------- d-----w c:\program files\Common Files\Stardock
2008-09-19 16:47 --------- d-----w c:\documents and settings\Faiz\Application Data\DMCache
2008-09-18 12:25 359,040 ----a-w c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2008-09-18 10:39 --------- d-----w c:\program files\FDRLab
2008-09-18 06:18 --------- d-----w c:\program files\Cavaj Java Decompiler
2008-09-14 09:47 --------- d-----w c:\program files\Audacity 1.3 Beta (Unicode)
2008-09-12 13:01 --------- d-----w c:\documents and settings\Faiz\Application Data\Broadband
2008-04-25 14:18 32,936 ----a-w c:\documents and settings\Faiz\Application Data\GDIPFONTCACHEV1.DAT
2007-10-17 05:50 3,346,944 ----a-w c:\program files\VersionTrackerProWindows40cn0074.msi
2007-09-30 20:18 5,970,944 ----a-w c:\documents and settings\Faiz\irfanview_plugins_400_setup.exe
2004-08-08 06:07 16,984 --sh--w c:\windows\system32\fdtxaiua.exe
2007-11-08 14:35 155,760 --sha-w c:\windows\system32\fiber.exe
2004-08-08 06:07 2,080 --sh--w c:\windows\system32\ictxaiua.sys
2007-11-08 14:35 958,464 --sha-w c:\windows\system32\imapd.exe
2007-11-08 14:35 41,472 --sha-w c:\windows\system32\imapdb.dll
2007-11-08 14:35 24,576 --sha-w c:\windows\system32\imapdb.exe
2007-11-08 14:35 438,272 --sha-w c:\windows\system32\imapdc.dll
2007-11-08 14:35 36,352 --sha-w c:\windows\system32\imapdd.dll
2007-11-08 14:35 99,840 --sha-w c:\windows\system32\imapde.dll
2004-08-08 07:52 520 --sh--w c:\windows\system32\smdsbsrv.sys
2004-08-08 14:53 1,560 --sh--w c:\windows\system32\xscqbhlp.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEE7B1F7-A014-477C-B0C5-23A51AA81DB5}]
2008-11-05 12:51 69632 --a------ c:\windows\system32\hhahgxda.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-06 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Updater"="c:\windows\system32\updater\explorer.exe" [2007-11-24 1478612]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\WINDOWS\\system32\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-10-29 13:09 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.NUB2"= NuB2.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2007-12-04 18:30 79224 c:\progra~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-01-13 09:47 163840 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-01-13 09:47 131072 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 01:06 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SifyBB]
--a------ 2006-04-21 20:04 127085 c:\program files\Sify Broadband\BBImpSec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-10-29 13:09 1576176 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-27 23:11 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-06 00:16 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-07 14:08 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2005-01-07 17:07 61952 c:\windows\system32\HdAShCut.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"Persistence"=c:\windows\system32\igfxpers.exe
"googletalk"=c:\program files\Google\Google Talk\googletalk.exe /autostart
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe"
"CTCheck"=f:\zen media explorer\CTCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"e:\\Counter Strike\\czero.exe"=
"e:\\Counter Strike\\hltv.exe"=
"e:\\Counter Strike\\hlds.exe"=
"d:\\onceuponatime\\DC++\\DCPlusPlus.exe"=
"d:\\onceuponatime\\Network Assistant\\Nassi.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"f:\\games\\MIDTOWN MADNESS\\midtown.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Faiz\\Desktop\\exe files\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Java\\jdk1.5.0_16\\jre\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"50069:TCP"= 50069:TCP:utorrent

R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2004-08-04 14336]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\DRIVERS\RMSPPPOE.SYS [2002-10-03 31504]
S0 hvutipgr;hvutipgr;c:\windows\system32\drivers\obrtbipa.dat [ ]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\DRIVERS\libusb0.sys [2007-05-11 29184]
S3 SetupNTGLM7X;SetupNTGLM7X;G:\NTGLM7X.sys [ ]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-02-15 306432]
S3 z530bus;Sony Ericsson Z530 Driver driver (WDM);c:\windows\system32\DRIVERS\z530bus.sys [2007-10-30 58288]
S3 z530mdfl;Sony Ericsson Z530 USB WMC Modem Filter;c:\windows\system32\DRIVERS\z530mdfl.sys [2007-10-30 8336]
S3 z530mdm;Sony Ericsson Z530 USB WMC Modem Driver;c:\windows\system32\DRIVERS\z530mdm.sys [2007-10-30 94064]
S3 z530mgmt;Sony Ericsson Z530 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\z530mgmt.sys [2007-10-30 85408]
S3 z530obex;Sony Ericsson Z530 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\z530obex.sys [2007-10-30 83344]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3442834a-6860-11dd-a0fd-00804840618b}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4ffd892a-cf38-11dc-9edf-00804840618b}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6481d5aa-40fd-11dc-9cd8-00804840618b}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
.
Contents of the 'Scheduled Tasks' folder

2008-09-19 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 15:17]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3d631013-5f17-476a-973a-b4e7b7498f60} - (no file)
BHO-{C15DDCB3-7D55-410B-9B49-5A3CF98B8845} - c:\windows\system32\browsel.dll
Notify-winaff32 - winaff32.dll
MSConfigStartUp-L08AXLRD_722546 - e:\encarta\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE
MSConfigStartUp-RTHDCPL - RTHDCPL.EXE


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: Download all links with IDM - c:\documents and settings\Faiz\Desktop\Exe Files\IEGetAll.htm
O8 -: Download FLV video content with IDM - c:\documents and settings\Faiz\Desktop\Exe Files\IEGetVL.htm
O8 -: Download with IDM - c:\documents and settings\Faiz\Desktop\Exe Files\IEExt.htm
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
c:\windows\Downloaded Program Files\YYGInstantPlay.inf
c:\windows\Downloaded Program Files\YYGInstantPlay.ocx
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 16:15:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hvutipgr]
"ImagePath"="system32\drivers\obrtbipa.dat"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\docume~1\Faiz\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
d:\ad aware 07\aawservice.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
c:\windows\system32\oodag.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-11-05 16:17:54 - machine was rebooted [Faiz]
ComboFix-quarantined-files.txt 2008-11-05 10:47:50

Pre-Run: 4,861,435,904 bytes free
Post-Run: 4,943,081,472 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /TUTag=9PLHMX /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=9PLHMX-BAK

328



Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:32:46 PM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Faiz\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\ad aware 07\aawservice.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Broadband Pacenet\Pacenet Dialer\PaceDial.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\java.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: JurToolbar - {DEE7B1F7-A014-477C-B0C5-23A51AA81DB5} - C:\WINDOWS\system32\hhahgxda.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\system32\updater\explorer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: Download all links with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186238036171
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O17 - HKLM\System\CS2\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\ad aware 07\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7892 bytes


Please help me.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:00 PM

Posted 05 November 2008 - 06:21 AM

Hi,

It looks like it isn't the first time you got infected. Actually, you should have learned your lesson already, because the previous infections also came with illegal software/cracks/keygens. Not sure why you still proceeded with this behavior afterwards, even though you know it is and stays a risk. One thing is for sure: your passwords are known, because one of the infections you dealt with previously collected them.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\Windows\system32\drivers\obrtbipa.dat
c:\windows\system32\hhahgxda.dll
c:\windows\system32\updater\explorer.exe
c:\windows\system32\fdtxaiua.exe
c:\windows\system32\ictxaiua.sys
c:\windows\SwSys2.bmp
c:\windows\SwSys1.bmp
Folder::
C:\VundoFix Backups
Driver::
hvutipgr
Dirlook::
c:\windows\system32\updater
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEE7B1F7-A014-477C-B0C5-23A51AA81DB5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3442834a-6860-11dd-a0fd-00804840618b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4ffd892a-cf38-11dc-9edf-00804840618b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6481d5aa-40fd-11dc-9cd8-00804840618b}]


Save this as a txt file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
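One check worth doing once a CFScript has run is confirming that every entry it targeted is actually gone from the new HijackThis/ComboFix logs. The script below is an added example, not ComboFix or HijackThis code and not part of the post: it parses the CFScript sections (File::, Folder::, Driver::, Registry::) into search patterns and reports which targets still appear in a log. The CFScript and log excerpts are constructed from lines quoted in this thread.

```python
"""Check whether the entries a ComboFix CFScript targets still appear in a
later HijackThis or ComboFix log. Added example, not ComboFix or HijackThis
code: it only does plain text matching over log lines."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the CFScript posted in this thread (not the full script).
CFSCRIPT = r"""File::
C:\Windows\system32\drivers\obrtbipa.dat
c:\windows\system32\hhahgxda.dll
c:\windows\system32\updater\explorer.exe
Driver::
hvutipgr
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEE7B1F7-A014-477C-B0C5-23A51AA81DB5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"=-
"""

# Constructed log excerpts, assembled from lines quoted in the logs in this thread.
LOG_BEFORE = r"""O2 - BHO: JurToolbar - {DEE7B1F7-A014-477C-B0C5-23A51AA81DB5} - C:\WINDOWS\system32\hhahgxda.dll
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\system32\updater\explorer.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hvutipgr]
"ImagePath"="system32\drivers\obrtbipa.dat"
"""
LOG_AFTER = r"""O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
"""

SECTION_RE = re.compile(r"^(\w+)::$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'Name::' sections; each maps to its lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def indicators(sections: Dict[str, List[str]]) -> List[Tuple[str, re.Pattern]]:
    """Turn script entries into (label, regex) pairs to look for in a log."""
    pats: List[Tuple[str, re.Pattern]] = []
    for path in sections.get("File", []) + sections.get("Folder", []):
        # Match on "parentdir\name" rather than the full path: ComboFix prints
        # ImagePath values relative to the Windows directory, while the bare
        # file name would confuse system32\updater\explorer.exe with the real
        # explorer.exe. 8.3 short names (c:\progra~1\...) are not handled.
        tail = "\\".join(path.lower().split("\\")[-2:])
        pats.append((path, re.compile(re.escape(tail), re.I)))
    for drv in sections.get("Driver", []):
        pats.append((drv, re.compile(r"\b" + re.escape(drv) + r"\b", re.I)))
    for line in sections.get("Registry", []):
        if line.startswith("[-"):  # whole-key deletion: use its CLSID, else its leaf
            key = line[2:].rstrip("]")
            m = GUID_RE.search(key)
            token = m.group(0) if m else key.rsplit("\\", 1)[-1]
            pats.append((line, re.compile(re.escape(token), re.I)))
        elif line.endswith("=-"):  # value deletion: HJT shows [Name], ComboFix "Name"
            name = line[:-2].strip('"')
            pats.append((line, re.compile(r'[\["]' + re.escape(name) + r'[\]"]', re.I)))
    return pats


def remaining_hits(script: str, log: str) -> List[Tuple[str, str]]:
    """Return (script entry, log line) pairs for every target still present."""
    pats = indicators(parse_cfscript(script))
    hits: List[Tuple[str, str]] = []
    for line in log.splitlines():
        for label, pat in pats:
            if pat.search(line):
                hits.append((label, line.strip()))
    return hits


if __name__ == "__main__":
    for name, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        hits = remaining_hits(CFSCRIPT, log)
        print(f"{name}: {len(hits)} target(s) still present")
        for label, line in hits:
            print(f"  {label!r} -> {line}")
```

Run it against the full before/after logs to get a list of anything the script was supposed to remove but did not; an empty list for the new log is the result you want to see.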

#5 funky_beats06

funky_beats06
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:01:00 PM

Posted 05 November 2008 - 06:53 AM

I did as you said. I think that my PC is now fine, no more popups till now :) Thanks. Here are the log files.
ComboFix log:

ComboFix 08-11-04.02 - Faiz 2008-11-05 17:10:27.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.162 [GMT 5.5:30]
Running from: c:\documents and settings\Faiz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Faiz\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
c:\windows\k.txt
c:\windows\temp\wmsetup.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HVUTIPGR
-------\Service_hvutipgr


((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.

2008-11-05 17:03 . 2008-11-05 17:03 19,663 --a------ C:\FileFind.zip
2008-11-05 14:53 . 2008-11-05 14:55 3,659,204 --a------ C:\Ramchand-Pakistani-pDVD-IMTIYAZ-2.avi
2008-11-05 14:40 . 2008-10-16 09:09 24,220,384 --a------ C:\Ramchand-Pakistani-pDVD-IMTIYAZ-1.avi
2008-11-05 12:51 . 2008-11-05 12:51 69,632 --a------ c:\windows\system32\hhahgxda.dll
2008-11-02 23:15 . 2008-11-02 23:15 4,096 --a------ c:\windows\d3dx.dat
2008-11-02 23:14 . 2008-11-03 00:18 <DIR> d-------- c:\program files\Torque
2008-11-01 23:44 . 2008-11-01 23:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\YoYoGames
2008-11-01 21:58 . 2008-11-01 22:11 <DIR> d-------- c:\program files\Game_Maker7
2008-10-31 21:13 . 2008-11-01 22:14 <DIR> d-------- c:\program files\Dark Basic Software
2008-10-30 22:48 . 2008-11-01 22:14 70 --a------ c:\windows\dbinside.ini
2008-10-28 20:24 . 2008-10-28 20:24 0 --ah----- c:\windows\SwSys2.bmp
2008-10-28 20:24 . 2008-10-28 20:24 0 --ah----- c:\windows\SwSys1.bmp
2008-10-24 21:36 . 2008-10-24 21:36 <DIR> d-------- c:\program files\LimeWire
2008-10-24 21:35 . 2008-10-24 21:35 9 --a------ C:\boot.inf
2008-10-23 19:52 . 2008-10-23 20:17 75 --a------ C:\clock.html
2008-10-23 19:45 . 2008-10-25 22:24 4,919 --a------ C:\Clock.class
2008-10-23 19:45 . 2008-10-25 22:24 1,835 --a------ C:\Clock$ClockHand.class
2008-10-23 19:41 . 2008-10-25 22:24 7,199 --a------ C:\Clock.java
2008-10-11 12:34 . 2008-10-11 12:34 65,101,824 --a------ C:\Sarfuu.mpg_New.mpg
2008-10-10 00:19 . 2008-10-10 00:19 <DIR> d-------- c:\documents and settings\Faiz\test
2008-10-10 00:19 . 2008-10-10 00:19 <DIR> d-------- c:\documents and settings\Faiz\classes
2008-10-07 19:30 . 2008-10-07 19:45 <DIR> d-------- c:\documents and settings\Faiz\Application Data\DVD Catalyst3
2008-10-07 19:15 . 2008-10-07 19:15 <DIR> d-------- c:\program files\Bluetooth File Sender
2008-10-05 20:43 . 2005-08-16 12:23 38,422 --a------ c:\windows\system32\drivers\StMp3Rec.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-02 19:08 --------- d-----w c:\documents and settings\Faiz\Application Data\uTorrent
2008-10-31 15:43 --------- d-----w c:\program files\SUPERAntiSpyware
2008-10-31 15:17 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-26 17:48 --------- d-----w c:\program files\NetBeans 6.1
2008-10-25 14:53 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 16:03 --------- d-----w c:\documents and settings\Faiz\Application Data\LimeWire
2008-10-12 16:28 --------- d-----w c:\documents and settings\Faiz\Application Data\dvdcss
2008-10-09 18:40 --------- d-----w c:\program files\Java
2008-10-05 15:13 --------- d-----w c:\program files\Creative
2008-10-05 15:09 --------- d-----w c:\program files\Yacc Yet Another CSO Compressor
2008-10-03 18:04 --------- d-----w c:\documents and settings\Faiz\Application Data\Audacity
2008-09-30 19:28 --------- d-----w c:\documents and settings\Faiz\Application Data\Subversion
2008-09-30 19:27 --------- d-----w c:\program files\Subversion
2008-09-30 18:18 --------- d-----w c:\program files\Cygwin
2008-09-29 10:00 --------- d-----w c:\program files\PMFplay H.264 Decoder
2008-09-25 07:56 --------- d-----w c:\documents and settings\Faiz\Application Data\Creative
2008-09-25 06:56 --------- d-----w c:\documents and settings\All Users\Application Data\Creative
2008-09-24 14:24 --------- d--h--w c:\program files\Creative Installation Information
2008-09-24 14:10 --------- d-----w c:\program files\Common Files\Creative
2008-09-24 11:35 --------- d-----w c:\program files\EvilLyrics
2008-09-24 11:29 --------- d-----w c:\program files\MIKSOFT
2008-09-21 11:15 --------- d-----w c:\program files\Winamp
2008-09-21 11:11 --------- d-----w c:\program files\Audacity
2008-09-20 17:15 --------- d-----w c:\program files\Stardock
2008-09-20 17:15 --------- d-----w c:\program files\Common Files\Stardock
2008-09-19 16:47 --------- d-----w c:\documents and settings\Faiz\Application Data\DMCache
2008-09-18 12:25 359,040 ----a-w c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2008-09-18 10:39 --------- d-----w c:\program files\FDRLab
2008-09-18 06:18 --------- d-----w c:\program files\Cavaj Java Decompiler
2008-09-14 09:47 --------- d-----w c:\program files\Audacity 1.3 Beta (Unicode)
2008-09-12 13:01 --------- d-----w c:\documents and settings\Faiz\Application Data\Broadband
2008-04-25 14:18 32,936 ----a-w c:\documents and settings\Faiz\Application Data\GDIPFONTCACHEV1.DAT
2007-10-17 05:50 3,346,944 ----a-w c:\program files\VersionTrackerProWindows40cn0074.msi
2007-09-30 20:18 5,970,944 ----a-w c:\documents and settings\Faiz\irfanview_plugins_400_setup.exe
2004-08-08 06:07 16,984 --sh--w c:\windows\system32\fdtxaiua.exe
2007-11-08 14:35 155,760 --sha-w c:\windows\system32\fiber.exe
2004-08-08 06:07 2,080 --sh--w c:\windows\system32\ictxaiua.sys
2007-11-08 14:35 958,464 --sha-w c:\windows\system32\imapd.exe
2007-11-08 14:35 41,472 --sha-w c:\windows\system32\imapdb.dll
2007-11-08 14:35 24,576 --sha-w c:\windows\system32\imapdb.exe
2007-11-08 14:35 438,272 --sha-w c:\windows\system32\imapdc.dll
2007-11-08 14:35 36,352 --sha-w c:\windows\system32\imapdd.dll
2007-11-08 14:35 99,840 --sha-w c:\windows\system32\imapde.dll
2004-08-08 07:52 520 --sh--w c:\windows\system32\smdsbsrv.sys
2004-08-08 14:53 1,560 --sh--w c:\windows\system32\xscqbhlp.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\system32\updater ----

2007-11-24 14:08 1478612 --------- c:\windows\system32\updater\explorer.exe


((((((((((((((((((((((((((((( snapshot@2008-11-05_16.17.30.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-05 11:43:23 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_538.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-06 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\WINDOWS\\system32\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-10-29 13:09 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.NUB2"= NuB2.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2007-12-04 18:30 79224 c:\progra~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-01-13 09:47 163840 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-01-13 09:47 131072 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 01:06 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SifyBB]
--a------ 2006-04-21 20:04 127085 c:\program files\Sify Broadband\BBImpSec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-10-29 13:09 1576176 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-27 23:11 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-06 00:16 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-07 14:08 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2005-01-07 17:07 61952 c:\windows\system32\HdAShCut.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"Persistence"=c:\windows\system32\igfxpers.exe
"googletalk"=c:\program files\Google\Google Talk\googletalk.exe /autostart
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe"
"CTCheck"=f:\zen media explorer\CTCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"e:\\Counter Strike\\czero.exe"=
"e:\\Counter Strike\\hltv.exe"=
"e:\\Counter Strike\\hlds.exe"=
"d:\\onceuponatime\\DC++\\DCPlusPlus.exe"=
"d:\\onceuponatime\\Network Assistant\\Nassi.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"f:\\games\\MIDTOWN MADNESS\\midtown.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Faiz\\Desktop\\exe files\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Java\\jdk1.5.0_16\\jre\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"50069:TCP"= 50069:TCP:utorrent

R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2004-08-04 14336]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\DRIVERS\RMSPPPOE.SYS [2002-10-03 31504]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\DRIVERS\libusb0.sys [2007-05-11 29184]
S3 SetupNTGLM7X;SetupNTGLM7X;G:\NTGLM7X.sys [ ]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-02-15 306432]
S3 z530bus;Sony Ericsson Z530 Driver driver (WDM);c:\windows\system32\DRIVERS\z530bus.sys [2007-10-30 58288]
S3 z530mdfl;Sony Ericsson Z530 USB WMC Modem Filter;c:\windows\system32\DRIVERS\z530mdfl.sys [2007-10-30 8336]
S3 z530mdm;Sony Ericsson Z530 USB WMC Modem Driver;c:\windows\system32\DRIVERS\z530mdm.sys [2007-10-30 94064]
S3 z530mgmt;Sony Ericsson Z530 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\z530mgmt.sys [2007-10-30 85408]
S3 z530obex;Sony Ericsson Z530 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\z530obex.sys [2007-10-30 83344]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2008-09-19 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 15:17]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 17:13:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
d:\ad aware 07\aawservice.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
c:\windows\system32\oodag.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-05 17:16:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-05 11:46:05
ComboFix2.txt 2008-11-05 10:47:56

Pre-Run: 4,922,306,560 bytes free
Post-Run: 4,919,066,624 bytes free

243


HJT log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:19:50 PM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\ad aware 07\aawservice.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Broadband Pacenet\Pacenet Dialer\PaceDial.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: Download all links with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186238036171
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O17 - HKLM\System\CS2\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\ad aware 07\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7653 bytes

#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 05 November 2008 - 07:01 AM

Hi,

It looks like you forgot to copy and paste the File:: part on top in the script, so we'll have to do this again.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\Windows\system32\drivers\obrtbipa.dat
c:\windows\system32\hhahgxda.dll
c:\windows\system32\fdtxaiua.exe
c:\windows\system32\ictxaiua.sys
c:\windows\system32\smdsbsrv.sys
c:\windows\system32\xscqbhlp.sys
c:\windows\SwSys2.bmp
c:\windows\SwSys1.bmp
Folder::
c:\windows\system32\updater


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 funky_beats06

  • Topic Starter
  • Members
  • 51 posts

Posted 05 November 2008 - 07:09 AM

OK, here's the new ComboFix log:

ComboFix 08-11-04.02 - Faiz 2008-11-05 17:35:53.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.154 [GMT 5.5:30]
Running from: c:\documents and settings\Faiz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Faiz\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\SwSys1.bmp
c:\windows\SwSys2.bmp
c:\windows\system32\drivers\obrtbipa.dat
c:\windows\system32\fdtxaiua.exe
c:\windows\system32\hhahgxda.dll
c:\windows\system32\ictxaiua.sys
c:\windows\system32\smdsbsrv.sys
c:\windows\system32\xscqbhlp.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SwSys1.bmp
c:\windows\SwSys2.bmp
c:\windows\system32\fdtxaiua.exe
c:\windows\system32\hhahgxda.dll
c:\windows\system32\ictxaiua.sys
c:\windows\system32\smdsbsrv.sys
c:\windows\system32\updater
c:\windows\system32\updater\explorer.exe
c:\windows\system32\xscqbhlp.sys
c:\windows\temp\wmsetup.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.

2008-11-05 17:03 . 2008-11-05 17:03 19,663 --a------ C:\FileFind.zip
2008-11-05 14:53 . 2008-11-05 14:55 3,659,204 --a------ C:\Ramchand-Pakistani-pDVD-IMTIYAZ-2.avi
2008-11-05 14:40 . 2008-10-16 09:09 24,220,384 --a------ C:\Ramchand-Pakistani-pDVD-IMTIYAZ-1.avi
2008-11-02 23:15 . 2008-11-02 23:15 4,096 --a------ c:\windows\d3dx.dat
2008-11-02 23:14 . 2008-11-03 00:18 <DIR> d-------- c:\program files\Torque
2008-11-01 23:44 . 2008-11-01 23:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\YoYoGames
2008-11-01 21:58 . 2008-11-01 22:11 <DIR> d-------- c:\program files\Game_Maker7
2008-10-31 21:13 . 2008-11-01 22:14 <DIR> d-------- c:\program files\Dark Basic Software
2008-10-30 22:48 . 2008-11-01 22:14 70 --a------ c:\windows\dbinside.ini
2008-10-24 21:36 . 2008-10-24 21:36 <DIR> d-------- c:\program files\LimeWire
2008-10-24 21:35 . 2008-10-24 21:35 9 --a------ C:\boot.inf
2008-10-23 19:52 . 2008-10-23 20:17 75 --a------ C:\clock.html
2008-10-23 19:45 . 2008-10-25 22:24 4,919 --a------ C:\Clock.class
2008-10-23 19:45 . 2008-10-25 22:24 1,835 --a------ C:\Clock$ClockHand.class
2008-10-23 19:41 . 2008-10-25 22:24 7,199 --a------ C:\Clock.java
2008-10-11 12:34 . 2008-10-11 12:34 65,101,824 --a------ C:\Sarfuu.mpg_New.mpg
2008-10-10 00:19 . 2008-10-10 00:19 <DIR> d-------- c:\documents and settings\Faiz\test
2008-10-10 00:19 . 2008-10-10 00:19 <DIR> d-------- c:\documents and settings\Faiz\classes
2008-10-07 19:30 . 2008-10-07 19:45 <DIR> d-------- c:\documents and settings\Faiz\Application Data\DVD Catalyst3
2008-10-07 19:15 . 2008-10-07 19:15 <DIR> d-------- c:\program files\Bluetooth File Sender
2008-10-05 20:43 . 2005-08-16 12:23 38,422 --a------ c:\windows\system32\drivers\StMp3Rec.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-02 19:08 --------- d-----w c:\documents and settings\Faiz\Application Data\uTorrent
2008-10-31 15:43 --------- d-----w c:\program files\SUPERAntiSpyware
2008-10-31 15:17 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-26 17:48 --------- d-----w c:\program files\NetBeans 6.1
2008-10-25 14:53 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 16:03 --------- d-----w c:\documents and settings\Faiz\Application Data\LimeWire
2008-10-15 18:19 2,864 ----a-w c:\windows\system32\winsock.dll
2008-10-12 16:28 --------- d-----w c:\documents and settings\Faiz\Application Data\dvdcss
2008-10-09 18:40 --------- d-----w c:\program files\Java
2008-10-05 15:13 --------- d-----w c:\program files\Creative
2008-10-05 15:09 --------- d-----w c:\program files\Yacc Yet Another CSO Compressor
2008-10-03 18:04 --------- d-----w c:\documents and settings\Faiz\Application Data\Audacity
2008-09-30 19:28 --------- d-----w c:\documents and settings\Faiz\Application Data\Subversion
2008-09-30 19:27 --------- d-----w c:\program files\Subversion
2008-09-30 18:18 --------- d-----w c:\program files\Cygwin
2008-09-29 10:00 --------- d-----w c:\program files\PMFplay H.264 Decoder
2008-09-25 07:56 --------- d-----w c:\documents and settings\Faiz\Application Data\Creative
2008-09-25 06:56 --------- d-----w c:\documents and settings\All Users\Application Data\Creative
2008-09-24 14:24 --------- d--h--w c:\program files\Creative Installation Information
2008-09-24 14:10 --------- d-----w c:\program files\Common Files\Creative
2008-09-24 11:35 --------- d-----w c:\program files\EvilLyrics
2008-09-24 11:29 --------- d-----w c:\program files\MIKSOFT
2008-09-21 15:42 2,288,128 ----a-w c:\windows\system32\TUKernel.exe
2008-09-21 11:15 --------- d-----w c:\program files\Winamp
2008-09-21 11:11 --------- d-----w c:\program files\Audacity
2008-09-20 17:15 --------- d-----w c:\program files\Stardock
2008-09-20 17:15 --------- d-----w c:\program files\Common Files\Stardock
2008-09-19 16:47 --------- d-----w c:\documents and settings\Faiz\Application Data\DMCache
2008-09-18 12:25 359,040 ----a-w c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2008-09-18 10:39 --------- d-----w c:\program files\FDRLab
2008-09-18 06:18 --------- d-----w c:\program files\Cavaj Java Decompiler
2008-09-14 09:47 --------- d-----w c:\program files\Audacity 1.3 Beta (Unicode)
2008-09-12 13:01 --------- d-----w c:\documents and settings\Faiz\Application Data\Broadband
2008-04-25 14:18 32,936 ----a-w c:\documents and settings\Faiz\Application Data\GDIPFONTCACHEV1.DAT
2007-10-17 05:50 3,346,944 ----a-w c:\program files\VersionTrackerProWindows40cn0074.msi
2007-09-30 20:18 5,970,944 ----a-w c:\documents and settings\Faiz\irfanview_plugins_400_setup.exe
2007-11-08 14:35 155,760 --sha-w c:\windows\system32\fiber.exe
2007-11-08 14:35 958,464 --sha-w c:\windows\system32\imapd.exe
2007-11-08 14:35 41,472 --sha-w c:\windows\system32\imapdb.dll
2007-11-08 14:35 24,576 --sha-w c:\windows\system32\imapdb.exe
2007-11-08 14:35 438,272 --sha-w c:\windows\system32\imapdc.dll
2007-11-08 14:35 36,352 --sha-w c:\windows\system32\imapdd.dll
2007-11-08 14:35 99,840 --sha-w c:\windows\system32\imapde.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-05_16.17.30.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-05 11:43:23 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_538.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-06 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\WINDOWS\\system32\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-10-29 13:09 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.NUB2"= NuB2.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2007-12-04 18:30 79224 c:\progra~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-01-13 09:47 163840 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-01-13 09:47 131072 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 01:06 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SifyBB]
--a------ 2006-04-21 20:04 127085 c:\program files\Sify Broadband\BBImpSec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-10-29 13:09 1576176 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-27 23:11 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-06 00:16 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-07 14:08 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2005-01-07 17:07 61952 c:\windows\system32\HdAShCut.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"Persistence"=c:\windows\system32\igfxpers.exe
"googletalk"=c:\program files\Google\Google Talk\googletalk.exe /autostart
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe"
"CTCheck"=f:\zen media explorer\CTCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"e:\\Counter Strike\\czero.exe"=
"e:\\Counter Strike\\hltv.exe"=
"e:\\Counter Strike\\hlds.exe"=
"d:\\onceuponatime\\DC++\\DCPlusPlus.exe"=
"d:\\onceuponatime\\Network Assistant\\Nassi.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"f:\\games\\MIDTOWN MADNESS\\midtown.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Faiz\\Desktop\\exe files\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Java\\jdk1.5.0_16\\jre\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"50069:TCP"= 50069:TCP:utorrent

R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2004-08-04 14336]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\DRIVERS\RMSPPPOE.SYS [2002-10-03 31504]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\DRIVERS\libusb0.sys [2007-05-11 29184]
S3 SetupNTGLM7X;SetupNTGLM7X;G:\NTGLM7X.sys [ ]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-02-15 306432]
S3 z530bus;Sony Ericsson Z530 Driver driver (WDM);c:\windows\system32\DRIVERS\z530bus.sys [2007-10-30 58288]
S3 z530mdfl;Sony Ericsson Z530 USB WMC Modem Filter;c:\windows\system32\DRIVERS\z530mdfl.sys [2007-10-30 8336]
S3 z530mdm;Sony Ericsson Z530 USB WMC Modem Driver;c:\windows\system32\DRIVERS\z530mdm.sys [2007-10-30 94064]
S3 z530mgmt;Sony Ericsson Z530 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\z530mgmt.sys [2007-10-30 85408]
S3 z530obex;Sony Ericsson Z530 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\z530obex.sys [2007-10-30 83344]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-09-19 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 15:17]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 17:37:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-05 17:37:39
ComboFix-quarantined-files.txt 2008-11-05 12:07:36
ComboFix2.txt 2008-11-05 11:46:10
ComboFix3.txt 2008-11-05 10:47:56

Pre-Run: 4,877,934,592 bytes free
Post-Run: 4,882,685,952 bytes free

231


The HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:39:36 PM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\ad aware 07\aawservice.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Broadband Pacenet\Pacenet Dialer\PaceDial.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: Download all links with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186238036171
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O17 - HKLM\System\CS2\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\ad aware 07\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7587 bytes


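A triage helper for the logs in this thread, added here as an example; it is not part of the thread and not code from HijackThis or ComboFix. Two things stand out when reading the posts above: the HJT log in this reply lists exactly the same R/O entries as the one posted before the CFScript ran, even though ComboFix deleted several .sys and .exe files, so HJT's entry categories alone would not have shown that anything changed; and the ComboFix Find3M report lists a group of files in system32 dated 2007-11-08 with the system and hidden attributes set (the --sha-w column), which Explorer hides by default and which deserve a signature check before being assumed either benign or malicious. The script parses HJT entry lines, applies a few review heuristics (orphaned "(no file)" entries, O4 autoruns whose command is a bare filename resolved by PATH search, O16 ActiveX downloads, O17 name servers, O20 Winlogon DLLs, O23 services with no company name), diffs two logs of the same machine, and pulls hidden+system files out of ComboFix output. The heuristics are this example's own, the sample text is constructed in the shape of the logs above, and the file-line regex is an assumption about ComboFix's layout taken from the lines posted here.

```python
"""Triage helpers for HijackThis and ComboFix logs (added example, not
code from the thread, HijackThis or ComboFix). Sample text below is
constructed in the shape of the logs posted in the thread; the review
heuristics and the ComboFix line regex are this example's assumptions."""
import re
from typing import List, Set, Tuple

Entry = Tuple[str, str]  # (section such as "O4", rest of the line)

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.+)$")
# Tail of a ComboFix file line: size (or dashes), attribute field, absolute
# path. "<DIR>" lines in the Files Created section are deliberately skipped.
CF_FILE_RE = re.compile(
    r"(\d[\d,]*|-{5,})\s+(?P<attr>[-a-z]{7,9})\s+(?P<path>[A-Za-z]:\\.+)$")

SAMPLE_HJT = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: mental ray 3.6 Satellite (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
"""

SAMPLE_COMBOFIX = r"""
2008-11-05 17:03 . 2008-11-05 17:03 19,663 --a------ C:\FileFind.zip
2008-10-15 18:19 2,864 ----a-w c:\windows\system32\winsock.dll
2008-10-25 14:53 --------- d--h--w c:\program files\InstallShield Installation Information
2007-11-08 14:35 155,760 --sha-w c:\windows\system32\fiber.exe
2007-11-08 14:35 41,472 --sha-w c:\windows\system32\imapdb.dll
"""


def parse_entries(text: str) -> List[Entry]:
    """(section, body) for every HJT entry line; headers and process lists are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def review_entry(sec: str, body: str) -> str:
    """Short review note for an entry worth a second look, or '' if none."""
    if "(no file)" in body:
        return "orphaned registration: the referenced file is missing"
    if sec == "O4":
        # Text after the [name] tag is the command. A bare filename is resolved
        # by PATH search, so a same-named file earlier in the path would win.
        cmd = body.split("]", 1)[-1].strip().lstrip('"')
        if not re.match(r"^[A-Za-z]:\\", cmd):
            return "autorun with an unqualified path: " + (cmd.split() or ["(empty)"])[0]
    if sec == "O16":
        return "ActiveX download control: confirm the .cab origin is intended"
    if sec == "O17":
        servers = body.split("NameServer =", 1)[-1].split()
        return "DNS servers " + ", ".join(servers) + ": check them against the ISP's resolvers"
    if sec in ("O20", "O21", "O22"):
        return "DLL loaded by Winlogon/Explorer at logon: verify vendor and signature"
    if sec == "O23" and "Unknown owner" in body:
        return "service binary carries no company name: verify signature and install source"
    return ""


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Flagged entries as (section, body, note)."""
    return [(s, b, n) for s, b in parse_entries(text) for n in [review_entry(s, b)] if n]


def diff_logs(before: str, after: str) -> Tuple[Set[Entry], Set[Entry]]:
    """(added, removed) entry sets between two HJT logs of the same machine."""
    old, new = set(parse_entries(before)), set(parse_entries(after))
    return new - old, old - new


def hidden_system_files(text: str) -> List[str]:
    """Paths ComboFix listed with both the system (s) and hidden (h) attributes."""
    found = []
    for line in text.splitlines():
        m = CF_FILE_RE.search(line)
        if m and "s" in m.group("attr") and "h" in m.group("attr"):
            found.append(m.group("path"))
    return found


if __name__ == "__main__":
    for sec, body, note in triage(SAMPLE_HJT):
        print(f"{sec}: {note}\n    {body}")
    for path in hidden_system_files(SAMPLE_COMBOFIX):
        print("system+hidden:", path)
```

Run it against two saved logs by reading them into strings and calling diff_logs(before, after); an empty "added" set and a non-empty "removed" set is what you want to see after a fix. None of the notes means "malicious": the O4 line with a bare HDAShCut.exe is a common audio-driver entry, and the point of flagging it is only that the file it resolves to should be checked, not deleted.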
2007-11-08 14:35 24,576 --sha-w c:\windows\system32\imapdb.exe
2007-11-08 14:35 438,272 --sha-w c:\windows\system32\imapdc.dll
2007-11-08 14:35 36,352 --sha-w c:\windows\system32\imapdd.dll
2007-11-08 14:35 99,840 --sha-w c:\windows\system32\imapde.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-05_16.17.30.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-05 11:43:23 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_538.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-06 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\WINDOWS\\system32\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-10-29 13:09 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.NUB2"= NuB2.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2007-12-04 18:30 79224 c:\progra~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-01-13 09:47 163840 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-01-13 09:47 131072 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 01:06 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SifyBB]
--a------ 2006-04-21 20:04 127085 c:\program files\Sify Broadband\BBImpSec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-10-29 13:09 1576176 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-27 23:11 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-06 00:16 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-07 14:08 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2005-01-07 17:07 61952 c:\windows\system32\HdAShCut.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"Persistence"=c:\windows\system32\igfxpers.exe
"googletalk"=c:\program files\Google\Google Talk\googletalk.exe /autostart
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe"
"CTCheck"=f:\zen media explorer\CTCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"e:\\Counter Strike\\czero.exe"=
"e:\\Counter Strike\\hltv.exe"=
"e:\\Counter Strike\\hlds.exe"=
"d:\\onceuponatime\\DC++\\DCPlusPlus.exe"=
"d:\\onceuponatime\\Network Assistant\\Nassi.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"f:\\games\\MIDTOWN MADNESS\\midtown.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Faiz\\Desktop\\exe files\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Java\\jdk1.5.0_16\\jre\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"50069:TCP"= 50069:TCP:utorrent

R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2004-08-04 14336]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\DRIVERS\RMSPPPOE.SYS [2002-10-03 31504]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\DRIVERS\libusb0.sys [2007-05-11 29184]
S3 SetupNTGLM7X;SetupNTGLM7X;G:\NTGLM7X.sys [ ]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-02-15 306432]
S3 z530bus;Sony Ericsson Z530 Driver driver (WDM);c:\windows\system32\DRIVERS\z530bus.sys [2007-10-30 58288]
S3 z530mdfl;Sony Ericsson Z530 USB WMC Modem Filter;c:\windows\system32\DRIVERS\z530mdfl.sys [2007-10-30 8336]
S3 z530mdm;Sony Ericsson Z530 USB WMC Modem Driver;c:\windows\system32\DRIVERS\z530mdm.sys [2007-10-30 94064]
S3 z530mgmt;Sony Ericsson Z530 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\z530mgmt.sys [2007-10-30 85408]
S3 z530obex;Sony Ericsson Z530 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\z530obex.sys [2007-10-30 83344]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-09-19 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 15:17]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 17:37:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-05 17:37:39
ComboFix-quarantined-files.txt 2008-11-05 12:07:36
ComboFix2.txt 2008-11-05 11:46:10
ComboFix3.txt 2008-11-05 10:47:56

Pre-Run: 4,877,934,592 bytes free
Post-Run: 4,882,685,952 bytes free

231


The HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:39:36 PM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\ad aware 07\aawservice.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Broadband Pacenet\Pacenet Dialer\PaceDial.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: Download all links with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186238036171
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O17 - HKLM\System\CS2\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\ad aware 07\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7587 bytes

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:00 PM

Posted 05 November 2008 - 07:24 AM

Hi,

Let's give this one more run, because I've investigated some other files in your system32 folder and some appear to be leftovers from another infection (flash-drive infection - Kinza.exe). So let's delete them.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\fiber.exe
c:\windows\system32\imapd.exe
c:\windows\system32\imapdb.dll
c:\windows\system32\imapdb.exe
c:\windows\system32\imapdc.dll
c:\windows\system32\imapdd.dll
c:\windows\system32\imapde.dll


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: the CFScript file being dragged onto ComboFix.exe)

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Edited by miekiemoes, 05 November 2008 - 07:27 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
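
The triage step miekiemoes describes above (pick out the system32 files that don't belong, then hand them to ComboFix as a File:: script) can be scripted for a first pass. What follows is an added example, not code from this thread and not a ComboFix feature: it parses Find3M Report lines in the column layout visible in the logs on this page, flags files inside system32 that carry both the system and hidden attributes, flags groups of files in one directory that were written with an identical timestamp, and prints the flagged paths in the File:: format used in the CFScript above. The two heuristics, the cluster threshold of three files, and the attribute-letter interpretation are assumptions of this example; the sample lines are copied from the Find3M report in the thread, with two benign system32 entries kept in so the heuristics have something to leave alone.

```python
"""Triage ComboFix "Find3M Report" lines and emit a CFScript File:: block.

Added example for this thread; not code from the forum post or from
ComboFix. It only understands the Find3M column layout seen in the logs
above (date, time, size or dashes, attribute string, path); the "Files
Created" section uses a different layout and is skipped.
"""
import re
from collections import defaultdict

# Column layout as observed in the Find3M report. The attribute string is
# assumed to use letters for set attributes (d = directory, s = system,
# h = hidden, a = archive) and '-' for unset ones, e.g. '--sha-w', 'd-----w'.
FIND3M_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Lines copied from the Find3M report in this thread (not constructed),
# with two benign system32 entries kept in so the heuristics have
# something to ignore.
SAMPLE_REPORT = [
    r"2008-10-31 15:43 --------- d-----w c:\program files\SUPERAntiSpyware",
    r"2008-10-15 18:19 2,864 ----a-w c:\windows\system32\winsock.dll",
    r"2008-09-21 15:42 2,288,128 ----a-w c:\windows\system32\TUKernel.exe",
    r"2007-11-08 14:35 155,760 --sha-w c:\windows\system32\fiber.exe",
    r"2007-11-08 14:35 958,464 --sha-w c:\windows\system32\imapd.exe",
    r"2007-11-08 14:35 41,472 --sha-w c:\windows\system32\imapdb.dll",
    r"2007-11-08 14:35 24,576 --sha-w c:\windows\system32\imapdb.exe",
    r"2007-11-08 14:35 438,272 --sha-w c:\windows\system32\imapdc.dll",
    r"2007-11-08 14:35 36,352 --sha-w c:\windows\system32\imapdd.dll",
    r"2007-11-08 14:35 99,840 --sha-w c:\windows\system32\imapde.dll",
]


def parse_find3m(lines):
    """Return one dict per parsable Find3M line; other lines are skipped."""
    entries = []
    for line in lines:
        m = FIND3M_LINE.match(line.strip())
        if not m:
            continue
        attrs = m["attrs"]
        size = None if m["size"].startswith("-") else int(m["size"].replace(",", ""))
        entries.append({
            "date": m["date"],
            "time": m["time"],
            "size": size,
            "is_dir": attrs.startswith("d"),
            "system": "s" in attrs,
            "hidden": "h" in attrs,
            "path": m["path"],
        })
    return entries


def flag_entries(entries, min_cluster=3):
    """Map path -> list of reasons for entries worth a second look.

    Both heuristics are assumptions of this example, not ComboFix rules:
    1. a file inside system32 carrying both system and hidden attributes
       (legitimate files such as pagefile.sys do this too, so this is a
       triage signal, not a verdict);
    2. at least `min_cluster` files in one directory sharing an identical
       date and time, the pattern a dropper leaves when it writes several
       components in one go.
    """
    flagged = {}
    for e in entries:
        if e["is_dir"]:
            continue
        if e["system"] and e["hidden"] and "\\system32\\" in e["path"].lower():
            flagged.setdefault(e["path"], []).append("system+hidden in system32")

    groups = defaultdict(list)
    for e in entries:
        if not e["is_dir"]:
            directory = e["path"].rsplit("\\", 1)[0].lower()
            groups[(directory, e["date"], e["time"])].append(e["path"])
    for (_, date, time), paths in groups.items():
        if len(paths) >= min_cluster:
            for p in paths:
                flagged.setdefault(p, []).append(
                    f"{len(paths)} files share timestamp {date} {time}")
    return flagged


def cfscript(paths):
    """Render paths as the File:: block in the format used in the thread."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    hits = flag_entries(parse_find3m(SAMPLE_REPORT))
    for path, reasons in sorted(hits.items()):
        print(f"{path}: {'; '.join(reasons)}")
    print()
    print(cfscript(sorted(hits)))
```

Run over the copied lines, it flags exactly the seven files listed in the CFScript above, each for both reasons, and leaves winsock.dll and TUKernel.exe alone. The output is a starting point for a human decision, not a deletion list: system+hidden is also used by legitimate files, and a same-timestamp cluster can just as well be a vendor installer, so someone still has to look at each path before it goes into the script, as happens in this thread.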

#9 funky_beats06

funky_beats06
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:01:00 PM

Posted 05 November 2008 - 07:31 AM

Thanks, here's the ComboFix log:

ComboFix 08-11-04.02 - Faiz 2008-11-05 17:57:22.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.112 [GMT 5.5:30]
Running from: c:\documents and settings\Faiz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Faiz\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\boot.inf
c:\windows\system32\fiber.exe
c:\windows\system32\imapd.exe
c:\windows\system32\imapdb.dll
c:\windows\system32\imapdb.exe
c:\windows\system32\imapdc.dll
c:\windows\system32\imapdd.dll
c:\windows\system32\imapde.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\boot.inf
c:\windows\system32\fiber.exe
c:\windows\system32\imapd.exe
c:\windows\system32\imapdb.dll
c:\windows\system32\imapdb.exe
c:\windows\system32\imapdc.dll
c:\windows\system32\imapdd.dll
c:\windows\system32\imapde.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.

2008-11-05 17:03 . 2008-11-05 17:03 19,663 --a------ C:\FileFind.zip
2008-11-05 14:53 . 2008-11-05 14:55 3,659,204 --a------ C:\Ramchand-Pakistani-pDVD-IMTIYAZ-2.avi
2008-11-05 14:40 . 2008-10-16 09:09 24,220,384 --a------ C:\Ramchand-Pakistani-pDVD-IMTIYAZ-1.avi
2008-11-02 23:15 . 2008-11-02 23:15 4,096 --a------ c:\windows\d3dx.dat
2008-11-02 23:14 . 2008-11-03 00:18 <DIR> d-------- c:\program files\Torque
2008-11-01 23:44 . 2008-11-01 23:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\YoYoGames
2008-11-01 21:58 . 2008-11-01 22:11 <DIR> d-------- c:\program files\Game_Maker7
2008-10-31 21:13 . 2008-11-01 22:14 <DIR> d-------- c:\program files\Dark Basic Software
2008-10-30 22:48 . 2008-11-01 22:14 70 --a------ c:\windows\dbinside.ini
2008-10-24 21:36 . 2008-10-24 21:36 <DIR> d-------- c:\program files\LimeWire
2008-10-23 19:52 . 2008-10-23 20:17 75 --a------ C:\clock.html
2008-10-23 19:45 . 2008-10-25 22:24 4,919 --a------ C:\Clock.class
2008-10-23 19:45 . 2008-10-25 22:24 1,835 --a------ C:\Clock$ClockHand.class
2008-10-23 19:41 . 2008-10-25 22:24 7,199 --a------ C:\Clock.java
2008-10-11 12:34 . 2008-10-11 12:34 65,101,824 --a------ C:\Sarfuu.mpg_New.mpg
2008-10-10 00:19 . 2008-10-10 00:19 <DIR> d-------- c:\documents and settings\Faiz\test
2008-10-10 00:19 . 2008-10-10 00:19 <DIR> d-------- c:\documents and settings\Faiz\classes
2008-10-07 19:30 . 2008-10-07 19:45 <DIR> d-------- c:\documents and settings\Faiz\Application Data\DVD Catalyst3
2008-10-07 19:15 . 2008-10-07 19:15 <DIR> d-------- c:\program files\Bluetooth File Sender
2008-10-05 20:43 . 2005-08-16 12:23 38,422 --a------ c:\windows\system32\drivers\StMp3Rec.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 12:27 --------- d-----w c:\documents and settings\Faiz\Application Data\DMCache
2008-11-02 19:08 --------- d-----w c:\documents and settings\Faiz\Application Data\uTorrent
2008-10-31 15:43 --------- d-----w c:\program files\SUPERAntiSpyware
2008-10-31 15:17 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-26 17:48 --------- d-----w c:\program files\NetBeans 6.1
2008-10-25 14:53 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 16:03 --------- d-----w c:\documents and settings\Faiz\Application Data\LimeWire
2008-10-15 18:19 2,864 ----a-w c:\windows\system32\winsock.dll
2008-10-12 16:28 --------- d-----w c:\documents and settings\Faiz\Application Data\dvdcss
2008-10-09 18:40 --------- d-----w c:\program files\Java
2008-10-05 15:13 --------- d-----w c:\program files\Creative
2008-10-05 15:09 --------- d-----w c:\program files\Yacc Yet Another CSO Compressor
2008-10-03 18:04 --------- d-----w c:\documents and settings\Faiz\Application Data\Audacity
2008-09-30 19:28 --------- d-----w c:\documents and settings\Faiz\Application Data\Subversion
2008-09-30 19:27 --------- d-----w c:\program files\Subversion
2008-09-30 18:18 --------- d-----w c:\program files\Cygwin
2008-09-29 10:00 --------- d-----w c:\program files\PMFplay H.264 Decoder
2008-09-25 07:56 --------- d-----w c:\documents and settings\Faiz\Application Data\Creative
2008-09-25 06:56 --------- d-----w c:\documents and settings\All Users\Application Data\Creative
2008-09-24 14:24 --------- d--h--w c:\program files\Creative Installation Information
2008-09-24 14:10 --------- d-----w c:\program files\Common Files\Creative
2008-09-24 11:35 --------- d-----w c:\program files\EvilLyrics
2008-09-24 11:29 --------- d-----w c:\program files\MIKSOFT
2008-09-21 15:42 2,288,128 ----a-w c:\windows\system32\TUKernel.exe
2008-09-21 11:15 --------- d-----w c:\program files\Winamp
2008-09-21 11:11 --------- d-----w c:\program files\Audacity
2008-09-20 17:15 --------- d-----w c:\program files\Stardock
2008-09-20 17:15 --------- d-----w c:\program files\Common Files\Stardock
2008-09-18 12:25 359,040 ----a-w c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2008-09-18 10:39 --------- d-----w c:\program files\FDRLab
2008-09-18 06:18 --------- d-----w c:\program files\Cavaj Java Decompiler
2008-09-14 09:47 --------- d-----w c:\program files\Audacity 1.3 Beta (Unicode)
2008-09-12 13:01 --------- d-----w c:\documents and settings\Faiz\Application Data\Broadband
2008-04-25 14:18 32,936 ----a-w c:\documents and settings\Faiz\Application Data\GDIPFONTCACHEV1.DAT
2007-10-17 05:50 3,346,944 ----a-w c:\program files\VersionTrackerProWindows40cn0074.msi
2007-09-30 20:18 5,970,944 ----a-w c:\documents and settings\Faiz\irfanview_plugins_400_setup.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-05_16.17.30.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-05 11:43:23 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_538.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-06 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\WINDOWS\\system32\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-10-29 13:09 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.NUB2"= NuB2.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2007-12-04 18:30 79224 c:\progra~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-01-13 09:47 163840 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-01-13 09:47 131072 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 01:06 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SifyBB]
--a------ 2006-04-21 20:04 127085 c:\program files\Sify Broadband\BBImpSec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-10-29 13:09 1576176 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-27 23:11 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-06 00:16 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-07 14:08 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2005-01-07 17:07 61952 c:\windows\system32\HdAShCut.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"Persistence"=c:\windows\system32\igfxpers.exe
"googletalk"=c:\program files\Google\Google Talk\googletalk.exe /autostart
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe"
"CTCheck"=f:\zen media explorer\CTCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"e:\\Counter Strike\\czero.exe"=
"e:\\Counter Strike\\hltv.exe"=
"e:\\Counter Strike\\hlds.exe"=
"d:\\onceuponatime\\DC++\\DCPlusPlus.exe"=
"d:\\onceuponatime\\Network Assistant\\Nassi.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"f:\\games\\MIDTOWN MADNESS\\midtown.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Faiz\\Desktop\\exe files\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Java\\jdk1.5.0_16\\jre\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"50069:TCP"= 50069:TCP:utorrent

R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2004-08-04 14336]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\DRIVERS\RMSPPPOE.SYS [2002-10-03 31504]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\DRIVERS\libusb0.sys [2007-05-11 29184]
S3 SetupNTGLM7X;SetupNTGLM7X;G:\NTGLM7X.sys [ ]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-02-15 306432]
S3 z530bus;Sony Ericsson Z530 Driver driver (WDM);c:\windows\system32\DRIVERS\z530bus.sys [2007-10-30 58288]
S3 z530mdfl;Sony Ericsson Z530 USB WMC Modem Filter;c:\windows\system32\DRIVERS\z530mdfl.sys [2007-10-30 8336]
S3 z530mdm;Sony Ericsson Z530 USB WMC Modem Driver;c:\windows\system32\DRIVERS\z530mdm.sys [2007-10-30 94064]
S3 z530mgmt;Sony Ericsson Z530 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\z530mgmt.sys [2007-10-30 85408]
S3 z530obex;Sony Ericsson Z530 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\z530obex.sys [2007-10-30 83344]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-09-19 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 15:17]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 17:58:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-05 17:59:04
ComboFix-quarantined-files.txt 2008-11-05 12:29:01
ComboFix2.txt 2008-11-05 12:19:36
ComboFix3.txt 2008-11-05 12:07:41
ComboFix4.txt 2008-11-05 11:46:10
ComboFix5.txt 2008-11-05 12:26:53

Pre-Run: 4,827,783,168 bytes free
Post-Run: 4,830,003,200 bytes free

223


The HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:00:59 PM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\ad aware 07\aawservice.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Broadband Pacenet\Pacenet Dialer\PaceDial.exe
C:\Documents and Settings\Faiz\Desktop\Exe Files\IDMan.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: Download all links with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186238036171
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O17 - HKLM\System\CS2\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\ad aware 07\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7680 bytes




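As an added triage example for the logs above (not part of the original post, and not a BleepingComputer, Trend Micro or HijackThis tool), the following Python turns three checks a malware-response helper applies by eye into code: O2 BHOs whose DLL is missing, O4 autoruns that start from a bare file name or from a user-writable folder, and O17 DNS servers that are not on an expected resolver list. It assumes that 203.115.71.66 is the ISP resolver this machine is expected to use, which is a guess; the sample lines are copied from the HijackThis log above except the `[IDM]` O4 line, which is constructed to exercise the user-writable check.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example for this thread, not a BleepingComputer or Trend Micro tool. It
turns a few of the checks a malware-response helper does by eye into code:
BHOs (O2) whose DLL is missing, autoruns (O4) that start from a bare file name
or from a user-writable folder, and DNS servers (O17) that are not on the
expected resolver list.
"""
import re
from dataclasses import dataclass

# Constructed sample input in HijackThis v2 line format. All lines but one are
# copied from the log in this thread; the "[IDM]" O4 line is made up.
SAMPLE_LOG = r"""
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [IDM] C:\Documents and Settings\Faiz\Desktop\Exe Files\IDMan.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
"""

# Assumption: the ISP resolver seen in the log is the only one expected here.
EXPECTED_DNS = {"203.115.71.66"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.*?): NameServer = (?P<servers>.*)$")

# Folders a standard user can write to on XP; anything autostarting from them
# deserves a look, because files dropped by a downloaded keygen land there.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\users\\")


@dataclass
class Finding:
    line_type: str   # HijackThis section: O2, O4 or O17
    severity: str    # info, medium or high
    subject: str     # BHO name, autorun name or DNS server
    reason: str


def executable_path(cmd):
    """Best-effort extraction of the program path from an autorun command line.

    A quoted path is taken verbatim; an unquoted one is cut at the first
    ".exe" so paths containing spaces survive (arguments are not parsed).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r".*?\.exe", cmd, re.IGNORECASE)
    return m.group(0) if m else cmd.split(" ")[0]


def triage(log_text, expected_dns=EXPECTED_DNS):
    """Return findings for the O2/O4/O17 lines in log_text, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O2_RE.match(line)):
            if m["path"].strip().lower() == "(no file)":
                findings.append(Finding("O2", "info", m["name"],
                                        "BHO registered but its DLL is gone: orphaned entry, fix it"))
        elif (m := O4_RE.match(line)):
            path = executable_path(m["cmd"])
            if "\\" not in path:
                findings.append(Finding("O4", "medium", m["name"],
                                        f"unqualified program name {path}: resolved via the search "
                                        "path, confirm which file actually runs"))
            elif any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
                findings.append(Finding("O4", "high", m["name"],
                                        f"autorun from a user-writable folder: {path}"))
        elif (m := O17_RE.match(line)):
            for server in m["servers"].split():
                if server not in expected_dns:
                    findings.append(Finding("O17", "high", server,
                                            "DNS server not on the expected resolver list: "
                                            "check for a DNS hijack"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:<6}] {f.line_type} {f.subject}: {f.reason}")
```

Run as a script it prints four findings for the sample; for a real case, paste the full log and set `expected_dns` to the resolvers the ISP or router actually hands out. An unexpected NameServer is worth checking whenever search results are being redirected, as reported in this thread, and the unqualified `HDAShCut.exe` entry is flagged only so that someone confirms the copy in `system32` is the one that runs.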
#10 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:00 PM

Posted 05 November 2008 - 07:39 AM

Hi,

Any idea how this FileFind.zip got on your C:\ during our removal attempts? This looks like a zip file that was probably downloaded by you (FileFind.exe maybe). There's no need to use it since I don't know what you're going to use it for anyway.
As far as I can see, we already removed the malware (which was visible in your log).
It may be a good idea to update your Avast and run an extra scan afterwards to delete any leftovers that are still present. But before you do.... Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 10.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 10".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Then change all your passwords!!

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
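As an added check for the "remove all older versions of Java" step above (this is not code from the thread or from the helper), the following PowerShell script lists every Java runtime entry that Add/Remove Programs knows about, read straight from the Uninstall registry keys, so you can confirm nothing older is left before installing the new release; the DisplayName "Java(TM) 6 Update 10" used to recognise the current version is an assumption.

```powershell
# Added example, not from the thread: enumerate Java runtime entries that
# Add/Remove Programs displays, by reading the Uninstall registry keys.
# Assumption: the new installer registers itself as "Java(TM) 6 Update 10".
$Target = 'Java(TM) 6 Update 10'

# 32-bit Windows (as in the thread) only has the first key; the Wow6432Node
# key covers 32-bit Java on 64-bit Windows and is simply skipped if absent.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Deliberately broad match: the thread says to check any item with
# "Java Runtime Environment (JRE or J2SE)" in its name. Review the list
# yourself; a false match here only costs a glance.
$JavaPattern = 'Java|J2SE|JRE'

$Entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $JavaPattern } |
    Select-Object DisplayName, DisplayVersion, UninstallString

if (-not $Entries) {
    Write-Host 'No Java runtime entries found in Add/Remove Programs.'
    return
}

# Print one line per entry: anything that is not the target release is
# flagged as an old version still waiting to be removed.
foreach ($e in $Entries) {
    if ($e.DisplayName -eq $Target) {
        $status = 'current'
    } else {
        $status = 'OLD - remove via Add/Remove Programs'
    }
    '{0,-45} {1,-12} {2}' -f $e.DisplayName, $e.DisplayVersion, $status
}
```

Run it once before the reboot (every line should read OLD) and again after installing the update (only the target entry should remain).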

#11 funky_beats06 (Topic Starter)

Posted 05 November 2008 - 07:51 AM

Fine, everything's done now and the PC is running fine. I've updated the Avast antivirus, currently downloading the Java update. And yes, filefind.zip was downloaded by me off BleepingComputer, just thought it might come in handy!!
Gonna change all the passwords now, aaaargh!
Anyways dude, u were of immense help and u were super-fast. thanks once again.

Edited by funky_beats06, 05 November 2008 - 07:54 AM.


#12 miekiemoes - Malware Killer Dog (Malware Response Team)

Posted 05 November 2008 - 07:57 AM

Anyways dude, u were of immense help and u were super-fast. thanks once again.

Still female though, but you couldn't know :thumbsup:

Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#13 funky_beats06 (Topic Starter)

Posted 05 November 2008 - 08:05 AM

lol. your avatar says Malware Killer DOG, which made me think u were a dude.
lol kidding no offense. THANKS yet again , period

#14 miekiemoes - Malware Killer Dog (Malware Response Team)

Posted 05 November 2008 - 08:08 AM

You're most welcome :thumbsup:

#15 miekiemoes - Malware Killer Dog (Malware Response Team)

Posted 07 November 2008 - 02:17 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
