
Virus Scanner Problem


  • This topic is locked
20 replies to this topic

#1 huMAC

huMAC

  • Members
  • 153 posts
  • Location:Barling, AR

Posted 27 November 2008 - 12:08 AM

My computer is constantly being spammed by a virus scanner from the web; it keeps saying I have a virus on my computer. Can someone take a look at my log and fix it?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:48 PM, on 11/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
C:\Program Files\Common Files\stardock\TrayServer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\Last.fm\LastFM.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.saigonbao.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {cb4b9bee-ec59-40ad-80e7-b05f8fbc722a} - C:\WINDOWS\system32\lizofado.dll
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Documents and Settings\Chau\My Documents\My Downloads\All\Family Stuff\SmitfraudFix\smitRem\FindeXer Nightly V1.1.0.2\FindeXer.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\stardock\TrayServer.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [RK Launcher] "C:\Program Files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nodabusiji] Rundll32.exe "C:\WINDOWS\system32\zuyukuvo.dll",s
O4 - HKLM\..\Run: [30796d21] rundll32.exe "C:\WINDOWS\system32\tepidike.dll",b
O4 - HKLM\..\Run: [CPM334a5ebd] Rundll32.exe "c:\windows\system32\pujorila.dll",a
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [nodabusiji] Rundll32.exe "C:\WINDOWS\system32\zuyukuvo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: RKLauncher.lnk = C:\Program Files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab50997.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\vasokohi.dll c:\windows\system32\gadijubu.dll c:\windows\system32\habupawe.dll c:\windows\system32\zurufalo.dll c:\windows\system32\pujorila.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pujorila.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pujorila.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Microsoft Windows Device Management Service (msnsdrs) - Unknown owner - C:\WINDOWS\system32\msnsd.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 10758 bytes





#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 27 November 2008 - 07:33 AM

Hi,

I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first.
I notice that you never scanned with an antivirus before starting this thread, because you don't even have an antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because it really makes no sense for us to clean this up manually if no antivirus scan has been done; an antivirus should be able to deal with most of it and prevent further reinfection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 huMAC

huMAC
  • Topic Starter

  • Members
  • 153 posts
  • Location:Barling, AR

Posted 27 November 2008 - 09:48 AM

I do have a virus scanner. Currently I'm using SuperAntiSpyware, Spybot - Search & Destroy, and ClamWin.

But I'll install Avira too.

Edited by huMAC, 27 November 2008 - 09:49 AM.


#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 27 November 2008 - 09:51 AM

Hi,

SuperAntiSpyware and Spybot S&D are antispyware scanners, not antivirus scanners. I don't see ClamWin in your log, but then again, this isn't a realtime scanner.
That's why an Antivirus is so important since it always runs in the background as a realtime scanner in order to PREVENT malware in the first place.

Extra note...

O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Documents and Settings\Chau\My Documents\My Downloads\All\Family Stuff\SmitfraudFix\smitRem\FindeXer Nightly V1.1.0.2\FindeXer.dll

You have a strange method of installing programs.

Edited by miekiemoes, 27 November 2008 - 09:53 AM.

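The triage the responder performs on the log in the first post, and the FindeXer entry she singles out above, can be written down as a small detection script. The following Python is an added example, not code from this thread or from HijackThis/Trend Micro. The log lines embedded in it are a constructed subset copied from the first post, and the 8-letter-DLL-name heuristic is tuned to the naming pattern visible in that particular log (lizofado, zuyukuvo, pujorila, ...), so its output is a prompt for a person to look closer, not a verdict.

```python
import re

# Constructed sample: a subset of lines in the shape of the HijackThis v2.0.2
# log posted in the first post of this thread (abbreviated, not the full log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {cb4b9bee-ec59-40ad-80e7-b05f8fbc722a} - C:\WINDOWS\system32\lizofado.dll
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Documents and Settings\Chau\My Documents\My Downloads\All\Family Stuff\SmitfraudFix\smitRem\FindeXer Nightly V1.1.0.2\FindeXer.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nodabusiji] Rundll32.exe "C:\WINDOWS\system32\zuyukuvo.dll",s
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O20 - AppInit_DLLs: C:\WINDOWS\system32\vasokohi.dll c:\windows\system32\gadijubu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pujorila.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Microsoft Windows Device Management Service (msnsdrs) - Unknown owner - C:\WINDOWS\system32\msnsd.exe (file missing)
"""

# Every HijackThis entry starts with a section code ("O4", "O23", ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Heuristic tuned to this thread's log: the Vundo-style components in it all sit in
# system32 and carry pronounceable 8-letter names. It will also match some benign
# names, so it only adds a reason to look, never a verdict on its own.
RANDOM_DLL_RE = re.compile(r"[\\/]system32[\\/]([a-z]{8})\.dll", re.IGNORECASE)


def parse_line(line):
    """Split one log line into (section, body); None for lines that are not entries."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    return match.group("section"), match.group("body")


def find_indicators(line):
    """Return the reasons (possibly none) a HijackThis line deserves a second look."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    section, body = parsed
    lower = body.lower()
    reasons = []
    for dll in RANDOM_DLL_RE.findall(body):
        reasons.append(f"8-letter system32 DLL name: {dll}.dll")
    if section == "O2" and lower.startswith("bho: (no name)") and "(no file)" not in lower:
        reasons.append("unnamed BHO backed by a real file")
    if section == "O2" and "\\documents and settings\\" in lower:
        reasons.append("BHO loaded from a user profile directory, not Program Files")
    if section == "O4" and "rundll32" in lower:
        reasons.append("autorun that loads a DLL through rundll32")
    if section == "O4" and "runonce" in lower and "cmd.exe" in lower and " move " in lower:
        reasons.append("RunOnce shell command that renames a file in System32")
    if section == "O20" and lower.startswith("appinit_dlls:") and lower.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs populated: loaded into every process that uses user32")
    if section == "O23" and "(file missing)" in lower and "unknown owner" in lower:
        reasons.append("service with unknown owner and missing binary")
    return reasons


def triage(log_text):
    """Walk a whole log and return (section, line, reasons) for each flagged entry."""
    findings = []
    for raw in log_text.splitlines():
        reasons = find_indicators(raw)
        if reasons:
            section, _ = parse_line(raw)
            findings.append((section, raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run as a script it prints each flagged line with its reasons: the Program Files entries (Adobe, iTunes, Bonjour) pass through unflagged, while the unnamed BHO, the FindeXer BHO in a download folder, the rundll32 autorun, the RunOnce rename of syssetup.dll, the AppInit_DLLs list, the SSODL hook and the service with a missing binary are all surfaced. In a real triage each flagged path would be checked (publisher, file hash, whether the file exists) before anything is fixed, and quarantining rather than deleting keeps a false positive recoverable.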

#5 huMAC

huMAC
  • Topic Starter

  • Members
  • 153 posts
  • Location:Barling, AR

Posted 27 November 2008 - 09:57 AM

lol, I don't even know what that is =o

But anyway, should I uninstall ClamWin since I'm getting Avira now?

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 27 November 2008 - 09:59 AM

lol, I don't even know what that is =o

If you don't know it, then uninstall it. I guess it will be called FindeXer in Add & Remove Programs. If you can't find it, just check that entry in HijackThis and click the "Fix checked" button below.

should I uninstall ClamWin since I'm getting Avira now?

Yes.

#7 huMAC

huMAC
  • Topic Starter

  • Members
  • 153 posts
  • Location:Barling, AR

Posted 27 November 2008 - 10:01 AM

I'm just wondering, what should I do with some of the files that my scanner found to be infected? Delete it or quarantine it?

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 27 November 2008 - 11:26 AM

Better to quarantine it first.

#9 huMAC

huMAC
  • Topic Starter

  • Members
  • 153 posts
  • Location:Barling, AR

Posted 27 November 2008 - 11:27 AM

I'm still getting some popups.

Avira AntiVir Personal
Report file date: Thursday, November 27, 2008 08:57

Scanning for 1056330 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: 4C7B3A00E6404D8

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/27/2008 14:56:55
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 15:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 20:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 14:56:56
ANTIVIR1.VDF : 7.1.0.56 411136 Bytes 11/9/2008 14:56:56
ANTIVIR2.VDF : 7.1.0.124 376832 Bytes 11/23/2008 14:56:56
ANTIVIR3.VDF : 7.1.0.148 156672 Bytes 11/27/2008 14:56:56
Engineversion : 8.2.0.35
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 18:05:56
AESCRIPT.DLL : 8.1.1.15 332156 Bytes 11/27/2008 14:56:56
AESCN.DLL : 8.1.1.5 123251 Bytes 11/27/2008 14:56:56
AERDL.DLL : 8.1.1.3 438645 Bytes 11/27/2008 14:56:56
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/27/2008 14:56:56
AEOFFICE.DLL : 8.1.0.30 196986 Bytes 11/27/2008 14:56:56
AEHEUR.DLL : 8.1.0.71 1487222 Bytes 11/27/2008 14:56:56
AEHELP.DLL : 8.1.2.0 119159 Bytes 11/27/2008 14:56:56
AEGEN.DLL : 8.1.1.5 323956 Bytes 11/27/2008 14:56:56
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 18:05:56
AECORE.DLL : 8.1.5.1 172406 Bytes 11/27/2008 14:56:56
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 18:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 16:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 17:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 11/27/2008 14:56:56
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 19:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 16:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 20:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 01:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 20:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 20:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 21:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 21:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Thursday, November 27, 2008 08:57

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'Styler.exe' - '1' Module(s) have been scanned
Scan process 'ObjectDock.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'RKLauncher.exe' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'E_S4I2F1.EXE' - '1' Module(s) have been scanned
Scan process 'TrayServer.exe' - '1' Module(s) have been scanned
Scan process 'ObjectBar.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'sdmcp.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
39 processes with 39 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD2
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '67' files ).


Starting the file scan:

Begin scan in 'C:\' <Windows HD>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\.clamwin\quarantine\infected.2B.tmp.000.000.000.000.000.000.000.000.000.000
[0] Archive type: NSIS
--> [UnknownShellDir]/Yazzle1552OinAdmin.exe
[DETECTION] Is the TR/Dldr.PurityScan.EG.30 Trojan
[DETECTION] Contains recognition pattern of the DR/Dldr.PurityScan.EG.82 dropper
[NOTE] The file was moved to '4994b6da.qua'!
C:\Documents and Settings\All Users\.clamwin\quarantine\infected.4D.tmp.000.000.000.000.000.000.000.000.000.000
[0] Archive type: NSIS
--> [UnknownShellDir]/Yazzle1552OinAdmin.exe
[DETECTION] Is the TR/Dldr.PurityScan.EG.30 Trojan
[DETECTION] Contains recognition pattern of the DR/Dldr.PurityScan.EG.82 dropper
[NOTE] The file was moved to '4994b6e4.qua'!
C:\Documents and Settings\All Users\.clamwin\quarantine\infected.4E.tmp.000.000.000.000.000.000.000.000.000.000
[0] Archive type: NSIS
--> [UnknownShellDir]/Yazzle1552OinAdmin.exe
[DETECTION] Is the TR/Dldr.PurityScan.EG.30 Trojan
[DETECTION] Contains recognition pattern of the DR/Dldr.PurityScan.EG.82 dropper
[NOTE] The file was moved to '4994b6e7.qua'!
C:\Documents and Settings\All Users\.clamwin\quarantine\infected.8.tmp.000.000.000.000.000.000.000.000.000.000
[0] Archive type: NSIS
--> [UnknownShellDir]/Yazzle1552OinAdmin.exe
[DETECTION] Is the TR/Dldr.PurityScan.EG.30 Trojan
[DETECTION] Contains recognition pattern of the DR/Dldr.PurityScan.EG.82 dropper
[NOTE] The file was moved to '4994b6ea.qua'!
C:\Documents and Settings\All Users\.clamwin\quarantine\infected.index[22].htm.000.000.000.000.000.000.000.000
[DETECTION] Contains recognition pattern of the HTML/Rce.Gen HTML script virus
[NOTE] The file was moved to '4994b6ec.qua'!
C:\Documents and Settings\All Users\.clamwin\quarantine\infected._freescan[1].htm
[DETECTION] Contains recognition pattern of the JS/Dldr.Zino.C Java script virus
[NOTE] The file was moved to '4994b706.qua'!
C:\Documents and Settings\Chau\Local Settings\Temporary Internet Files\Content.IE5\LHNSMBRO\_freescan[1].htm
[DETECTION] Contains recognition pattern of the JS/Dldr.Zino.C Java script virus
[NOTE] The file was moved to '49a0ba74.qua'!
C:\Documents and Settings\Chau\Local Settings\Temporary Internet Files\Content.IE5\P730DLME\freescan[1].htm
[DETECTION] Contains recognition pattern of the JS/Agent.1366 Java script virus
[NOTE] The file was moved to '4993bad7.qua'!
C:\Documents and Settings\Chau\My Documents\Downloads\Stardock Object Desktop Suite\Stardock Object Desktop Suite\IconPackager.zip
[0] Archive type: ZIP
--> KeyGen.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '499dbbee.qua'!
C:\Documents and Settings\Chau\My Documents\Downloads\Stardock Object Desktop Suite\Stardock Object Desktop Suite\IconPackager\KeyGen.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49a7bc75.qua'!
C:\Documents and Settings\Chau\My Documents\My Downloads\All\Impo\SolveigMM.Video.Splitter.v2.0.803.4+KEYGEN\SolveigMM_Video_Splitter_2.0.803.04.exe
[DETECTION] Contains recognition pattern of the PHISH/FraudTool.SpyNoMore.G.63 phishing file/email
[NOTE] The file was moved to '499abcf2.qua'!
C:\System Volume Information\_restore{A0BCCC8B-99D6-4986-8CA9-A82EFDDD58FA}\RP469\A0156210.exe
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{A0BCCC8B-99D6-4986-8CA9-A82EFDDD58FA}\RP469\A0156211.exe
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to '495fc3e4.qua'!
C:\System Volume Information\_restore{A0BCCC8B-99D6-4986-8CA9-A82EFDDD58FA}\RP470\A0156274.sys
[DETECTION] Is the TR/Agent.274944.C Trojan
[NOTE] The file was moved to '495fc3ec.qua'!
C:\System Volume Information\_restore{A0BCCC8B-99D6-4986-8CA9-A82EFDDD58FA}\RP533\A0163545.dll
[DETECTION] Is the TR/Vundo.NA Trojan
[NOTE] The file was moved to '495fc4de.qua'!
C:\System Volume Information\_restore{A0BCCC8B-99D6-4986-8CA9-A82EFDDD58FA}\RP533\A0163550.dll
[DETECTION] Is the TR/Agent.apgs.2 Trojan
[NOTE] The file was moved to '495fc4e1.qua'!
C:\System Volume Information\_restore{A0BCCC8B-99D6-4986-8CA9-A82EFDDD58FA}\RP533\A0163703.dll
[DETECTION] Is the TR/Vundo.NA Trojan
[NOTE] The file was moved to '495fc4e7.qua'!
C:\System Volume Information\_restore{A0BCCC8B-99D6-4986-8CA9-A82EFDDD58FA}\RP533\A0163704.dll
[DETECTION] Is the TR/Vundo.MZ Trojan
[NOTE] The file was moved to '495fc4ea.qua'!
C:\WINDOWS\system32\edbvfct.sys
[DETECTION] Is the TR/Click.VB.brx Trojan
[NOTE] The file was moved to '4990c8bf.qua'!
C:\WINDOWS\system32\hafoboki.dll
[DETECTION] Is the TR/Vundo.MZ Trojan
[NOTE] The file was moved to '4994c8ce.qua'!
C:\WINDOWS\system32\msblds.exe
[DETECTION] Is the TR/Dldr.Delf.lzh Trojan
[NOTE] The file was moved to '4990c903.qua'!
C:\WINDOWS\system32\tmpxr_70021792415.bk
[DETECTION] Is the TR/Agent.ziy Trojan
[NOTE] The file was moved to '499ec91f.qua'!
C:\WINDOWS\system32\yupeyase.dll
[DETECTION] Is the TR/Agent.apgs Trojan
[NOTE] The file was moved to '499ec937.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZHD831DQ\msjdk[1].bin
[DETECTION] Is the TR/Dldr.Delf.lzh Trojan
[NOTE] The file was moved to '4998c94a.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZHD831DQ\msjdk[2].bin
[DETECTION] Is the TR/Dldr.Delf.lzh Trojan
[NOTE] The file was moved to '4998c94d.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZHD831DQ\msjdk[3].bin
[DETECTION] Is the TR/Dldr.Delf.lzh Trojan
[NOTE] The file was moved to '4998c94f.qua'!


End of the scan: Thursday, November 27, 2008 10:21
Used time: 1:24:02 Hour(s)

The scan has been done completely.

13017 Scanning directories
483563 Files were scanned
30 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
1 files were deleted
0 files were repaired
25 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
483532 Files not concerned
2987 Archives were scanned
4 Warnings
26 Notes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:59 AM, on 11/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
C:\Program Files\Common Files\stardock\TrayServer.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.saigonbao.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {cb4b9bee-ec59-40ad-80e7-b05f8fbc722a} - C:\WINDOWS\system32\wegahuwe.dll
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Documents and Settings\Chau\My Documents\My Downloads\All\Family Stuff\SmitfraudFix\smitRem\FindeXer Nightly V1.1.0.2\FindeXer.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\stardock\TrayServer.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [RK Launcher] "C:\Program Files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [nodabusiji] Rundll32.exe "C:\WINDOWS\system32\ligasuta.dll",s
O4 - HKLM\..\Run: [CPM334a5ebd] Rundll32.exe "c:\windows\system32\luyehije.dll",a
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [nodabusiji] Rundll32.exe "C:\WINDOWS\system32\ligasuta.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: RKLauncher.lnk = C:\Program Files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab50997.cab
O20 - AppInit_DLLs: c:\windows\system32\gadijubu.dll c:\windows\system32\habupawe.dll c:\windows\system32\zurufalo.dll c:\windows\system32\pujorila.dll C:\WINDOWS\system32\pujawewo.dll c:\windows\system32\luyehije.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\luyehije.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\luyehije.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Microsoft Windows Device Management Service (msnsdrs) - Unknown owner - C:\WINDOWS\system32\msnsd.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 11286 bytes



#10 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 27 November 2008 - 11:43 AM

Hi,

Yes, I know you're still getting popups, but now you have at least more protection in order to prevent further infections.

Do next please (you may want to disable Avira temporarily for the next step, so it won't interfere):

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#11 huMAC

huMAC
  • Topic Starter

  • Members
  • 153 posts
  • Location:Barling, AR

Posted 27 November 2008 - 06:18 PM

ComboFix 08-11-27.03 - Chau 2008-11-27 15:54:51.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.194 [GMT -6:00]
Running from: c:\documents and settings\Chau\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chau\Application Data\inst.exe
C:\install.exe
c:\windows\fmark2.dat
c:\windows\Install.txt
c:\windows\system32\BkavAuto.vxd
c:\windows\system32\drivers\BkavAuto.sys
c:\windows\system32\drivers\SysLib.sys
c:\windows\system32\fivahofi.dll
c:\windows\system32\gerogije.dll
c:\windows\system32\ifohavif.ini
c:\windows\system32\Install.txt
c:\windows\system32\ligasuta.dll
c:\windows\system32\luyehije.dll
c:\windows\system32\pujawewo.dll
c:\windows\system32\wegahuwe.dll
c:\windows\system32\ziniguhe.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_BKAVAUTO
-------\Legacy_MACIDWE
-------\Legacy_MSNSDRS
-------\Legacy_NOBICYT
-------\Legacy_PERFS
-------\Legacy_ROUTING
-------\Legacy_SOBICYT
-------\Legacy_SYSLIB
-------\Legacy_TDXDOWKC
-------\Legacy_WSERVING
-------\Service_msnsdrs


((((((((((((((((((((((((( Files Created from 2008-10-27 to 2008-11-27 )))))))))))))))))))))))))))))))
.

2008-11-27 08:53 . 2008-11-27 08:53 <DIR> d-------- c:\program files\Avira
2008-11-27 08:53 . 2008-11-27 08:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-11-22 20:19 . 2008-11-22 20:19 <DIR> d-------- c:\program files\AviSynth 2.5
2008-11-22 20:19 . 2004-02-22 10:11 719,872 --a------ c:\windows\system32\devil.dll
2008-11-22 20:19 . 2006-10-07 17:43 502,784 --a------ c:\windows\x2.64.exe
2008-11-22 20:19 . 2007-05-17 17:30 318,976 --a------ c:\windows\system32\avisynth.dll
2008-11-22 20:19 . 2005-02-28 13:16 240,128 --a------ c:\windows\system32\x.264.exe
2008-11-22 20:19 . 2006-04-12 09:47 217,073 --a------ c:\windows\meta4.exe
2008-11-22 20:19 . 2004-01-25 00:00 70,656 --a------ c:\windows\system32\yv12vfw.dll
2008-11-22 20:19 . 2004-01-25 00:00 70,656 --a------ c:\windows\system32\i420vfw.dll
2008-11-22 20:19 . 2006-04-05 08:09 66,560 --a------ c:\windows\MOTA113.exe
2008-11-22 20:19 . 2005-07-14 12:31 27,648 --a------ c:\windows\system32\AVSredirect.dll
2008-11-22 20:18 . 2005-02-12 16:00 186,880 -r-hs---- c:\windows\system32\RLOgg.ax
2008-11-22 20:18 . 2005-01-17 16:26 179,200 -r-hs---- c:\windows\system32\DiracSplitter.ax
2008-11-22 20:18 . 2006-08-16 07:53 175,104 -r-hs---- c:\windows\system32\CoreAAC.ax
2008-11-22 20:18 . 2005-02-05 16:00 92,672 -r-hs---- c:\windows\system32\RLVorbisDec.ax
2008-11-22 20:18 . 2005-02-22 09:55 81,920 -r-hs---- c:\windows\system32\aac_parser.ax
2008-11-22 20:18 . 2005-02-12 16:00 67,584 -r-hs---- c:\windows\system32\RLTheoraDec.ax
2008-11-22 20:18 . 2005-02-12 16:00 51,712 -r-hs---- c:\windows\system32\RLSpeexDec.ax
2008-11-20 14:44 . 2008-11-20 14:44 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-11-18 22:56 . 2008-11-18 22:56 <DIR> d-------- c:\program files\alaplaya
2008-11-17 20:20 . 2008-11-17 20:20 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-17 20:20 . 2008-11-25 09:44 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-11-17 20:20 . 2008-11-25 09:44 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-11-17 20:18 . 2008-11-17 20:19 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-11-15 11:31 . 2008-11-15 11:31 <DIR> d-------- c:\windows\Diner Dash Flo Through Time
2008-11-15 11:31 . 2008-11-15 11:31 <DIR> d-------- c:\documents and settings\Chau\Application Data\PlayFirst
2008-11-15 11:31 . 2008-11-15 11:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\PlayFirst
2008-11-13 20:02 . 2005-09-25 20:11 2,494,464 --a------ c:\program files\advrcntr2.dll
2008-11-13 19:58 . 2008-11-13 19:58 <DIR> d-------- c:\program files\avisplit
2008-11-12 20:09 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\DllCache\mrxsmb.sys
2008-11-12 20:08 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\DllCache\msxml3.dll
2008-11-03 17:44 . 2008-11-25 09:58 <DIR> d-------- c:\program files\Winamp Remote
2008-11-03 17:44 . 2008-11-03 17:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\OrbNetworks
2008-10-28 16:36 . 2008-10-28 16:36 823,296 --a------ c:\windows\system32\divx_xx0c.dll
2008-10-28 16:36 . 2008-10-28 16:36 823,296 --a------ c:\windows\system32\divx_xx07.dll
2008-10-28 16:35 . 2008-10-28 16:35 815,104 --a------ c:\windows\system32\divx_xx0a.dll
2008-10-28 16:35 . 2008-10-28 16:35 802,816 --a------ c:\windows\system32\divx_xx11.dll
2008-10-28 16:35 . 2008-10-28 16:35 729,088 --a------ c:\windows\system32\divxdec.ax
2008-10-28 16:35 . 2008-10-28 16:35 684,032 --a------ c:\windows\system32\DivX.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-27 21:54 --------- d-----w c:\program files\Warcraft III
2008-11-27 15:29 --------- d-----w c:\documents and settings\Chau\Application Data\Xfire
2008-11-27 14:45 --------- d-----w c:\program files\Xfire
2008-11-27 00:52 --------- d-----w c:\documents and settings\Chau\Application Data\foobar2000
2008-11-26 05:20 --------- d-----w c:\documents and settings\Chau\Application Data\Vso
2008-11-25 14:51 --------- d-----w c:\program files\SUPERAntiSpyware
2008-11-22 00:45 --------- d-----w c:\documents and settings\Chau\Application Data\uTorrent
2008-11-19 04:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-19 04:46 --------- d-----w c:\program files\Full Tilt Poker
2008-11-19 03:04 --------- d-----w c:\program files\Miranda IM
2008-11-19 02:53 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-18 02:30 --------- d-----w c:\program files\DivX
2008-11-17 23:46 --------- d-----w c:\program files\Solveig Multimedia
2008-11-17 23:46 --------- d-----w c:\program files\Common Files\Solveig Multimedia
2008-11-14 04:37 --------- d-----w c:\program files\Common Files\Ahead
2008-11-13 16:07 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-13 09:03 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-03 23:45 --------- d-----w c:\program files\Winamp
2008-10-29 19:55 --------- d-----w c:\program files\PokerStars
2008-10-29 18:30 --------- d-----w c:\program files\OGPlanet
2008-10-24 21:52 --------- d-----w c:\documents and settings\Chau\Application Data\Apple Computer
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 20:07 --------- d-----w c:\documents and settings\Chau\Application Data\Nexon
2008-10-11 18:50 --------- d-----w c:\documents and settings\Chau\Application Data\EleFun Games
2008-10-09 15:22 --------- d-----w c:\program files\Crimson Editor
2008-10-09 12:47 --------- d-----w c:\program files\TriglowPictures
2008-10-03 04:34 --------- d-----w c:\program files\iTunes
2008-10-03 04:34 --------- d-----w c:\program files\iPod
2008-10-03 04:33 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-02 23:21 --------- d-----w c:\program files\microsoft frontpage
2008-10-02 22:52 --------- d-----w c:\program files\Premium Booster
2008-10-02 22:48 --------- d-----w c:\program files\IrfanView
2008-10-02 22:48 --------- d-----w c:\program files\Image Mender
2008-10-01 18:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-28 14:38 --------- d-----w c:\program files\PD Particles
2008-09-27 20:03 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-15 03:49 47,360 ----a-w c:\documents and settings\Chau\Application Data\pcouffin.sys
2008-01-08 22:54 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-11-25 15:49 815 ----a-w c:\program files\Launch Internet Explorer Browser.lnk
2008-08-17 04:45 32,768 --sha-w c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
2007-05-31 00:48 177,440 --sha-w c:\windows\system32\drivers\fidbox.dat
2007-05-31 00:48 4,128 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1A:Stardock TrayMonitor"="c:\program files\Common Files\stardock\TrayServer.exe" [2003-02-14 81920]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-15 335872]
"EPSON Stylus Photo R300 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"RK Launcher"="c:\program files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe" [2007-03-16 708608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnsc"="c:\windows\system32\msnsc.exe" [2006-01-12 62054]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-12 44544]

c:\documents and settings\Chau\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-02-09 1716224]
Styler.lnk - c:\documents and settings\Chau\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2008-01-30 15086]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RKLauncher.lnk - c:\program files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe [2007-03-16 708608]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-09-26 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-09-26 07:25 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2003-08-25 11:25 139264 c:\program files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"msacm.imc"= imc32.acm
"msacm.l3codecp"= l3codecp.acm
"VIDC.i263"= i263_32.drv
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\ff_vfw.dll
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=

S3 ASPI;Advanced SCSI Programming Interface Driver;\??\c:\windows\System32\DRIVERS\ASPI32.sys [2008-04-15 16512]
S3 basic1;basic1;\??\c:\documents and settings\Chau\Desktop\Basic Engine\Basic Engine\basic.sys []
S3 cheetah1;cheetah1;\??\c:\documents and settings\Chau\Desktop\ce13\cheetah.sys []
S3 DADriv1;DADriv1;\??\c:\documents and settings\Chau\Desktop\ITACHIPWNAGE Hack pack\ITACHIPWNAGE Hack pack\DA Engine\DAK32.sys []
S3 g0wkudr1ver;g0wkudr1ver;\??\c:\documents and settings\Chau\My Documents\My Downloads\MS\super\g0wku.sys []
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Chau\LOCALS~1\Temp\GPE1121.tmp []
S3 geebers12;geebers12;\??\c:\documents and settings\Chau\Desktop\Buffy_Install\Buffy Engine 2.1\nvid888.sys []
S3 GGK;GGK;\??\c:\documents and settings\Chau\Desktop\Basic Engine\Basic Engine\ggk.sys []
S3 iCheat1;iCheat1;\??\c:\documents and settings\Chau\Desktop\iCheat13-\iCheat13-\nvid999.sys []
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\c:\documents and settings\Chau\Desktop\Sleepy's_v48_Hackpack_v1.2.0\Sleepy's v48 Hackpack\Engines\MoonLight Engine 1105.1\MoonLight Engine 1105.1\IlvMoney1105.sys []
S3 kaspersky1;kaspersky1;\??\c:\documents and settings\Chau\Desktop\Kaspersky_Engine_2\kaspersky.sys []
S3 MzBot.sys;MzBot.sys;\??\c:\windows\system32\MzBot.sys [2007-04-01 3584]
S3 MzBot;MzBot;\??\C:\MzBot.sys []
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-06-28 42512]
S3 sejt1;sejt1;\??\c:\documents and settings\Chau\Desktop\AkumaEngine33\AkumaEngine33\sejt.sys []
S3 SoRa01;SoRa01;\??\c:\documents and settings\Chau\Desktop\SoRa Remak Engine 2.6\SoRa.sys []
S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys []
S3 XDva212;XDva212;\??\c:\windows\system32\XDva212.sys []
S3 XDva215;XDva215;\??\c:\windows\system32\XDva215.sys []
S3 xp1;xp1;\??\c:\documents and settings\Chau\Desktop\xpengine\xp.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9bb9b70-79bb-11dd-8828-001a70a7081a}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{cb4b9bee-ec59-40ad-80e7-b05f8fbc722a} - c:\windows\system32\wegahuwe.dll
HKCU-Run-Aim6 - (no file)
MSConfigStartUp-ClamWin - c:\program files\ClamWin\bin\ClamTray.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Chau\Application Data\Mozilla\Firefox\Profiles\tpybvee7.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.apple.com/
FF -: plugin - c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-27 16:05:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\documents and settings\Chau\Desktop\zenosengine2[1].5\zenosengine2.5\zenos.sys"


[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Chau\LOCALS~1\Temp\GPE1121.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\zenos1]
"ImagePath"="\??\c:\documents and settings\Chau\Desktop\zenosengine2
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Stardock\mcpstub.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Stardock\sdmcp.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Object Desktop\ObjectBar\ObjectBar.exe
c:\program files\Styler\Styler.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-27 16:14:47 - machine was rebooted [Chau]
ComboFix-quarantined-files.txt 2008-11-27 22:13:50
ComboFix2.txt 2007-08-21 15:50:07

Pre-Run: 107,027,357,696 bytes free
Post-Run: 107,777,318,912 bytes free

278 --- E O F --- 2008-11-19 09:03:13



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:17:15 PM, on 11/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
C:\Program Files\Common Files\stardock\TrayServer.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.saigonbao.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Documents and Settings\Chau\My Documents\My Downloads\All\Family Stuff\SmitfraudFix\smitRem\FindeXer Nightly V1.1.0.2\FindeXer.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\stardock\TrayServer.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [RK Launcher] "C:\Program Files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: RKLauncher.lnk = C:\Program Files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab50997.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 9738 bytes



#12 miekiemoes

  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:10:57 PM

Posted 28 November 2008 - 02:16 AM

Hi,

We'll also have to delete some so-called "cheats" you installed previously, since they have a questionable reputation and I'm sure that some are malware as well. Please stay away from gaming cheats in the future, because I'm pretty sure that one or more of them are the cause of your main problem.
Also, I see you're not afraid of visiting crack sites and other illegal sites, because I see a lot of cracks/keygens here as well.
If you visit crack sites and use cracks, you'll ALWAYS get infected. This is not only because of the crack itself, but because one single click entering that site may already download and install a huge malware bundle.
You really have to change your surfing habits, because these malware bundles may contain a keylogger, collecting all your passwords and installing other random malware, compromising your system and infecting other computers. And all this because you visited some illegal sites.
Also, keep in mind that malware DAMAGES A LOT! And the damage can't always be repaired, so a format and reinstall is the only solution in such cases.
So is it really worth it? Get illegal software for "free", but compromise/break your computer instead....
Better to avoid this and change your surfing habits. Then this wouldn't have happened.

Don't forget to change your passwords afterwards, once we are done with this thread, because they are known. Don't change them now, because as long as the malware is still present, it will gather the changed passwords as well.


* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\MzBot.sys
c:\windows\system32\msnsc.exe
Folder::
C:\Documents and Settings\Chau\My Documents\My Downloads\All\Family Stuff\SmitfraudFix
c:\documents and settings\Chau\Desktop\zenosengine2
c:\documents and settings\Chau\Desktop\xpengine
c:\documents and settings\Chau\Desktop\SoRa Remak Engine 2.6
c:\documents and settings\Chau\Desktop\AkumaEngine33
c:\documents and settings\Chau\Desktop\Basic Engine
c:\documents and settings\Chau\Desktop\ce13
c:\documents and settings\Chau\Desktop\ITACHIPWNAGE Hack pack
c:\documents and settings\Chau\My Documents\My Downloads\MS\super
c:\documents and settings\Chau\Desktop\Buffy_Install
c:\documents and settings\Chau\Desktop\Basic Engine
c:\documents and settings\Chau\Desktop\iCheat13-
c:\documents and settings\Chau\Desktop\Sleepy's_v48_Hackpack_v1.2.0
c:\documents and settings\Chau\Desktop\Kaspersky_Engine_2
C:\Documents and Settings\Chau\My Documents\My Downloads\All\Impo\SolveigMM.Video.Splitter.v2.0.803.4+KEYGEN
Driver::
zenos1
cheetah1
basic1
DADriv1
g0wkudr1ver
geebers12
iCheat1
GGK
GarenaPEngine
xp1
IlvMoneyDRIVER53
kaspersky1
MzBot
MzBot.sys
sejt1
SoRa01
XDva215
XDva212
XDva195
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnsc"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000


Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
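An added example, not part of this thread and not code from HijackThis or ComboFix: a small Python triage script that parses lines in the HijackThis v2.0.2 format of the log above, applies the kinds of checks a helper applies by eye (autoruns living under HKEY_USERS for SYSTEM or the Default user, BHOs whose file is gone or that load from a user's profile folder, services with no publisher in their version info), and drafts the File:: and Registry:: sections of a CFScript in the syntax used in the post above. The sample lines are constructed to match entries from the log in this thread; the heuristics, tag names and function names are my own assumptions and flag entries for review, not verdicts that something is malware.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines in the HijackThis v2.0.2 format of the
# log posted in this thread (O2 = browser helper objects, O4 = autoruns,
# O23 = services). Not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Documents and Settings\Chau\My Documents\My Downloads\All\Family Stuff\SmitfraudFix\smitRem\FindeXer Nightly V1.1.0.2\FindeXer.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'Default user')
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


@dataclass
class Entry:
    kind: str    # "O2", "O4" or "O23"
    name: str    # BHO name, autorun value name, or service display name
    target: str  # DLL path, launch command, or service binary
    extra: str   # CLSID, "hive\key" of the autorun, or service owner
    raw: str


O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run(?:Once)?): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*) - (?P<owner>.*?) - (?P<path>[A-Za-z]:\\.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>[A-Za-z]:\\[^"]*?\.exe)', re.I)
USER_PROFILE_RE = re.compile(r"\\documents and settings\\", re.I)
REG_ROOT = {"HKUS": "HKEY_USERS", "HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def parse_hjt(text):
    """Return the O2/O4/O23 lines of a HijackThis log as Entry records."""
    entries = []
    for line in text.strip().splitlines():
        line = line.rstrip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["path"], m["clsid"], line))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], m["cmd"], m["hive"] + "\\" + m["key"], line))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m["name"], m["path"], m["owner"], line))
    return entries


def triage(entries):
    """Heuristic review flags (assumed, not a malware verdict): (tag, entry) pairs."""
    findings = []
    for e in entries:
        if e.kind == "O2" and (e.target == "(no file)" or e.target.endswith("(file missing)")):
            findings.append(("orphaned-bho", e))             # registered, binary gone
        elif e.kind in ("O2", "O4") and USER_PROFILE_RE.search(e.target):
            findings.append(("loads-from-user-profile", e))  # code under a user's profile
        if e.kind == "O4" and e.extra.startswith("HKUS\\"):
            findings.append(("system-hive-autorun", e))      # runs for SYSTEM / Default user
        if e.kind == "O23" and e.extra == "Unknown owner":
            findings.append(("unknown-service-owner", e))    # no publisher in version info
    return findings


def cfscript_for(findings):
    """Draft File:: and Registry:: sections, in the CFScript syntax used in the
    post above, for the system-hive autoruns. A draft for a helper to read,
    not something to feed to ComboFix unread."""
    files, regs = [], []
    for tag, e in findings:
        if tag != "system-hive-autorun":
            continue
        hive, key = e.extra.rsplit("\\", 1)       # "HKUS\S-1-5-18", "Run"
        root, _, sub = hive.partition("\\")       # "HKUS", "S-1-5-18"
        path = [REG_ROOT[root]] + ([sub] if sub else [])
        path += ["Software", "Microsoft", "Windows", "CurrentVersion", key]
        regs.append("[" + "\\".join(path) + "]\n\"" + e.name + "\"=-")  # "name"=- deletes the value
        if (m := EXE_RE.match(e.target)) and m["exe"] not in files:
            files.append(m["exe"])
    sections = []
    if files:
        sections.append("File::\n" + "\n".join(files))
    if regs:
        sections.append("Registry::\n" + "\n".join(regs))
    return "\n".join(sections)


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_LOG))
    for tag, e in found:
        print(f"{tag:24} {e.raw}")
    print(cfscript_for(found))
```

Run it against a complete saved log with `parse_hjt(open(path).read())` and read every flag before anything goes near ComboFix: the draft only covers the HKEY_USERS autoruns, and the Folder:: and Driver:: sections in the post above came from a helper reading the whole thread, which no pattern match replaces.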

#13 huMAC

  • Topic Starter
  • Members
  • 153 posts
  • Location:Barling, AR
  • Local time:03:57 PM

Posted 28 November 2008 - 10:49 AM

Wow, I didn't know using hacks for gaming messes up my computer... but I haven't used hacks in like a year, so why is this problem occurring now? I thought I was getting these popups because my little brother was looking at inappropriate sites.

But thanks for the advice.


ComboFix 08-11-27.03 - Chau 2008-11-28 9:27:35.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.605 [GMT -6:00]
Running from: c:\documents and settings\Chau\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chau\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\msnsc.exe
c:\windows\system32\MzBot.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chau\My Documents\My Downloads\All\Family Stuff\SmitfraudFix
c:\documents and settings\Chau\My Documents\My Downloads\All\Family Stuff\SmitfraudFix\ATF-Cleaner.exe
c:\documents and settings\Chau\My Documents\My Downloads\All\Family Stuff\SmitfraudFix\smitRem\FindeXer Nightly V1.1.0.2\FindeXer.dll
c:\documents and settings\Chau\My Documents\My Downloads\All\Family Stuff\SmitfraudFix\smitRem\FindeXer Nightly V1.1.0.2\ReadMe.txt
c:\documents and settings\Chau\My Documents\My Downloads\All\Family Stuff\SmitfraudFix\smitRem\FindeXer Nightly V1.1.0.2\Register.bat
c:\documents and settings\Chau\My Documents\My Downloads\All\Family Stuff\SmitfraudFix\smitRem\FindeXer Nightly V1.1.0.2\Unregister.bat
c:\documents and settings\Chau\My Documents\My Downloads\All\Impo\SolveigMM.Video.Splitter.v2.0.803.4+KEYGEN
c:\documents and settings\Chau\My Documents\My Downloads\All\Impo\SolveigMM.Video.Splitter.v2.0.803.4+KEYGEN\SolveigMM.Video.Splitter.v2.0.803.4_KEYGEN-FFF.zip
c:\documents and settings\Chau\My Documents\My Downloads\All\Impo\SolveigMM.Video.Splitter.v2.0.803.4+KEYGEN\SolveigMM.Video.Splitter.v2.0.803.4_KEYGEN-FFF\Keygen.exe
c:\windows\system32\msnsc.exe
c:\windows\system32\MzBot.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BASIC1
-------\Legacy_CHEETAH1
-------\Legacy_DADRIV1
-------\Legacy_G0WKUDR1VER
-------\Legacy_GARENAPENGINE
-------\Legacy_GEEBERS12
-------\Legacy_GGK
-------\Legacy_ICHEAT1
-------\Legacy_ILVMONEYDRIVER53
-------\Legacy_KASPERSKY1
-------\Legacy_MZBOT
-------\Legacy_MZBOT.SYS
-------\Legacy_SEJT1
-------\Legacy_SORA01
-------\Legacy_XDVA195
-------\Legacy_XDVA212
-------\Legacy_XDVA215
-------\Legacy_XP1
-------\Legacy_ZENOS1
-------\Service_basic1
-------\Service_cheetah1
-------\Service_DADriv1
-------\Service_g0wkudr1ver
-------\Service_GarenaPEngine
-------\Service_geebers12
-------\Service_GGK
-------\Service_iCheat1
-------\Service_IlvMoneyDRIVER53
-------\Service_kaspersky1
-------\Service_MzBot
-------\Service_MzBot.sys
-------\Service_sejt1
-------\Service_SoRa01
-------\Service_XDva195
-------\Service_XDva212
-------\Service_XDva215
-------\Service_xp1
-------\Service_zenos1


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.

2008-11-27 08:53 . 2008-11-27 08:53 <DIR> d-------- c:\program files\Avira
2008-11-27 08:53 . 2008-11-27 08:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-11-22 20:19 . 2008-11-22 20:19 <DIR> d-------- c:\program files\AviSynth 2.5
2008-11-22 20:19 . 2004-02-22 10:11 719,872 --a------ c:\windows\system32\devil.dll
2008-11-22 20:19 . 2006-10-07 17:43 502,784 --a------ c:\windows\x2.64.exe
2008-11-22 20:19 . 2007-05-17 17:30 318,976 --a------ c:\windows\system32\avisynth.dll
2008-11-22 20:19 . 2005-02-28 13:16 240,128 --a------ c:\windows\system32\x.264.exe
2008-11-22 20:19 . 2006-04-12 09:47 217,073 --a------ c:\windows\meta4.exe
2008-11-22 20:19 . 2004-01-25 00:00 70,656 --a------ c:\windows\system32\yv12vfw.dll
2008-11-22 20:19 . 2004-01-25 00:00 70,656 --a------ c:\windows\system32\i420vfw.dll
2008-11-22 20:19 . 2006-04-05 08:09 66,560 --a------ c:\windows\MOTA113.exe
2008-11-22 20:19 . 2005-07-14 12:31 27,648 --a------ c:\windows\system32\AVSredirect.dll
2008-11-22 20:18 . 2005-02-12 16:00 186,880 -r-hs---- c:\windows\system32\RLOgg.ax
2008-11-22 20:18 . 2005-01-17 16:26 179,200 -r-hs---- c:\windows\system32\DiracSplitter.ax
2008-11-22 20:18 . 2006-08-16 07:53 175,104 -r-hs---- c:\windows\system32\CoreAAC.ax
2008-11-22 20:18 . 2005-02-05 16:00 92,672 -r-hs---- c:\windows\system32\RLVorbisDec.ax
2008-11-22 20:18 . 2005-02-22 09:55 81,920 -r-hs---- c:\windows\system32\aac_parser.ax
2008-11-22 20:18 . 2005-02-12 16:00 67,584 -r-hs---- c:\windows\system32\RLTheoraDec.ax
2008-11-22 20:18 . 2005-02-12 16:00 51,712 -r-hs---- c:\windows\system32\RLSpeexDec.ax
2008-11-20 14:44 . 2008-11-20 14:44 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-11-18 22:56 . 2008-11-18 22:56 <DIR> d-------- c:\program files\alaplaya
2008-11-17 20:20 . 2008-11-17 20:20 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-17 20:20 . 2008-11-25 09:44 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-11-17 20:20 . 2008-11-25 09:44 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-11-17 20:18 . 2008-11-17 20:19 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-11-15 11:31 . 2008-11-15 11:31 <DIR> d-------- c:\windows\Diner Dash Flo Through Time
2008-11-15 11:31 . 2008-11-15 11:31 <DIR> d-------- c:\documents and settings\Chau\Application Data\PlayFirst
2008-11-15 11:31 . 2008-11-15 11:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\PlayFirst
2008-11-13 20:02 . 2005-09-25 20:11 2,494,464 --a------ c:\program files\advrcntr2.dll
2008-11-13 19:58 . 2008-11-13 19:58 <DIR> d-------- c:\program files\avisplit
2008-11-12 20:09 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\DllCache\mrxsmb.sys
2008-11-12 20:08 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\DllCache\msxml3.dll
2008-11-03 17:44 . 2008-11-25 09:58 <DIR> d-------- c:\program files\Winamp Remote
2008-11-03 17:44 . 2008-11-03 17:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\OrbNetworks
2008-10-28 16:36 . 2008-10-28 16:36 823,296 --a------ c:\windows\system32\divx_xx0c.dll
2008-10-28 16:36 . 2008-10-28 16:36 823,296 --a------ c:\windows\system32\divx_xx07.dll
2008-10-28 16:35 . 2008-10-28 16:35 815,104 --a------ c:\windows\system32\divx_xx0a.dll
2008-10-28 16:35 . 2008-10-28 16:35 802,816 --a------ c:\windows\system32\divx_xx11.dll
2008-10-28 16:35 . 2008-10-28 16:35 729,088 --a------ c:\windows\system32\divxdec.ax
2008-10-28 16:35 . 2008-10-28 16:35 684,032 --a------ c:\windows\system32\DivX.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 06:07 --------- d-----w c:\program files\Warcraft III
2008-11-28 00:17 --------- d-----w c:\documents and settings\Chau\Application Data\Xfire
2008-11-27 14:45 --------- d-----w c:\program files\Xfire
2008-11-27 00:52 --------- d-----w c:\documents and settings\Chau\Application Data\foobar2000
2008-11-26 05:20 --------- d-----w c:\documents and settings\Chau\Application Data\Vso
2008-11-25 14:51 --------- d-----w c:\program files\SUPERAntiSpyware
2008-11-22 00:45 --------- d-----w c:\documents and settings\Chau\Application Data\uTorrent
2008-11-19 04:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-19 04:46 --------- d-----w c:\program files\Full Tilt Poker
2008-11-19 03:04 --------- d-----w c:\program files\Miranda IM
2008-11-19 02:53 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-18 02:30 --------- d-----w c:\program files\DivX
2008-11-17 23:46 --------- d-----w c:\program files\Solveig Multimedia
2008-11-17 23:46 --------- d-----w c:\program files\Common Files\Solveig Multimedia
2008-11-14 04:37 --------- d-----w c:\program files\Common Files\Ahead
2008-11-13 16:07 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-13 09:03 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-03 23:45 --------- d-----w c:\program files\Winamp
2008-10-29 19:55 --------- d-----w c:\program files\PokerStars
2008-10-29 18:30 --------- d-----w c:\program files\OGPlanet
2008-10-24 21:52 --------- d-----w c:\documents and settings\Chau\Application Data\Apple Computer
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 20:07 --------- d-----w c:\documents and settings\Chau\Application Data\Nexon
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-11 18:50 --------- d-----w c:\documents and settings\Chau\Application Data\EleFun Games
2008-10-09 15:22 --------- d-----w c:\program files\Crimson Editor
2008-10-09 12:47 --------- d-----w c:\program files\TriglowPictures
2008-10-03 04:34 --------- d-----w c:\program files\iTunes
2008-10-03 04:34 --------- d-----w c:\program files\iPod
2008-10-03 04:33 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-02 23:21 --------- d-----w c:\program files\microsoft frontpage
2008-10-02 22:52 --------- d-----w c:\program files\Premium Booster
2008-10-02 22:48 --------- d-----w c:\program files\IrfanView
2008-10-02 22:48 --------- d-----w c:\program files\Image Mender
2008-10-01 18:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-28 14:38 --------- d-----w c:\program files\PD Particles
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:57 129,784 ------w c:\windows\system32\pxafs.dll
2008-09-19 21:57 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-09-19 21:57 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-06 03:16 1,900,544 ----a-w c:\windows\system32\usbaaplrc.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-29 15:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 14:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-01-15 03:49 47,360 ----a-w c:\documents and settings\Chau\Application Data\pcouffin.sys
2008-01-08 22:54 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-11-25 15:49 815 ----a-w c:\program files\Launch Internet Explorer Browser.lnk
2008-08-17 04:45 32,768 --sha-w c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
2007-05-31 00:48 177,440 --sha-w c:\windows\system32\drivers\fidbox.dat
2007-05-31 00:48 4,128 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1A:Stardock TrayMonitor"="c:\program files\Common Files\stardock\TrayServer.exe" [2003-02-14 81920]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-15 335872]
"EPSON Stylus Photo R300 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"RK Launcher"="c:\program files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe" [2007-03-16 708608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-12 44544]

c:\documents and settings\Chau\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-02-09 1716224]
Styler.lnk - c:\documents and settings\Chau\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2008-01-30 15086]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RKLauncher.lnk - c:\program files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe [2007-03-16 708608]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-09-26 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-09-26 07:25 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2003-08-25 11:25 139264 c:\program files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"msacm.imc"= imc32.acm
"msacm.l3codecp"= l3codecp.acm
"VIDC.i263"= i263_32.drv
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\ff_vfw.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=

S3 ASPI;Advanced SCSI Programming Interface Driver;\??\c:\windows\System32\DRIVERS\ASPI32.sys [2008-04-15 16512]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-06-28 42512]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9bb9b70-79bb-11dd-8828-001a70a7081a}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 09:35:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Stardock\mcpstub.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Stardock\sdmcp.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WgaTray.exe
c:\program files\Object Desktop\ObjectBar\ObjectBar.exe
c:\program files\Styler\Styler.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-11-28 9:44:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-28 15:43:52
ComboFix2.txt 2008-11-27 22:14:48
ComboFix3.txt 2007-08-21 15:50:07

Pre-Run: 107,833,958,400 bytes free
Post-Run: 107,874,762,752 bytes free

295 --- E O F --- 2008-11-19 09:03:13



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:09 AM, on 11/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
C:\Program Files\Common Files\stardock\TrayServer.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.saigonbao.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Documents and Settings\Chau\My Documents\My Downloads\All\Family Stuff\SmitfraudFix\smitRem\FindeXer Nightly V1.1.0.2\FindeXer.dll (file missing)
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\stardock\TrayServer.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [RK Launcher] "C:\Program Files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: RKLauncher.lnk = C:\Program Files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab50997.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 9606 bytes



#14 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:10:57 PM

Posted 28 November 2008 - 02:24 PM

Hi,

Much better - almost done.

Just some leftovers here...

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Documents and Settings\Chau\My Documents\My Downloads\All\Family Stuff\SmitfraudFix\smitRem\FindeXer Nightly V1.1.0.2\FindeXer.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 10.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 10".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
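The two O2 entries listed above share one trait: their target is "(no file)" or ends in "(file missing)", i.e. the registry still references a BHO whose DLL is gone. The following parser is an added example (not part of this thread or of HijackThis itself) that reads log lines in the "name - {CLSID} - target" layout used by O2/O3/O9 entries and flags such orphaned entries for review; the sample lines are copied from the log posted earlier in this thread.

```python
import re

# Constructed sample: O2/O3 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Documents and Settings\Chau\My Documents\My Downloads\All\Family Stuff\SmitfraudFix\smitRem\FindeXer Nightly V1.1.0.2\FindeXer.dll (file missing)
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
"""

# Matches "Oxx - <kind>: <name> - {CLSID} - <target>" (O2 BHO, O3 Toolbar, O9 buttons).
ENTRY_RE = re.compile(
    r"^(?P<section>O[0-9]+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
MISSING_SUFFIX = " (file missing)"


def parse_entries(log_text):
    """Return one dict per CLSID-style entry; 'orphan' marks a missing target."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # O4, O16, O23 etc. use other layouts and are skipped here
        target = m.group("target")
        if target == "(no file)":
            path, orphan = None, True          # registry key with no DLL at all
        elif target.endswith(MISSING_SUFFIX):
            path, orphan = target[:-len(MISSING_SUFFIX)], True  # DLL deleted
        else:
            path, orphan = target, False
        entries.append({
            "section": m.group("section"), "kind": m.group("kind"),
            "name": m.group("name"), "clsid": m.group("clsid"),
            "path": path, "orphan": orphan,
        })
    return entries


def orphan_clsids(log_text):
    """CLSIDs of entries whose DLL is gone: candidates to review and remove."""
    return [e["clsid"] for e in parse_entries(log_text) if e["orphan"]]


if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        flag = "ORPHAN" if e["orphan"] else "ok"
        print(f"{e['section']} {flag:6} {e['clsid']} {e['name']} -> {e['path']}")
```

Both entries the reply asks to fix are reported as ORPHAN; the AVG entry is flagged for the same reason and deserves the same look.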

#15 huMAC

  • Topic Starter

  • Members
  • 153 posts
  • OFFLINE
  • Location:Barling, AR
  • Local time:03:57 PM

Posted 29 November 2008 - 09:50 AM

It's running smoothly so far.

I have a question. At startup, my computer currently shows two options; how do you get rid of one so it boots up automatically?



