
hijackthis log


  • This topic is locked
21 replies to this topic

#1 sko

Posted 17 December 2008 - 09:01 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:32 PM, on 12/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\program files\relevantknowledge\rlvknlg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RelevantKnowledge] c:\program files\relevantknowledge\rlvknlg.exe -boot
O4 - HKLM\..\RunOnce: [SpybotDeletingA7620] command /c del "C:\Documents and Settings\Josh's Super Box\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6224] cmd /c del "C:\Documents and Settings\Josh's Super Box\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB9405] command /c del "C:\Documents and Settings\Josh's Super Box\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6955] cmd /c del "C:\Documents and Settings\Josh's Super Box\Application Data\ShoppingReport\cs\dwld\WhiteList.xip"
O4 - HKUS\S-1-5-19\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - AppInit_DLLs: c:\program files\relevantknowledge\rlai.dll
O20 - Winlogon Notify: RelevantKnowledge - C:\Program Files\RelevantKnowledge\rlls.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6289 bytes
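A triage helper for the HijackThis log format shown above, added here as an example (it is not code from HijackThis, BleepingComputer, or either participant in this thread). It parses the O2/O3/O9, O4, O20 and O23 lines into records, flags the load points a log reviewer checks first (orphaned COM objects, AppInit_DLLs and Winlogon Notify hooks, services without a vendor), and groups load points by directory so a product that hooks in at several places shows up as one cluster. The sample lines are copied from the log above; the section descriptions in the comments are general HijackThis conventions.

```python
"""Triage helper for Trend Micro HijackThis v2 log lines (added example; not
code from HijackThis or from this thread). It parses the O2/O3/O9 (COM
objects), O4 (Run keys, Startup folder), O20 (AppInit_DLLs / Winlogon Notify)
and O23 (services) lines into records and flags the load points a reviewer
checks first. The sample lines are copied from the first log in the thread."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Entry:
    section: str  # HJT section: O2, O4, O20, O23, ...
    name: str     # display name, Run value name, or service name
    path: str     # file or command line; "(no file)" when HJT found none
    detail: str   # CLSID, registry hive, hook type, or service vendor


# "O2 - BHO: name - {CLSID} - path"; O3 (toolbars) and O9 (IE buttons) share the shape
COM_RE = re.compile(r"^(O[239]) - [^:]+: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# "O4 - HKLM\..\Run: [ValueName] command line"
RUN_RE = re.compile(r"^O4 - (.+?): \[(.*?)\] (.*)$")
# "O4 - Global Startup: shortcut.lnk = target"
STARTUP_RE = re.compile(r"^O4 - Global Startup: (.+?) = (.*)$")
# "O20 - AppInit_DLLs: path"  or  "O20 - Winlogon Notify: name - path"
O20_RE = re.compile(r"^O20 - (AppInit_DLLs|Winlogon Notify): (.*)$")
# "O23 - Service: display name - vendor - X:\path"; vendor may be empty ("name - - C:\...")
SVC_RE = re.compile(r"^O23 - Service: (.+?) - (.*?) ?- ([A-Za-z]:\\.*)$")
# executable inside a command line: optional quote, optional rundll32 prefix, up to the extension
EXE_RE = re.compile(r'^"?(?:rundll32\s+)?(.*?\.(?:exe|dll|sys|cpl|scr|lnk))\b', re.IGNORECASE)


def parse(lines):
    """Turn HJT log lines into Entry records; lines of other sections are skipped."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if m := COM_RE.match(line):
            entries.append(Entry(m[1], m[2], m[4], m[3]))
        elif m := RUN_RE.match(line):
            entries.append(Entry("O4", m[2], m[3], m[1]))
        elif m := STARTUP_RE.match(line):
            entries.append(Entry("O4", m[1], m[2], "Global Startup"))
        elif m := O20_RE.match(line):
            kind, rest = m[1], m[2]
            name, _, path = rest.rpartition(" - ")  # AppInit_DLLs lines carry only a path
            entries.append(Entry("O20", name or kind, path, kind))
        elif m := SVC_RE.match(line):
            entries.append(Entry("O23", m[1], m[3], m[2]))
    return entries


def triage(entries):
    """Return (entry, reason) pairs for load points that merit a closer look."""
    findings = []
    for e in entries:
        if e.section in ("O2", "O3", "O9") and e.path == "(no file)":
            findings.append((e, "COM object still registered but its file is missing"))
        elif e.section == "O20":
            # AppInit_DLLs are loaded into every process that maps user32.dll;
            # Winlogon Notify DLLs run inside winlogon.exe as SYSTEM.
            findings.append((e, f"{e.detail} hook: DLL injected into other processes"))
        elif e.section == "O23" and e.detail in ("", "Unknown owner"):
            findings.append((e, "service binary carries no vendor information"))
    return findings


def file_of(entry):
    """Best-effort executable path from a command line (quotes and switches dropped)."""
    m = EXE_RE.match(entry.path.strip())
    return m[1] if m else entry.path


def by_directory(entries):
    """Group load points by the directory of their binary, so one product that hooks
    itself in at several places (Run key + AppInit_DLLs + Winlogon Notify) clusters."""
    groups = defaultdict(list)
    for e in entries:
        path = file_of(e)
        if "\\" in path:  # skip bare names such as RTHDCPL.EXE and "(no file)"
            groups[ntpath.dirname(path).lower()].append(e)
    return dict(groups)


# Constructed input: lines copied from the 17 December 2008 HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RelevantKnowledge] c:\program files\relevantknowledge\rlvknlg.exe -boot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O20 - AppInit_DLLs: c:\program files\relevantknowledge\rlai.dll
O20 - Winlogon Notify: RelevantKnowledge - C:\Program Files\RelevantKnowledge\rlls.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
"""

if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG.splitlines())
    for entry, reason in triage(parsed):
        print(f"[{entry.section}] {entry.name}: {reason}\n    {entry.path}")
    for directory, group in by_directory(parsed).items():
        if len(group) > 1:
            print(f"{len(group)} load points under {directory}")
```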


#2 PropagandaPanda
  • Malware Response Team

Posted 24 December 2008 - 09:46 PM

Hello.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable AVG:
  • Please navigate to the system tray on the bottom right hand corner and look for this [image] sign.
  • Right click it -> select Quit Control Center.
  • A warning will pop up; click Yes.
(AVG7 may be slightly different)

To disable SpyBot's TeaTimer:
You can find instructions with visuals here.
  • Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
  • On the left hand side, click on Tools.
  • Click on the Resident icon in the list.
  • Uncheck Resident TeaTimer and OK any prompts.
  • Download ResetTeaTimer.bat and run it to remove entries set by TeaTimer. If you are not using Internet Explorer, you may not be prompted to download the file when you click it. In that case, right click it and select "Save Target/Link as" and save the file onto your desktop.
    The file should take only a second to finish. Delete this file after use.
Restart your computer for the changes to take effect.

Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    [image]

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    [image]
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 sko

Posted 29 December 2008 - 10:38 AM

Sorry for the delay, my router was messed up, so I had no internet access. The only changes I've made are uninstalling all my antivirus programs.

Combofix Log
ComboFix 08-12-28.03 - Josh's Super Box 2008-12-29 9:27:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1617 [GMT -6:00]
Running from: c:\documents and settings\Josh's Super Box\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-28 12:16 . 2008-12-28 12:16 <DIR> d---s---- c:\documents and settings\Guest\UserData
2008-12-24 00:08 . 2008-12-24 00:08 <DIR> d-------- c:\program files\Propellerhead
2008-12-18 01:56 . 2008-12-18 01:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2008-12-18 00:49 . 2008-12-18 00:49 <DIR> d-------- c:\documents and settings\Josh's Super Box\Application Data\Malwarebytes
2008-12-18 00:48 . 2008-12-18 00:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-18 00:42 . 2003-03-18 14:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2008-12-17 23:28 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-17 23:05 . 2008-12-17 23:14 <DIR> d-------- c:\program files\CCleaner
2008-12-17 21:25 . 2008-12-22 14:10 <DIR> d-------- c:\documents and settings\Josh's Super Box\Application Data\Any Video Converter
2008-12-17 19:57 . 2008-12-17 20:00 <DIR> d-------- C:\HJT
2008-12-17 19:56 . 2008-12-17 19:56 153 --a------ c:\windows\wininit.ini
2008-12-17 02:53 . 2008-12-17 03:39 <DIR> d-------- c:\documents and settings\Josh's Super Box\Application Data\Media Player Classic
2008-12-17 02:28 . 2008-12-17 02:28 <DIR> d-------- c:\program files\Common Files\LightScribe
2008-12-17 02:28 . 2008-12-17 02:30 <DIR> d-------- c:\documents and settings\Josh's Super Box\Application Data\Ahead
2008-12-17 02:26 . 2008-12-17 02:39 <DIR> d-------- c:\program files\Common Files\Ahead
2008-12-17 02:19 . 2008-12-17 02:19 67 --a------ c:\windows\DVDRegionFree.INI
2008-12-16 11:06 . 2008-12-16 11:11 <DIR> d-------- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 15:31 --------- d-----w c:\program files\lx_cats
2008-12-29 15:31 --------- d-----w c:\program files\DNA
2008-12-29 15:31 --------- d-----w c:\documents and settings\Josh's Super Box\Application Data\DNA
2008-12-29 15:18 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-22 20:11 --------- d-----w c:\program files\Yahoo!
2008-12-17 08:38 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-12-17 07:51 --------- d-----w c:\program files\DivX
2008-11-21 21:47 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-21 21:44 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-12-19 09:33 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 09:33 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 09:33 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 09:33 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 09:33 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-18 342848]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-06 50528]
"SetDefaultMIDI"="MIDIDef.exe" [2005-05-24 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-18 c:\windows\RTHDCPL.EXE]
"CTHelper"="CTHELPER.EXE" [2005-05-24 c:\windows\CTHELPER.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2000-02-07 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-03-06 14:50 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-12-18 21:38 342848 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2007-06-25 08:34 82608 c:\program files\Lexmark 3400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
--a------ 2007-06-25 08:35 295600 c:\program files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcymon.exe]
--a------ 2007-06-25 08:34 291504 c:\program files\Lexmark 3400 Series\lxcymon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 00:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-ra------ 2006-05-16 04:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-17 28544]
R2 dvdmmg;dvdmmg;\??\c:\windows\system32\drivers\dvdmmg.sys [2007-09-06 5504]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-03-05 24652]
S0 ncsmdcnk;ncsmdcnk;c:\windows\system32\drivers\hnyblufr.sys []
S1 ztx86;ztx86;\??\c:\windows\system32\ztx86.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02e9be77-b6fe-11dc-9ec3-001a927848de}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c82534a4-6717-11dc-9e77-001a927848de}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Error Nuker - c:\program files\Error Nuker\bin\ErrorNuker.exe
HKLM-Run-avgnt - c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
HKU-Default-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
MSConfigStartUp-MSDisp32 - c:\windows\system32\drvtow.dll
MSConfigStartUp-MSDrive - c:\windows\system32\drvlox.dll
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Josh's Super Box\Application Data\Mozilla\Firefox\Profiles\y8xgvf0z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\Josh's Super Box\Application Data\Mozilla\Firefox\Profiles\y8xgvf0z.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\Josh's Super Box\Application Data\Mozilla\Firefox\Profiles\y8xgvf0z.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 09:31:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lxcycoms.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2008-12-29 9:32:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-29 15:32:21

Pre-Run: 65,958,875,136 bytes free
Post-Run: 66,174,046,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn


Hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:15 AM, on 12/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\DNA\btdna.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4862 bytes

Edited by sko, 29 December 2008 - 10:40 AM.


#4 PropagandaPanda
  • Malware Response Team

Posted 30 December 2008 - 07:09 AM

Hello.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    Rootkit::
    c:\windows\system32\drivers\hnyblufr.sys
    c:\windows\system32\ztx86.sys
    
    Driver::
    ncsmdcnk
    ztx86
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [image]
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode. However, do not use the MsConfig method to edit the Boot.ini.
Important! Please do not select the Show all checkbox during the scan.

Please describe what symptoms you have now.

With Regards,
The Panda

#5 sko

Posted 30 December 2008 - 12:13 PM

The main thing I noticed was when I'd send files to my friends or try to receive them it would take a really long time. Like 10 minutes for 5mb when it used to take seconds. The other thing is every now and then weird noises will play when I'm in a random program or browsing the net. GMER didn't produce anything; it said there had been no changes to the system or something close to that.

ComboFix Log


ComboFix 08-12-29.02 - Josh's Super Box 2008-12-30 10:49:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1602 [GMT -6:00]
Running from: c:\documents and settings\Josh's Super Box\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Josh's Super Box\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NCSMDCNK
-------\Service_ncsmdcnk
-------\Service_ztx86


((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-29 11:48 . 2008-12-29 11:48 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-29 11:48 . 2008-12-29 11:48 1,409 --a------ c:\windows\QTFont.for
2008-12-28 12:16 . 2008-12-28 12:16 <DIR> d---s---- c:\documents and settings\Guest\UserData
2008-12-24 00:08 . 2008-12-24 00:08 <DIR> d-------- c:\program files\Propellerhead
2008-12-18 01:56 . 2008-12-18 01:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2008-12-18 00:49 . 2008-12-18 00:49 <DIR> d-------- c:\documents and settings\Josh's Super Box\Application Data\Malwarebytes
2008-12-18 00:48 . 2008-12-18 00:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-18 00:42 . 2003-03-18 14:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2008-12-17 23:28 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-17 23:05 . 2008-12-17 23:14 <DIR> d-------- c:\program files\CCleaner
2008-12-17 21:25 . 2008-12-22 14:10 <DIR> d-------- c:\documents and settings\Josh's Super Box\Application Data\Any Video Converter
2008-12-17 19:57 . 2008-12-29 09:39 <DIR> d-------- C:\HJT
2008-12-17 19:56 . 2008-12-17 19:56 153 --a------ c:\windows\wininit.ini
2008-12-17 02:53 . 2008-12-17 03:39 <DIR> d-------- c:\documents and settings\Josh's Super Box\Application Data\Media Player Classic
2008-12-17 02:28 . 2008-12-17 02:28 <DIR> d-------- c:\program files\Common Files\LightScribe
2008-12-17 02:28 . 2008-12-17 02:30 <DIR> d-------- c:\documents and settings\Josh's Super Box\Application Data\Ahead
2008-12-17 02:26 . 2008-12-17 02:39 <DIR> d-------- c:\program files\Common Files\Ahead
2008-12-17 02:19 . 2008-12-17 02:19 67 --a------ c:\windows\DVDRegionFree.INI
2008-12-16 11:06 . 2008-12-16 11:11 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-21 15:47 . 2008-11-21 15:47 3,596,288 --a------ c:\windows\system32\qt-dx331.dll
2008-11-21 15:47 . 2008-11-21 15:47 524,288 --a------ c:\windows\system32\DivXsm.exe
2008-11-21 15:47 . 2008-11-21 15:47 4,816 --a------ c:\windows\system32\divxsm.tlb
2008-11-21 15:46 . 2008-11-21 15:46 1,044,480 --a------ c:\windows\system32\libdivx.dll
2008-11-21 15:46 . 2008-11-21 15:46 200,704 --a------ c:\windows\system32\ssldivx.dll
2008-11-21 15:44 . 2008-11-21 15:44 161,096 --a------ c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 15:44 . 2008-11-21 15:44 12,288 --a------ c:\windows\system32\DivXWMPExtType.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 16:51 --------- d-----w c:\program files\lx_cats
2008-12-30 16:51 --------- d-----w c:\program files\DNA
2008-12-30 16:51 --------- d-----w c:\documents and settings\Josh's Super Box\Application Data\DNA
2008-12-29 16:31 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-22 20:11 --------- d-----w c:\program files\Yahoo!
2008-12-17 08:38 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-12-17 07:51 --------- d-----w c:\program files\DivX
2008-12-19 09:33 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 09:33 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 09:33 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 09:33 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 09:33 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-18 342848]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-06 50528]
"SetDefaultMIDI"="MIDIDef.exe" [2005-05-24 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-18 c:\windows\RTHDCPL.EXE]
"CTHelper"="CTHELPER.EXE" [2005-05-24 c:\windows\CTHELPER.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2000-02-07 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-03-06 14:50 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-12-18 21:38 342848 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2007-06-25 08:34 82608 c:\program files\Lexmark 3400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
--a------ 2007-06-25 08:35 295600 c:\program files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcymon.exe]
--a------ 2007-06-25 08:34 291504 c:\program files\Lexmark 3400 Series\lxcymon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 00:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-ra------ 2006-05-16 04:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-17 28544]
R2 dvdmmg;dvdmmg;\??\c:\windows\system32\drivers\dvdmmg.sys [2007-09-06 5504]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-03-05 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02e9be77-b6fe-11dc-9ec3-001a927848de}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c82534a4-6717-11dc-9e77-001a927848de}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Josh's Super Box\Application Data\Mozilla\Firefox\Profiles\y8xgvf0z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\Josh's Super Box\Application Data\Mozilla\Firefox\Profiles\y8xgvf0z.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\Josh's Super Box\Application Data\Mozilla\Firefox\Profiles\y8xgvf0z.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 10:51:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lxcycoms.exe
c:\windows\system32\wdfmgr.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-30 10:52:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-30 16:52:24
ComboFix2.txt 2008-12-29 15:32:23

Pre-Run: 66,460,606,464 bytes free
Post-Run: 66,415,185,920 bytes free


#6 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:21 AM

Posted 31 December 2008 - 02:49 PM

Sorry for the delay.

Infections are gone.

Viewpoint Program
Viewpoint Manager and Viewpoint Media Player are considered foistware rather than malware, since they are installed without the user's approval but do not have malicious effects. This has changed from what we knew in 2006; read this article.

I suggest you remove the program(s) through Add and Remove Programs.

F-Secure Online Scan
Let's check with an online scan.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please also include a new HijackThis log.

With Regards,
The Panda

#7 sko
  • Topic Starter
  • Members
  • 29 posts
  • Local time:11:21 PM

Posted 31 December 2008 - 05:01 PM

Scanning Report
Wednesday, December 31, 2008 15:42:14 - 15:59:44

Computer name: JOSH
Scanning type: Scan system for malware, rootkits
Target: C:\ E:\ F:\
Result: 2 malware found
TrackingCookie.Atwola (spyware)

* System

TrackingCookie.Revsci (spyware)

* System

Statistics
Scanned:

* Files: 25889
* System: 2921
* Not scanned: 6

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 2
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

* F-Secure USS: 2.40.0
* F-Secure Blacklight: 0.0.0
* F-Secure Hydra: 2.8.8110, 2008-12-31
* F-Secure Pegasus: 1.20.0, 2008-11-17
* F-Secure AVP: 7.0.171, 2008-12-31

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:13 PM, on 12/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\JOSH'S~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\JOSH'S~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe

--
End of file - 5060 bytes

#8 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:21 AM

Posted 31 December 2008 - 06:59 PM

Hello.

As far as malware goes, you are good to go.

Fix HijackThis Entries
  • Double click the HijackThis icon on your desktop.
  • Close all other open windows.
  • Select Do a System Scan Only.
  • Wait a few moments for the list to be compiled.
  • To the left of each entry you will see a check box. Check the box next to the following entries:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    If you no longer see some of the entries, skip them.
  • Close all open windows except HijackThis.
  • Click Fix checked and OK at the prompt.
  • The screen will clear itself.
  • Close out of HijackThis.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the Run box and click OK. Notice the space between the "x" and "/".
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Reset clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear the System Restore cache and create a new restore point.
Preventing Malware Infection in the Future
Please also have a look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

I can't be of much help with network slowness. Might want to try the Networking forum.

With Regards,
The Panda

#9 sko
  • Topic Starter
  • Members
  • 29 posts
  • Local time:11:21 PM

Posted 02 January 2009 - 05:50 PM

Thanks for your help, it is much appreciated.

#10 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:21 AM

Posted 02 January 2009 - 05:59 PM

No problem.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda

#11 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:21 AM

Posted 05 January 2009 - 03:30 PM

Hello.

Topic reopened.

Let's hope you didn't get reinfected.

Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Change the Rootkit Scan option from "No" to Yes.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.

With Regards,
The Panda

#12 sko
  • Topic Starter
  • Members
  • 29 posts
  • Local time:11:21 PM

Posted 05 January 2009 - 04:11 PM

Here is the OTScanIt scan.

Attached Files


Edited by sko, 05 January 2009 - 04:20 PM.


#13 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:21 AM

Posted 05 January 2009 - 04:35 PM

Hello sko.

Looks like a new wave of Vundo.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Disable Avast!'s realtime protection by right clicking on the tray icon beside your clock and selecting Stop On-Access Protection.


Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Run Fix with OTScanIt
We will run OTScanIt with directives. If you have lost your copy of OTScanIt, download it here and extract it like you did last time.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Paste fix here" box.
    [Kill Explorer]
    [Registry - Safe List]
    < BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YY -> {292c76ef-f0bb-42b6-b933-e9cdb0956482} [HKLM] -> %SystemRoot%\system32\rrqmik.dll [Reg Error: Value  does not exist or could not be read.]
    YY -> {7A490482-1CDF-4D77-8675-05127FC3DD81} [HKLM] -> %SystemRoot%\system32\fccaBUNF.dll [Reg Error: Value  does not exist or could not be read.]
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    *AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
    YY -> rrqmik.dll -> %SystemRoot%\system32\rrqmik.dll
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    < SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
    *SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
    YN ->  digeste.dll -> 
    < SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
    < LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    *LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    YY -> C:\WINDOWS\system32\fccaBUNF -> %SystemRoot%\system32\fccaBUNF.dll
    < LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    [Files/Folders - Created Within 30 Days]
    NY -> FNUBaccf.ini2 -> %SystemRoot%\System32\FNUBaccf.ini2
    NY -> rrqmik.dll -> %SystemRoot%\System32\rrqmik.dll
    NY -> kmpuwnvu.dll -> %SystemRoot%\System32\kmpuwnvu.dll
    NY -> FNUBaccf.ini -> %SystemRoot%\System32\FNUBaccf.ini
    NY -> fccaBUNF.dll -> %SystemRoot%\System32\fccaBUNF.dll
    NY -> qoMecccd.dll -> %SystemRoot%\System32\qoMecccd.dll
    NY -> xusilqad.job -> %SystemRoot%\tasks\xusilqad.job
    NY -> ddcCUmmm.dll.vir -> %SystemRoot%\System32\ddcCUmmm.dll.vir
    [Empty Temp Folders]
    [Reboot]
  • Close all windows except OTScanIt.
  • Click the Run Fix button.
When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click OK and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix. Notepad will open with the final results at that time. Post that log back here in your next reply.

Update Java to Version 6 Update 11
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please then install the latest Java, Java SE Runtime Environment (JRE) 6 Update 11 from this page. Follow the prompts and select the appropriate settings for your machine (most likely "Windows"). Click on the "Required File" to download the installer. Double click the installer to run. Delete the installer after use.

Re-enable your protection at this time.

Please post back with:
-the OTScanIt fix log
-a new OTScanIt scan log

With Regards,
The Panda
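The fix script in the post above targets three loading points that this Vundo wave uses because each injects a DLL into every user32 process (AppInit_DLLs) or into lsass.exe at boot (SecurityProviders, LSA Authentication Packages), alongside the usual BHO entries. As an added example that is not the thread's or OTScanIt's own code, this Python parser reads that fix block, maps each file to every loading point that names it, and pairs the reversed-name .ini companions (FNUBaccf.ini for fccaBUNF.dll) with their DLL; the meaning of the two-letter flags and the severity ranking are this example's assumptions.

```python
"""Triage an OTScanIt fix script by persistence location (added example, not
part of the thread or of OTScanIt). Assumed: flags = (registry item present,
file present); the severity ranking is this example's own."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: the fix block pasted in the post above, with the
# repeated "*name* ->" and closing "< name >" lines left out for brevity
# (the parser ignores the former and treats the latter like an opening line).
SAMPLE_FIX = r"""
[Kill Explorer]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {292c76ef-f0bb-42b6-b933-e9cdb0956482} [HKLM] -> %SystemRoot%\system32\rrqmik.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {7A490482-1CDF-4D77-8675-05127FC3DD81} [HKLM] -> %SystemRoot%\system32\fccaBUNF.dll [Reg Error: Value  does not exist or could not be read.]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
YY -> rrqmik.dll -> %SystemRoot%\system32\rrqmik.dll
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
YN ->  digeste.dll ->
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\WINDOWS\system32\fccaBUNF -> %SystemRoot%\system32\fccaBUNF.dll
[Files/Folders - Created Within 30 Days]
NY -> FNUBaccf.ini2 -> %SystemRoot%\System32\FNUBaccf.ini2
NY -> rrqmik.dll -> %SystemRoot%\System32\rrqmik.dll
NY -> kmpuwnvu.dll -> %SystemRoot%\System32\kmpuwnvu.dll
NY -> FNUBaccf.ini -> %SystemRoot%\System32\FNUBaccf.ini
NY -> fccaBUNF.dll -> %SystemRoot%\System32\fccaBUNF.dll
NY -> qoMecccd.dll -> %SystemRoot%\System32\qoMecccd.dll
NY -> xusilqad.job -> %SystemRoot%\tasks\xusilqad.job
NY -> ddcCUmmm.dll.vir -> %SystemRoot%\System32\ddcCUmmm.dll.vir
[Empty Temp Folders]
[Reboot]
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
LOCATION_RE = re.compile(r"^< (?P<name>.+?) \[(?P<hive>[^\]]+)\] > -> (?P<key>.*)$")
ENTRY_RE = re.compile(r"^(?P<flags>[YN]{2}) -> (?P<item>.*?) ->\s*(?P<path>.*)$")

# Loading points that put a DLL into every user32 process (AppInit_DLLs)
# or into lsass.exe at boot (authentication packages, security providers).
HIGH_RISK = {"AppInit_DLLs", "SecurityProviders", "LSA Authentication Packages"}


@dataclass(frozen=True)
class Directive:
    section: str
    location: Optional[str]  # registry loading point; None in file sections
    flags: str               # assumed: (registry item present, file present)
    item: str
    path: str

    @property
    def filename(self) -> str:
        # Lower-cased basename of the path, or of the item when no path is given.
        target = self.path or self.item
        return target.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_fix_script(text: str) -> List[Directive]:
    """Turn the fix script into directives tagged with section and location."""
    out, section, location = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section, location = m.group("name"), None
        elif (m := LOCATION_RE.match(line)):
            location = m.group("name")
        elif (m := ENTRY_RE.match(line)) and section:
            # Drop the trailing "[Reg Error: ...]" annotation OTScanIt appends.
            path = re.sub(r"\s*\[Reg Error:.*\]$", "", m.group("path")).strip()
            out.append(Directive(section, location, m.group("flags"),
                                 m.group("item").strip(), path))
    return out


def loading_points(directives: List[Directive]) -> Dict[str, Set[str]]:
    """Map each file to every loading point (or file section) that names it."""
    refs: Dict[str, Set[str]] = defaultdict(set)
    for d in directives:
        refs[d.filename].add(d.location or d.section)
    return dict(refs)


def severity(points: Set[str]) -> str:
    """Rank by the worst loading point; a BHO alone only hooks the browser."""
    if points & HIGH_RISK:
        return "high"
    return "medium" if "BHO's" in points else "info"


def reversed_name_companions(directives: List[Directive]) -> Dict[str, str]:
    """Pair each .ini/.ini2 with the DLL whose stem is its own stem reversed."""
    dll_by_stem = {d.filename[:-4]: d.filename
                   for d in directives if d.filename.endswith(".dll")}
    pairs = {}
    for d in directives:
        stem, _, ext = d.filename.rpartition(".")
        if ext in ("ini", "ini2") and stem[::-1] in dll_by_stem:
            pairs[d.filename] = dll_by_stem[stem[::-1]]
    return pairs


if __name__ == "__main__":
    dirs = parse_fix_script(SAMPLE_FIX)
    for name, points in sorted(loading_points(dirs).items()):
        print(f"{severity(points):6} {name:20} {sorted(points)}")
    print("reversed-name companions:", reversed_name_companions(dirs))
```

Run on the sample, rrqmik.dll and fccaBUNF.dll each come out "high" because they are referenced from a BHO entry and from AppInit_DLLs or the LSA package list respectively, which is why a plain uninstall of the BHO would not have been enough.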

#14 sko
  • Topic Starter
  • Members
  • 29 posts
  • Local time:11:21 PM

Posted 05 January 2009 - 05:05 PM

For some reason when I tried to download the update it gave me a file I couldn't open, it was a jnlp file. Did I remove the wrong program from my computer?
FIX
Process Explorer.EXE killed successfully!
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{292c76ef-f0bb-42b6-b933-e9cdb0956482}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{292c76ef-f0bb-42b6-b933-e9cdb0956482}\ deleted successfully.
C:\WINDOWS\system32\rrqmik.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7A490482-1CDF-4D77-8675-05127FC3DD81}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7A490482-1CDF-4D77-8675-05127FC3DD81}\ deleted successfully.
C:\WINDOWS\system32\fccaBUNF.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:rrqmik.dll deleted successfully.
File C:\WINDOWS\system32\rrqmik.dll not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders: digeste.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\WINDOWS\system32\fccaBUNF deleted successfully.
File C:\WINDOWS\system32\fccaBUNF.dll not found.
[Files/Folders - Created Within 30 Days]
C:\WINDOWS\System32\FNUBaccf.ini2 moved successfully.
File C:\WINDOWS\System32\rrqmik.dll not found!
C:\WINDOWS\System32\kmpuwnvu.dll moved successfully.
C:\WINDOWS\System32\FNUBaccf.ini moved successfully.
File C:\WINDOWS\System32\fccaBUNF.dll not found!
C:\WINDOWS\System32\qoMecccd.dll moved successfully.
C:\WINDOWS\tasks\xusilqad.job moved successfully.
C:\WINDOWS\System32\ddcCUmmm.dll.vir moved successfully.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Josh's Super Box\Local Settings\Temp\Perflib_Perfdata_204.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Josh's Super Box\Local Settings\Temp\Perflib_Perfdata_e3c.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Josh's Super Box\Local Settings\Temp\Perflib_Perfdata_e44.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_670.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.6.0 fix logfile created on 01052009_155244

Files moved on Reboot...
File C:\Documents and Settings\Josh's Super Box\Local Settings\Temp\Perflib_Perfdata_204.dat not found!
File C:\Documents and Settings\Josh's Super Box\Local Settings\Temp\Perflib_Perfdata_e3c.dat not found!
File C:\Documents and Settings\Josh's Super Box\Local Settings\Temp\Perflib_Perfdata_e44.dat not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_670.dat not found!

Registry entries deleted on Reboot...

New
OTScanIt2 logfile created on: 1/5/2009 4:05:01 PM - Run 6
OTScanIt2 by OldTimer - Version 1.0.6.0	 Folder = C:\Documents and Settings\Josh's Super Box\Desktop\OTScanIt2
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 1.55 Gb Available Physical Memory | 77.29% Memory free
3.85 Gb Paging File | 3.49 Gb Available in Paging File | 90.51% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 75.13 Gb Total Space | 65.14 Gb Free Space | 86.71% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 97.65 Gb Total Space | 97.59 Gb Free Space | 99.93% Space Free | Partition Type: NTFS
Drive F: | 292.97 Gb Total Space | 292.90 Gb Free Space | 99.97% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: JOSH
Current User Name: Josh's Super Box
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days
 
[Processes - Safe List]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> [2008/11/26 11:18:51 | 00,081,000 | ---- | M] (ALWIL Software)
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> [2008/11/26 11:18:46 | 00,155,160 | ---- | M] (ALWIL Software)
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> [2008/11/26 11:12:08 | 00,018,752 | ---- | M] (ALWIL Software)
ati2evxx.exe -> %SystemRoot%\system32\ati2evxx.exe -> [2006/12/26 23:57:00 | 00,434,176 | ---- | M] (ATI Technologies Inc.)
ati2evxx.exe -> %SystemRoot%\system32\ati2evxx.exe -> [2006/12/26 23:57:00 | 00,434,176 | ---- | M] (ATI Technologies Inc.)
cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> [2006/09/25 08:12:20 | 00,045,056 | ---- | M] (ATI Technologies Inc.)
cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> [2006/09/25 08:12:20 | 00,045,056 | ---- | M] (ATI Technologies Inc.)
cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> [2006/09/25 08:12:20 | 00,045,056 | ---- | M] (ATI Technologies Inc.)
cthelper.exe -> %SystemRoot%\CTHELPER.EXE -> [2005/05/24 02:28:18 | 00,016,384 | ---- | M] (Creative Technology Ltd)
emupatchmixdsp.exe -> %ProgramFiles%\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe -> [2005/05/04 04:27:44 | 00,581,755 | ---- | M] (EMU Systems)
firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> [2008/12/19 03:33:08 | 07,678,568 | ---- | M] (Mozilla Corporation)
lssrvc.exe -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> [2006/12/14 17:49:10 | 00,061,440 | ---- | M] (Hewlett-Packard Company)
lxcycoms.exe -> %SystemRoot%\system32\lxcycoms.exe -> [2007/06/20 04:28:55 | 00,537,264 | ---- | M] ( )
otscanit2.exe -> %UserProfile%\Desktop\OTScanIt2\OTScanIt2.exe -> [2009/01/04 17:00:34 | 00,485,888 | ---- | M] (OldTimer Tools)
rthdcpl.exe -> %SystemRoot%\RTHDCPL.EXE -> [2006/12/18 21:12:00 | 16,062,464 | R--- | M] (Realtek Semiconductor Corp.)
wdfmgr.exe -> %SystemRoot%\system32\wdfmgr.exe -> [2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation)
wmiprvse.exe -> %SystemRoot%\system32\wbem\wmiprvse.exe -> [2004/08/03 23:56:58 | 00,218,112 | ---- | M] (Microsoft Corporation)
 
[Win32 Services - Safe List]
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -> [2005/09/23 06:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation)
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> [2008/11/26 11:12:08 | 00,018,752 | ---- | M] (ALWIL Software)
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] -> %SystemRoot%\system32\ati2evxx.exe -> [2006/12/26 23:57:00 | 00,434,176 | ---- | M] (ATI Technologies Inc.)
(ATI Smart) ATI Smart [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\ati2sgag.exe -> [2006/12/27 12:22:00 | 00,520,192 | ---- | M] ()
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> [2008/11/26 11:18:46 | 00,155,160 | ---- | M] (ALWIL Software)
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> [2008/11/26 11:18:32 | 00,254,040 | ---- | M] (ALWIL Software)
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> [2008/11/26 11:16:23 | 00,352,920 | ---- | M] (ALWIL Software)
(clr_optimization_v2.0.50727_32) .NET Runtime Optimization Service v2.0.50727_X86 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -> [2005/09/23 06:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation)
(FLEXnet Licensing Service) FLEXnet Licensing Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -> [2008/04/06 10:17:02 | 00,658,432 | ---- | M] (Macrovision Europe Ltd.)
(LightScribeService) LightScribeService Direct Disc Labeling Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> [2006/12/14 17:49:10 | 00,061,440 | ---- | M] (Hewlett-Packard Company)
(lxcy_device) lxcy_device [Win32_Own | Auto | Running] -> %SystemRoot%\system32\lxcycoms.exe -> [2007/06/20 04:28:55 | 00,537,264 | ---- | M] ( )
(MSSQL$SONY_MEDIAMGR) MSSQL$SONY_MEDIAMGR [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -> [2002/12/17 16:26:22 | 07,520,337 | ---- | M] (Microsoft Corporation)
(MSSQLServerADHelper) MSSQLServerADHelper [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe -> [2002/12/17 16:23:30 | 00,066,112 | ---- | M] (Microsoft Corporation)
(NMIndexingService) NMIndexingService [Win32_Own | Disabled | Stopped] ->  -> File not found
(SQLAgent$SONY_MEDIAMGR) SQLAgent$SONY_MEDIAMGR [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -> [2002/12/17 16:23:30 | 00,311,872 | ---- | M] (Microsoft Corporation)
(UMWdf) Windows User Mode Driver Framework [Win32_Own | Auto | Running] -> %SystemRoot%\system32\wdfmgr.exe -> [2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation)
 
[Driver Services - Safe List]
(Aavmker4) avast! Asynchronous Virus Monitor [Kernel | System | Running] -> %SystemRoot%\system32\drivers\aavmker4.sys -> [2008/11/26 11:15:35 | 00,026,944 | ---- | M] (ALWIL Software)
(aswFsBlk) aswFsBlk [File_System | Auto | Running] -> %SystemRoot%\system32\drivers\aswFsBlk.sys -> [2008/11/26 11:17:25 | 00,020,560 | ---- | M] (ALWIL Software)
(aswMon2) avast! Standard Shield Support [File_System | Auto | Running] -> %SystemRoot%\system32\drivers\aswmon2.sys -> [2008/11/26 11:18:18 | 00,094,032 | ---- | M] (ALWIL Software)
(aswRdr) aswRdr [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\aswRdr.sys -> [2008/11/26 11:16:29 | 00,023,152 | ---- | M] (ALWIL Software)
(aswSP) avast! Self Protection [Kernel | System | Running] -> %SystemRoot%\system32\drivers\aswSP.sys -> [2008/11/26 11:17:36 | 00,111,184 | ---- | M] (ALWIL Software)
(aswTdi) avast! Network Shield Support [Kernel | System | Running] -> %SystemRoot%\system32\drivers\aswTdi.sys -> [2008/11/26 11:16:38 | 00,050,864 | ---- | M] (ALWIL Software)
(ati2mtag) ati2mtag [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ati2mtag.sys -> [2006/12/27 00:04:00 | 01,918,464 | ---- | M] (ATI Technologies Inc.)
(ctac32k) Creative AC3 Software Decoder [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ctac32k.sys -> [2005/05/24 02:20:14 | 00,503,296 | R--- | M] (Creative Technology Ltd)
(ctaud2k) Creative Audio Driver (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ctaud2k.sys -> [2005/05/24 02:21:02 | 00,435,712 | R--- | M] (Creative Technology Ltd)
(ctprxy2k) Creative Proxy Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ctprxy2k.sys -> [2005/05/24 02:21:04 | 00,007,168 | R--- | M] (Creative Technology Ltd)
(ctsfm2k) Creative SoundFont Management Device Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ctsfm2k.sys -> [2005/05/24 02:20:20 | 00,145,408 | R--- | M] (Creative Technology Ltd)
(dvdmmg) dvdmmg [File_System | Auto | Running] -> %SystemRoot%\system32\drivers\dvdmmg.sys -> [2007/09/06 05:15:22 | 00,005,504 | ---- | M] ()
(emupia) E-mu Plug-in Architecture Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\emupia2k.sys -> [2005/05/24 02:20:18 | 00,076,800 | R--- | M] (Creative Technology Ltd)
(gmer) gmer [Kernel | System | Running] -> %SystemRoot%\system32\drivers\gmer.sys -> [2008/12/30 10:54:31 | 00,085,969 | ---- | M] (GMER)
(ha10kx2k) Creative Hardware Abstract Layer Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ha10kx2k.sys -> [2005/05/24 02:20:32 | 00,744,448 | R--- | M] (Creative Technology Ltd)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\Hdaudbus.sys -> [2005/01/07 16:07:18 | 00,138,752 | ---- | M] (Windows (R) Server 2003 DDK provider)
(IntcAzAudAddService) Service for Realtek HD Audio (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\RtkHDAud.sys -> [2006/12/21 02:26:00 | 04,405,248 | R--- | M] (Realtek Semiconductor Corp.)
(iteatapi) ITEATAPI_Service_Install [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\iteatapi.sys -> [2005/10/28 10:11:00 | 00,027,648 | R--- | M] (Integrated Technology Express, Inc.)
(MTsensor) ATK0110 ACPI UTILITY [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ASACPI.sys -> [2004/08/13 04:56:20 | 00,005,810 | R--- | M] ()
(ossrv) Creative OS Services Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ctoss2k.sys -> [2005/05/24 02:20:26 | 00,115,712 | R--- | M] (Creative Technology Ltd.)
(pavboot) pavboot [File_System | Boot | Running] -> %SystemRoot%\system32\drivers\pavboot.sys -> [2008/06/19 17:24:30 | 00,028,544 | ---- | M] (Panda Security, S.L.)
(pfc) Padus ASPI Shell [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\pfc.sys -> [2004/04/01 15:30:46 | 00,010,368 | ---- | M] (Padus, Inc.)
(PfModNT) PfModNT [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\pfmodnt.sys -> [2005/05/24 02:28:46 | 00,009,216 | R--- | M] (Creative Technology Ltd.)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> [2001/08/23 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\pxhelp20.sys -> [2007/03/29 03:00:00 | 00,043,528 | ---- | M] (Sonic Solutions)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\secdrv.sys -> [2002/03/25 14:02:14 | 00,027,440 | ---- | M] ()
(tmcomm) tmcomm [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\tmcomm.sys -> [2008/01/27 13:56:07 | 00,102,664 | ---- | M] (Trend Micro Inc.)
(yukonwxp) NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\yk51x86.sys -> [2005/05/06 07:27:00 | 00,232,064 | ---- | M] (Marvell)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home -> 
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://www.google.com/ -> 
HKEY_CURRENT_USER\: SearchURL\\"provider" ->  -> 
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 -> 
< FireFox Settings [Default Profile] > -> C:\Documents and Settings\Josh's Super Box\Application Data\Mozilla\FireFox\Profiles\y8xgvf0z.default\prefs.js -> 
browser.search.defaultenginename -> "Google" ->
browser.search.defaulturl -> "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=" ->
browser.search.selectedEngine -> "Google" ->
browser.startup.homepage -> "www.google.com" ->
browser.startup.homepage_override.mstone -> "rv:1.8.1.20" ->
< HOSTS File > (27 bytes and 1 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 
127.0.0.1	   localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> [2004/12/14 01:56:50 | 00,063,136 | ---- | M] (Adobe Systems Incorporated)
{1017A80C-6F09-4548-A84D-EDD6AC9525F0} [HKLM] -> %ProgramFiles%\Lexmark Toolbar\toolband.dll [Lexmark Toolbar] -> [2006/08/09 12:37:24 | 00,184,320 | R--- | M] ()
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)
{7A490482-1CDF-4D77-8675-05127FC3DD81} [HKLM] -> %SystemRoot%\system32\fccaBUNF.dll [Reg Error: Value  does not exist or could not be read.] -> File not found
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" [HKLM] -> %ProgramFiles%\Lexmark Toolbar\toolband.dll [Lexmark Toolbar] -> [2006/08/09 12:37:24 | 00,184,320 | R--- | M] ()
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
WebBrowser\\"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" [HKLM] -> %ProgramFiles%\Lexmark Toolbar\toolband.dll [Lexmark Toolbar] -> [2006/08/09 12:37:24 | 00,184,320 | R--- | M] ()
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"ATICCC" -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLIStart.exe ["C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"] -> [2006/09/25 08:12:20 | 00,090,112 | ---- | M] ()
"avast!" -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe [C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe] -> [2008/11/26 11:18:51 | 00,081,000 | ---- | M] (ALWIL Software)
"CTHelper" -> %SystemRoot%\CTHELPER.EXE [CTHELPER.EXE] -> [2005/05/24 02:28:18 | 00,016,384 | ---- | M] (Creative Technology Ltd)
"LXCYCATS" -> %SystemRoot%\system32\spool\drivers\w32x86\3\lxcytime.dll [rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16] -> [2006/11/21 11:27:06 | 00,106,496 | ---- | M] (Lexmark International Inc.)
"QuickTime Task" -> %ProgramFiles%\QuickTime\QTTask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> [2007/06/29 06:24:52 | 00,286,720 | ---- | M] (Apple Inc.)
"RTHDCPL" -> %SystemRoot%\RTHDCPL.EXE [RTHDCPL.EXE] -> [2006/12/18 21:12:00 | 16,062,464 | R--- | M] (Realtek Semiconductor Corp.)
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"Aim6" -> %ProgramFiles%\AIM6\aim6.exe ["C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp] -> [2008/03/06 14:50:59 | 00,050,528 | ---- | M] (AOL LLC)
"SetDefaultMIDI" -> %SystemRoot%\MIDIDEF.EXE [MIDIDef.exe] -> [2005/05/24 02:17:46 | 00,025,088 | ---- | M] (Creative Technology Ltd)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
%AllUsersProfile%\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> [2004/12/14 04:44:06 | 00,029,696 | ---- | M] (Adobe Systems Incorporated)
< Josh's Super Box Startup Folder > -> C:\Documents and Settings\Josh's Super Box\Start Menu\Programs\Startup -> 
%UserProfile%\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk -> %ProgramFiles%\ERUNT\AUTOBACK.EXE -> [2005/10/20 12:04:08 | 00,038,912 | ---- | M] ()
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" ->  [0] -> File not found
\\"legalnoticecaption" ->  [] -> File not found
\\"legalnoticetext" ->  [] -> File not found
\\"shutdownwithoutlogon" ->  [1] -> File not found
\\"undockwithoutlogon" ->  [1] -> File not found
\\"DisableRegistryTools" ->  [0] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"DisableRegistryTools" ->  [0] -> File not found
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Menu: Spybot - Search & Destroy Configuration] -> [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] ->  [Reg Error: Value  does not exist or could not be read.] -> File not found
CmdMapping\\"{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}" [HKLM] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
Extension\.spop -> %ProgramFiles%\Internet Explorer\PLUGINS\NPDocBox.dll [] -> [2001/01/30 12:56:24 | 00,225,280 | ---- | M] (InterTrust Technologies Corporation, Inc.)
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5224 domain(s) found. -> 
51 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5225 domain(s) found. -> 
50 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} [HKLM] -> C:\Program Files\Yahoo!\Common\yinsthelper.dll[YInstStarter Class] -> 
{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} [HKLM] -> http://support.f-secure.com/ols/fscax.cab[F-Secure Online Scanner 3.3] -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{02402D66-A0A1-4974-97CD-3F0930461DFE} ->	(Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller) -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
AtiExtEvent -> %SystemRoot%\system32\ati2evxx.dll -> [2006/12/26 23:58:00 | 00,110,592 | ---- | M] (ATI Technologies Inc.)
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [] -> File not found
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> 
*LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> 
C:\WINDOWS\system32\fccaBUNF ->  -> File not found
*MultiFile Done* -> -> 
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2004/08/03 23:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation)
"C:\Program Files\MSN Messenger\livecall.exe" -> C:\Program Files\MSN Messenger\livecall.exe [C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)] -> File not found
"C:\Program Files\MSN Messenger\msnmsgr.exe" -> C:\Program Files\MSN Messenger\msnmsgr.exe [C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1] -> File not found
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
"C:\Program Files\AIM6\aim6.exe" -> C:\Program Files\AIM6\aim6.exe [C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM] -> [2008/03/06 14:50:59 | 00,050,528 | ---- | M] (AOL LLC)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" -> C:\Program Files\Common Files\AOL\Loader\aolload.exe [C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader] -> [2006/11/03 01:17:27 | 00,010,800 | ---- | M] (AOL LLC)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -> C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger] -> [2007/08/30 17:43:18 | 04,670,704 | ---- | M] (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" -> C:\Program Files\Yahoo!\Messenger\YServer.exe [C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server] -> [2007/08/30 17:43:18 | 00,091,376 | ---- | M] (Yahoo! Inc.)
"C:\WINDOWS\system32\lxcycoms.exe" -> C:\WINDOWS\system32\lxcycoms.exe [C:\WINDOWS\system32\lxcycoms.exe:*:Disabled:Lexmark Communications System] -> [2007/06/20 04:28:55 | 00,537,264 | ---- | M] ( )
"C:\WINDOWS\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019] -> [2004/08/03 23:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
"AlternateShell" -> cmd.exe -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" -> %SystemRoot%\system32\drivers\cdrom.sys [System32\DRIVERS\cdrom.sys] -> [2004/08/03 21:59:54 | 00,049,536 | ---- | M] (Microsoft Corporation)
< Drives with AutoRun files > ->  -> 
C:\AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] -> [2007/06/21 05:33:23 | 00,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
\{02e9be77-b6fe-11dc-9ec3-001a927848de}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{02e9be77-b6fe-11dc-9ec3-001a927848de}\Shell
\{02e9be77-b6fe-11dc-9ec3-001a927848de}\Shell\\"" ->  [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{02e9be77-b6fe-11dc-9ec3-001a927848de}\Shell\AutoRun
\{02e9be77-b6fe-11dc-9ec3-001a927848de}\Shell\AutoRun\\"" ->  [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{02e9be77-b6fe-11dc-9ec3-001a927848de}\Shell\AutoRun\command
\{02e9be77-b6fe-11dc-9ec3-001a927848de}\Shell\AutoRun\command\\"" -> G:\LaunchU3.exe [G:\LaunchU3.exe -a] -> File not found
\{c82534a4-6717-11dc-9e77-001a927848de}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c82534a4-6717-11dc-9e77-001a927848de}\Shell
\{c82534a4-6717-11dc-9e77-001a927848de}\Shell\\"" ->  [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c82534a4-6717-11dc-9e77-001a927848de}\Shell\AutoRun
\{c82534a4-6717-11dc-9e77-001a927848de}\Shell\AutoRun\\"" ->  [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c82534a4-6717-11dc-9e77-001a927848de}\Shell\AutoRun\command
\{c82534a4-6717-11dc-9e77-001a927848de}\Shell\AutoRun\command\\"" -> H:\LaunchU3.exe [H:\LaunchU3.exe -a] -> File not found
 
 
[Files/Folders - Created Within 30 Days]
30 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
1231192931280-integrated.jnlp -> %UserProfile%\Desktop\1231192931280-integrated.jnlp -> [2009/01/05 16:02:15 | 00,001,953 | ---- | C] ()
1231192903687-integrated.jnlp -> %UserProfile%\Desktop\1231192903687-integrated.jnlp -> [2009/01/05 16:01:47 | 00,001,605 | ---- | C] ()
_OTScanIt -> %SystemDrive%\_OTScanIt -> [2009/01/05 15:52:44 | 00,000,000 | ---D | C]
ERUNT AutoBackup.lnk -> %UserProfile%\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk -> [2009/01/05 15:50:59 | 00,000,767 | ---- | C] ()
NTREGOPT.lnk -> %UserProfile%\Desktop\NTREGOPT.lnk -> [2009/01/05 15:50:57 | 00,000,611 | ---- | C] ()
ERUNT.lnk -> %UserProfile%\Desktop\ERUNT.lnk -> [2009/01/05 15:50:57 | 00,000,592 | ---- | C] ()
ERUNT -> %ProgramFiles%\ERUNT -> [2009/01/05 15:50:57 | 00,000,000 | ---D | C]
erunt-setup.exe -> %UserProfile%\Desktop\erunt-setup.exe -> [2009/01/05 15:50:43 | 00,791,393 | ---- | C] (Lars Hederer												)
OTScanIt2 -> %UserProfile%\Desktop\OTScanIt2 -> [2009/01/05 14:51:01 | 00,000,000 | ---D | C]
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/01/05 14:50:30 | 00,657,207 | ---- | C] ()
Instrumentals - Lil Flip - Game Over.mp3 -> %UserProfile%\Desktop\Instrumentals - Lil Flip - Game Over.mp3 -> [2009/01/05 13:50:02 | 05,975,331 | ---- | C] ()
Recent -> %UserProfile%\Recent -> [2009/01/05 13:35:52 | 00,000,000 | RH-D | C]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [2009/01/05 10:38:07 | 00,000,000 | ---D | C]
nsreg.dat -> %SystemRoot%\nsreg.dat -> [2009/01/04 21:27:10 | 00,000,000 | ---- | C] ()
Flock -> %UserProfile%\Local Settings\Application Data\Flock -> [2009/01/04 21:27:08 | 00,000,000 | ---D | C]
Flock -> %AppData%\Flock -> [2009/01/04 21:27:08 | 00,000,000 | ---D | C]
Flock -> %ProgramFiles%\Flock -> [2009/01/04 21:27:02 | 00,000,000 | ---D | C]
Top Notch.acd -> %UserProfile%\My Documents\Top Notch.acd -> [2009/01/04 20:55:40 | 00,059,040 | ---- | C] ()
Top Notch.acd-bak -> %UserProfile%\My Documents\Top Notch.acd-bak -> [2009/01/04 20:55:40 | 00,056,608 | ---- | C] ()
Bun_B-Damn_Im_Cold__DJ_EMI_Loop_.mp3.sfk -> %UserProfile%\Desktop\Bun_B-Damn_Im_Cold__DJ_EMI_Loop_.mp3.sfk -> [2009/01/04 20:37:39 | 00,187,140 | ---- | C] ()
Bun_B-Damn_Im_Cold__DJ_EMI_Loop_.mp3 -> %UserProfile%\Desktop\Bun_B-Damn_Im_Cold__DJ_EMI_Loop_.mp3 -> [2009/01/04 20:28:57 | 06,518,586 | ---- | C] ()
MakeEmChill.mp3 -> %UserProfile%\Desktop\MakeEmChill.mp3 -> [2009/01/04 20:14:53 | 02,119,121 | ---- | C] ()
aswTdi.sys -> %SystemRoot%\System32\drivers\aswTdi.sys -> [2009/01/04 19:09:33 | 00,050,864 | ---- | C] (ALWIL Software)
aavmker4.sys -> %SystemRoot%\System32\drivers\aavmker4.sys -> [2009/01/04 19:09:33 | 00,026,944 | ---- | C] (ALWIL Software)
aswRdr.sys -> %SystemRoot%\System32\drivers\aswRdr.sys -> [2009/01/04 19:09:33 | 00,023,152 | ---- | C] (ALWIL Software)
avast! Antivirus.lnk -> %AllUsersProfile%\Desktop\avast! Antivirus.lnk -> [2009/01/04 19:09:33 | 00,001,709 | ---- | C] ()
aswSP.sys -> %SystemRoot%\System32\drivers\aswSP.sys -> [2009/01/04 19:09:32 | 00,111,184 | ---- | C] (ALWIL Software)
AvastSS.scr -> %SystemRoot%\System32\AvastSS.scr -> [2009/01/04 19:09:32 | 00,097,480 | ---- | C] (ALWIL Software)
aswmon2.sys -> %SystemRoot%\System32\drivers\aswmon2.sys -> [2009/01/04 19:09:32 | 00,094,032 | ---- | C] (ALWIL Software)
aswmon.sys -> %SystemRoot%\System32\drivers\aswmon.sys -> [2009/01/04 19:09:32 | 00,093,296 | ---- | C] (ALWIL Software)
aswFsBlk.sys -> %SystemRoot%\System32\drivers\aswFsBlk.sys -> [2009/01/04 19:09:32 | 00,020,560 | ---- | C] (ALWIL Software)
aswBoot.exe -> %SystemRoot%\System32\aswBoot.exe -> [2009/01/04 19:09:21 | 01,236,208 | ---- | C] (ALWIL Software)
actskin4.ocx -> %SystemRoot%\System32\actskin4.ocx -> [2009/01/04 19:09:21 | 00,380,928 | ---- | C] ()
Alwil Software -> %ProgramFiles%\Alwil Software -> [2009/01/04 19:09:19 | 00,000,000 | ---D | C]
SHIET -> %UserProfile%\Desktop\SHIET -> [2009/01/04 18:33:58 | 00,000,000 | ---D | C]
new blends -> %UserProfile%\My Documents\new blends -> [2009/01/04 11:50:28 | 00,000,000 | ---D | C]
pgdfgsvc.exe -> %SystemRoot%\System32\pgdfgsvc.exe -> [2009/01/02 17:21:41 | 00,025,992 | ---- | C] (Sysinternals - www.sysinternals.com)
PageDefrag -> %UserProfile%\Desktop\PageDefrag -> [2009/01/02 17:21:10 | 00,000,000 | ---D | C]
fsaua.data -> %SystemDrive%\fsaua.data -> [2008/12/31 15:40:08 | 00,000,000 | ---D | C]
Sonic Foundry -> %ProgramFiles%\Sonic Foundry -> [2008/12/30 21:42:33 | 00,000,000 | ---D | C]
DebugMode -> %ProgramFiles%\DebugMode -> [2008/12/30 21:42:26 | 00,000,000 | ---D | C]
Dj S.Ko-Camera Phone- The Game Ft Neyo.mp3 -> %UserProfile%\My Documents\Dj S.Ko-Camera Phone- The Game Ft Neyo.mp3 -> [2008/12/30 14:24:49 | 04,204,150 | ---- | C] ()
RECYCLER -> %SystemDrive%\RECYCLER -> [2008/12/30 11:13:29 | 00,000,000 | -HSD | C]
gmer.ini -> %SystemRoot%\gmer.ini -> [2008/12/30 10:54:32 | 00,000,345 | ---- | C] ()
gmer.dll -> %SystemRoot%\gmer.dll -> [2008/12/30 10:54:31 | 00,884,736 | ---- | C] ()
gmer.exe -> %SystemRoot%\gmer.exe -> [2008/12/30 10:54:31 | 00,811,008 | ---- | C] ()
gmer.sys -> %SystemRoot%\System32\drivers\gmer.sys -> [2008/12/30 10:54:31 | 00,085,969 | ---- | C] (GMER)
gmer_uninstall.cmd -> %SystemRoot%\gmer_uninstall.cmd -> [2008/12/30 10:54:31 | 00,000,080 | ---- | C] ()
temp -> %SystemRoot%\temp -> [2008/12/30 10:52:29 | 00,000,000 | ---D | C]
Boot.bak -> %SystemDrive%\Boot.bak -> [2008/12/29 09:27:32 | 00,000,211 | ---- | C] ()
cmldr -> %SystemDrive%\cmldr -> [2008/12/29 09:27:29 | 00,260,272 | ---- | C] ()
cmdcons -> %SystemDrive%\cmdcons -> [2008/12/29 09:27:29 | 00,000,000 | RHSD | C]
ERDNT -> %SystemRoot%\ERDNT -> [2008/12/29 09:26:15 | 00,000,000 | ---D | C]
QTSBandwidthCache -> %AllUsersProfile%\Application Data\QTSBandwidthCache -> [2008/12/24 00:29:05 | 00,001,353 | ---- | C] ()
Propellerhead -> %ProgramFiles%\Propellerhead -> [2008/12/24 00:08:10 | 00,000,000 | ---D | C]
Windows Genuine Advantage -> %AllUsersProfile%\Application Data\Windows Genuine Advantage -> [2008/12/22 14:31:47 | 00,000,000 | ---D | C]
Swangazpt2.mp3 -> %UserProfile%\My Documents\Swangazpt2.mp3 -> [2008/12/19 01:46:27 | 04,239,371 | ---- | C] ()
Avg7 -> %AllUsersProfile%\Application Data\Avg7 -> [2008/12/18 01:56:28 | 00,000,000 | ---D | C]
Malwarebytes -> %AppData%\Malwarebytes -> [2008/12/18 00:49:50 | 00,000,000 | ---D | C]
Malwarebytes -> %AllUsersProfile%\Application Data\Malwarebytes -> [2008/12/18 00:48:42 | 00,000,000 | ---D | C]
MFC71.dll -> %SystemRoot%\System32\MFC71.dll -> [2008/12/18 00:42:31 | 01,060,864 | ---- | C] (Microsoft Corporation)
pavboot.sys -> %SystemRoot%\System32\drivers\pavboot.sys -> [2008/12/17 23:28:48 | 00,028,544 | ---- | C] (Panda Security, S.L.)
CCleaner.lnk -> %UserProfile%\Desktop\CCleaner.lnk -> [2008/12/17 23:05:13 | 00,001,548 | ---- | C] ()
CCleaner -> %ProgramFiles%\CCleaner -> [2008/12/17 23:05:13 | 00,000,000 | ---D | C]
Any Video Converter -> %AppData%\Any Video Converter -> [2008/12/17 21:25:51 | 00,000,000 | ---D | C]
wininit.ini -> %SystemRoot%\wininit.ini -> [2008/12/17 19:56:26 | 00,000,259 | ---- | C] ()
Media Player Classic -> %AppData%\Media Player Classic -> [2008/12/17 02:53:03 | 00,000,000 | ---D | C]
mplayerc.exe -> %UserProfile%\Desktop\mplayerc.exe -> [2008/12/17 02:52:59 | 04,333,568 | ---- | C] (Gabest)
LightScribe -> %CommonProgramFiles%\LightScribe -> [2008/12/17 02:28:47 | 00,000,000 | ---D | C]
Ahead -> %AppData%\Ahead -> [2008/12/17 02:28:07 | 00,000,000 | ---D | C]
Ahead -> %CommonProgramFiles%\Ahead -> [2008/12/17 02:26:01 | 00,000,000 | ---D | C]
DVDRegionFree.INI -> %SystemRoot%\DVDRegionFree.INI -> [2008/12/17 02:19:37 | 00,000,067 | ---- | C] ()
DivX Player.lnk -> %AllUsersProfile%\Desktop\DivX Player.lnk -> [2008/12/17 01:50:59 | 00,000,795 | ---- | C] ()
DivX Converter.lnk -> %AllUsersProfile%\Desktop\DivX Converter.lnk -> [2008/12/17 01:50:53 | 00,000,806 | ---- | C] ()
resumejosh.doc -> %UserProfile%\Desktop\resumejosh.doc -> [2008/12/17 00:04:35 | 00,003,888 | ---- | C] ()
Spybot - Search & Destroy -> %ProgramFiles%\Spybot - Search & Destroy -> [2008/12/16 11:06:10 | 00,000,000 | ---D | C]
DivX Movies.lnk -> %UserProfile%\Desktop\DivX Movies.lnk -> [2008/12/16 03:23:34 | 00,001,502 | ---- | C] ()
 
[Files/Folders - Modified Within 30 Days]
3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
30 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
1 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> 
1231192931280-integrated.jnlp -> %UserProfile%\Desktop\1231192931280-integrated.jnlp -> [2009/01/05 16:02:11 | 00,001,953 | ---- | M] ()
1231192903687-integrated.jnlp -> %UserProfile%\Desktop\1231192903687-integrated.jnlp -> [2009/01/05 16:01:43 | 00,001,605 | ---- | M] ()
Perflib_Perfdata_ee0.dat -> %UserProfile%\Local Settings\Temp\Perflib_Perfdata_ee0.dat -> [2009/01/05 15:57:35 | 00,016,384 | ---- | M] ()
Perflib_Perfdata_ed8.dat -> %UserProfile%\Local Settings\Temp\Perflib_Perfdata_ed8.dat -> [2009/01/05 15:57:35 | 00,016,384 | ---- | M] ()
Perflib_Perfdata_2b4.dat -> %UserProfile%\Local Settings\Temp\Perflib_Perfdata_2b4.dat -> [2009/01/05 15:57:22 | 00,016,384 | ---- | M] ()
CONFIG.NT -> %SystemRoot%\System32\CONFIG.NT -> [2009/01/05 15:57:16 | 00,002,626 | ---- | M] ()
Perflib_Perfdata_678.dat -> %SystemRoot%\Temp\Perflib_Perfdata_678.dat -> [2009/01/05 15:56:20 | 00,016,384 | ---- | M] ()
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [2009/01/05 15:56:19 | 00,000,006 | -H-- | M] ()
bootstat.dat -> %SystemRoot%\bootstat.dat -> [2009/01/05 15:56:11 | 00,002,048 | --S- | M] ()
DVCState-{00000001-00000000-00000002-00001102-00000008-40021102}.rfx -> %SystemRoot%\System32\DVCState-{00000001-00000000-00000002-00001102-00000008-40021102}.rfx -> [2009/01/05 15:55:21 | 00,011,564 | ---- | M] ()
BMXCtrlState-{00000001-00000000-00000002-00001102-00000008-40021102}.rfx -> %SystemRoot%\System32\BMXCtrlState-{00000001-00000000-00000002-00001102-00000008-40021102}.rfx -> [2009/01/05 15:55:21 | 00,001,104 | ---- | M] ()
BMXBkpCtrlState-{00000001-00000000-00000002-00001102-00000008-40021102}.rfx -> %SystemRoot%\System32\BMXBkpCtrlState-{00000001-00000000-00000002-00001102-00000008-40021102}.rfx -> [2009/01/05 15:55:21 | 00,001,104 | ---- | M] ()
BMXStateBkp-{00000001-00000000-00000002-00001102-00000008-40021102}.rfx -> %SystemRoot%\System32\BMXStateBkp-{00000001-00000000-00000002-00001102-00000008-40021102}.rfx -> [2009/01/05 15:55:21 | 00,000,064 | ---- | M] ()
BMXState-{00000001-00000000-00000002-00001102-00000008-40021102}.rfx -> %SystemRoot%\System32\BMXState-{00000001-00000000-00000002-00001102-00000008-40021102}.rfx -> [2009/01/05 15:55:21 | 00,000,064 | ---- | M] ()
ntuser.dat -> %UserProfile%\ntuser.dat -> [2009/01/05 15:55:16 | 11,010,048 | ---- | M] ()
ntuser.ini -> %UserProfile%\ntuser.ini -> [2009/01/05 15:55:16 | 00,000,178 | -HS- | M] ()
ERUNT AutoBackup.lnk -> %UserProfile%\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk -> [2009/01/05 15:50:59 | 00,000,767 | ---- | M] ()
NTREGOPT.lnk -> %UserProfile%\Desktop\NTREGOPT.lnk -> [2009/01/05 15:50:57 | 00,000,611 | ---- | M] ()
ERUNT.lnk -> %UserProfile%\Desktop\ERUNT.lnk -> [2009/01/05 15:50:57 | 00,000,592 | ---- | M] ()
erunt-setup.exe -> %UserProfile%\Desktop\erunt-setup.exe -> [2009/01/05 15:50:31 | 00,791,393 | ---- | M] (Lars Hederer												)
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/01/05 14:50:53 | 00,657,207 | ---- | M] ()
Top Notch.acd -> %UserProfile%\My Documents\Top Notch.acd -> [2009/01/05 14:43:08 | 00,059,040 | ---- | M] ()
Top Notch.acd-bak -> %UserProfile%\My Documents\Top Notch.acd-bak -> [2009/01/05 14:23:31 | 00,056,608 | ---- | M] ()
Instrumentals - Lil Flip - Game Over.mp3 -> %UserProfile%\Desktop\Instrumentals - Lil Flip - Game Over.mp3 -> [2009/01/05 13:48:37 | 05,975,331 | ---- | M] ()
IconCache.db -> %UserProfile%\Local Settings\Application Data\IconCache.db -> [2009/01/05 12:02:20 | 03,184,656 | -H-- | M] ()
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %UserProfile%\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2009/01/05 01:11:45 | 00,012,288 | ---- | M] ()
wininit.ini -> %SystemRoot%\wininit.ini -> [2009/01/05 00:59:23 | 00,000,259 | ---- | M] ()
qmgr0.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [2009/01/05 00:01:23 | 00,004,232 | ---- | M] ()
qmgr1.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [2009/01/05 00:00:15 | 00,005,192 | ---- | M] ()
nsreg.dat -> %SystemRoot%\nsreg.dat -> [2009/01/04 21:27:10 | 00,000,000 | ---- | M] ()
Bun_B-Damn_Im_Cold__DJ_EMI_Loop_.mp3.sfk -> %UserProfile%\Desktop\Bun_B-Damn_Im_Cold__DJ_EMI_Loop_.mp3.sfk -> [2009/01/04 20:51:53 | 00,187,140 | ---- | M] ()
Bun_B-Damn_Im_Cold__DJ_EMI_Loop_.mp3 -> %UserProfile%\Desktop\Bun_B-Damn_Im_Cold__DJ_EMI_Loop_.mp3 -> [2009/01/04 20:29:34 | 06,518,586 | ---- | M] ()
avast! Antivirus.lnk -> %AllUsersProfile%\Desktop\avast! Antivirus.lnk -> [2009/01/04 19:09:33 | 00,001,709 | ---- | M] ()
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI -> [2009/01/04 18:44:41 | 00,497,116 | ---- | M] ()
perfh009.dat -> %SystemRoot%\System32\perfh009.dat -> [2009/01/04 18:44:41 | 00,419,224 | ---- | M] ()
perfc009.dat -> %SystemRoot%\System32\perfc009.dat -> [2009/01/04 18:44:41 | 00,070,232 | ---- | M] ()
pgdfgsvc.exe -> %SystemRoot%\System32\pgdfgsvc.exe -> [2009/01/02 17:21:41 | 00,025,992 | ---- | M] (Sysinternals - www.sysinternals.com)
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [2009/01/01 14:49:01 | 00,002,206 | ---- | M] ()
Dj S.Ko-Camera Phone- The Game Ft Neyo.mp3 -> %UserProfile%\My Documents\Dj S.Ko-Camera Phone- The Game Ft Neyo.mp3 -> [2008/12/30 14:24:54 | 04,204,150 | ---- | M] ()
resumejosh.doc -> %UserProfile%\Desktop\resumejosh.doc -> [2008/12/30 13:22:11 | 00,003,888 | ---- | M] ()
gmer.ini -> %SystemRoot%\gmer.ini -> [2008/12/30 11:04:03 | 00,000,345 | ---- | M] ()
gmer.dll -> %SystemRoot%\gmer.dll -> [2008/12/30 10:54:31 | 00,884,736 | ---- | M] ()
gmer.sys -> %SystemRoot%\System32\drivers\gmer.sys -> [2008/12/30 10:54:31 | 00,085,969 | ---- | M] (GMER)
gmer_uninstall.cmd -> %SystemRoot%\gmer_uninstall.cmd -> [2008/12/30 10:54:31 | 00,000,080 | ---- | M] ()
system.ini -> %SystemRoot%\system.ini -> [2008/12/30 10:51:39 | 00,000,227 | ---- | M] ()
hosts -> %SystemRoot%\System32\drivers\etc\hosts -> [2008/12/30 10:51:33 | 00,000,027 | ---- | M] ()
boot.ini -> %SystemDrive%\boot.ini -> [2008/12/29 09:27:32 | 00,000,281 | RHS- | M] ()
QTSBandwidthCache -> %AllUsersProfile%\Application Data\QTSBandwidthCache -> [2008/12/24 00:29:05 | 00,001,353 | ---- | M] ()
Reason.lnk -> %AllUsersProfile%\Desktop\Reason.lnk -> [2008/12/24 00:08:32 | 00,000,722 | ---- | M] ()
Swangazpt2.mp3 -> %UserProfile%\My Documents\Swangazpt2.mp3 -> [2008/12/19 01:52:01 | 04,239,371 | ---- | M] ()
CCleaner.lnk -> %UserProfile%\Desktop\CCleaner.lnk -> [2008/12/17 23:05:13 | 00,001,548 | ---- | M] ()
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT -> [2008/12/17 21:30:21 | 00,093,480 | ---- | M] ()
GDIPFONTCACHEV1.DAT -> %UserProfile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT -> [2008/12/17 21:26:13 | 00,013,888 | ---- | M] ()
default.pls -> %UserProfile%\default.pls -> [2008/12/17 02:34:09 | 00,000,136 | ---- | M] ()
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [2008/12/17 02:34:09 | 00,000,069 | ---- | M] ()
DVDRegionFree.INI -> %SystemRoot%\DVDRegionFree.INI -> [2008/12/17 02:19:43 | 00,000,067 | ---- | M] ()
DivX Player.lnk -> %AllUsersProfile%\Desktop\DivX Player.lnk -> [2008/12/17 01:50:59 | 00,000,795 | ---- | M] ()
DivX Converter.lnk -> %AllUsersProfile%\Desktop\DivX Converter.lnk -> [2008/12/17 01:50:53 | 00,000,806 | ---- | M] ()
DivX Movies.lnk -> %UserProfile%\Desktop\DivX Movies.lnk -> [2008/12/17 01:50:41 | 00,001,502 | ---- | M] ()
hosts.20081216-112233.backup -> %SystemRoot%\System32\drivers\etc\hosts.20081216-112233.backup -> [2008/12/16 11:20:21 | 00,290,895 | R--- | M] ()
hhcolreg.dat -> %AllUsersProfile%\Application Data\Microsoft\HTML Help\hhcolreg.dat -> [2007/12/20 02:03:21 | 00,001,307 | ---- | M] ()
data.dat -> %AllUsersProfile%\Application Data\Microsoft\Office\Data\data.dat -> [2000/09/30 17:47:15 | 00,001,538 | ---- | M] ()
< End of report >

Edited by sko, 05 January 2009 - 05:08 PM.


#15 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 05 January 2009 - 05:19 PM

Hello sko.

Looks like that was taken care of.

Run a fix with OTScanIt:
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {7A490482-1CDF-4D77-8675-05127FC3DD81} [HKLM] -> %SystemRoot%\system32\fccaBUNF.dll [Reg Error: Value  does not exist or could not be read.]

Then, run a scan with MalwareBytes and post that log.
---
Here is a direct link to the Java update download.

Post back a fresh HijackThis log afterwards, please.

With Regards,
The Panda


