
Can't update windows/anti virus/spyware software


This topic is locked
25 replies to this topic

#1 Jimmy Farmer

  • Members
  • 13 posts

Posted 08 January 2009 - 01:26 AM

Hello all,

I am unable to update Windows; when I go to the Windows Update site I get redirected to msn.com.

I am unable to download updates for any spyware software I've downloaded except Spybot. It says there are no new updates, but I'm not sure if it ever actually updated, however.
With Ad-Aware it says: no connection to download server.
With Malwarebytes it says: update failed. Make sure you are connected to the internet and your firewall is set to allow Malwarebytes Anti-Malware to access the internet.
With Spyware Doctor it says: error downloading the list of updates. Please try again later.

I am unable to run LiveUpdate in Norton AntiVirus. It says: unable to connect to Norton LiveUpdate server. Please check your internet connection.

When I search for things in Google or Yahoo and click the links, I get redirected to sites such as info.com and smartbizsearch.com.

Those are my problems. I'm thinking they are all connected somehow, as they are all very similar. I've run all the spyware programs I have listed above without updating them, as I am unable to, except Spyware Doctor; I am unable to run that one at all without first updating.

I recently formatted my computer; the problems were there before and after the format.

I'm all out of ideas. I've always been able to fix any problems I've had until now. This is also my first time using HijackThis, so this is all new to me.

Thanks in advance for any help and suggestions.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:35 AM, on 1/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\IPSBHO.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe"
O4 - HKLM\..\Run: [CPMonitor] "C:\Program Files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.cpl,CMICtrlWnd
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Send by Bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
O8 - Extra context menu item: Send via &Message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\skype4com.dll
O23 - Service: Norton 2009 Reset (.norton2009Reset) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Norton\Norton2009Reset.exe
O23 - Service: Roxio SAIB Service (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - Unknown owner - C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
O23 - Service: Roxio UPnP Renderer 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe
O23 - Service: Roxio Upnp Server 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe
O23 - Service: LiveShare P2P Server 11 (RoxLiveShare11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe
O23 - Service: RoxMediaDB11 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe
O23 - Service: Roxio Hard Drive Watcher 11 (RoxWatch11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 9596 bytes
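The log above is in Trend Micro HijackThis v2 format: one entry per line, `<code> - <body>`, where the code (R0, O2, O4, O23, ...) names the kind of hook or autostart location. A helper that parses those lines and marks the handful that merit a closer look is a useful first pass before a human reads the whole log. The following Python is an added example written for this thread; it is not a BleepingComputer or Trend Micro tool and not code from anyone in the thread. Its rules are assumptions chosen for illustration: browser start/search pages pointing at a host outside a small expected allow-list, and autorun entries or services launched from user-writable directories, get flagged for review (not declared malicious). The sample input reuses the format of lines from the log above plus two constructed lines (the `search.example.invalid` page and the `updater.exe` Run entry) so that each rule fires once.

```python
"""Triage helper for Trend Micro HijackThis v2 logs (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterator, Optional
from urllib.parse import urlparse

# Every HijackThis entry line looks like "<code> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First Windows path ending in a binary-like extension, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl|sys))"?', re.IGNORECASE)

# Directories an ordinary XP user can write to; code launched from here deserves a look (assumption).
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\", "\\local settings\\")
# Hosts a start/search page is normally expected to point at (assumed allow-list for this example).
EXPECTED_HOME_HOSTS = {"www.yahoo.com", "www.google.com", "go.microsoft.com", "www.msn.com"}

# Constructed sample: real-format lines from the log above plus two constructed ones (marked).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Application Data\updater.exe
O23 - Service: Norton 2009 Reset (.norton2009Reset) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Norton\Norton2009Reset.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""


@dataclass
class Finding:
    code: str    # HijackThis entry code (R1, O4, O23, ...)
    reason: str  # why the line was flagged for review
    line: str    # the raw log line


def entries(text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (code, body, raw line) for each entry line; headers and process lists are skipped."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body"), raw.strip()


def extract_path(body: str) -> Optional[str]:
    """Return the first absolute Windows path to a binary in the entry body, if any."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def in_user_writable_dir(path: Optional[str]) -> bool:
    lowered = (path or "").lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def triage(text: str) -> list[Finding]:
    """Apply the review heuristics to every entry and return the lines worth a closer look."""
    findings: list[Finding] = []
    for code, body, raw in entries(text):
        path = extract_path(body)
        if code in ("R0", "R1") and "=" in body:
            url = body.split("=", 1)[1].strip()
            host = urlparse(url).hostname or ""
            if host and host not in EXPECTED_HOME_HOSTS:
                findings.append(Finding(code, f"start/search page points at unexpected host {host}", raw))
        elif code == "O4" and in_user_writable_dir(path):
            findings.append(Finding(code, "autorun entry launches from a user-writable directory", raw))
        elif code == "O23" and "- Unknown owner -" in body and in_user_writable_dir(path):
            findings.append(Finding(code, "service with no publisher runs from a user-writable directory", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Run against the constructed sample, `triage` returns three findings, in log order: the constructed R1 search page, the constructed O4 entry under Application Data, and the Norton 2009 Reset service (flagged only because it runs from All Users\Application Data with no publisher string; that alone says nothing about whether it is legitimate). Everything else passes the rules, which is the point: the helper narrows the list a human reads, it does not decide.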


#2 teacup61
    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 January 2009 - 09:13 PM

Hello Jimmy Farmer,


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Jimmy Farmer
  • Topic Starter
  • Members
  • 13 posts

Posted 09 January 2009 - 08:25 PM

I ran the ComboFix file, and as I was running it, it said my computer didn't have the Recovery Console installed and asked if I wanted to download it. I said yes, but the download failed, as have all my attempted downloads from Microsoft in recent weeks.

Also, while ComboFix was running it had an error about a file called temp01. I didn't write the exact error down in time before it went away. I think it said something about being unable to access temp01?

Anyhow, here is the ComboFix log as well as a new HijackThis log.

ComboFix 09-01-09.01 - Carloo 2009-01-09 20:14:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2483 [GMT -5:00]
Running from: c:\documents and settings\Carloo\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090109-0] *On-access scanning disabled* (Updated)
AV: BitDefender Antivirus *On-access scanning enabled* (Outdated)
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
FW: BitDefender Firewall *enabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Carloo\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.

2009-01-09 01:26 . 2009-01-09 01:26 850 --a------ c:\windows\system32\ProductTweaks.xml
2009-01-09 01:26 . 2009-01-09 01:26 385 --a------ c:\windows\system32\user_gensett.xml
2009-01-09 00:36 . 2009-01-09 00:36 <DIR> d-------- c:\windows\system32\logs
2009-01-09 00:36 . 2009-01-09 00:36 <DIR> d-------- c:\documents and settings\Carloo\Application Data\BitDefender
2009-01-09 00:35 . 2009-01-09 01:44 <DIR> d-------- c:\program files\BitDefender
2009-01-09 00:35 . 2009-01-09 00:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\BitDefender
2009-01-09 00:33 . 2009-01-09 00:33 <DIR> d-------- c:\windows\system32\URTTEMP
2009-01-09 00:32 . 2009-01-09 00:36 <DIR> d-------- c:\program files\Common Files\BitDefender
2009-01-08 14:44 . 2009-01-08 14:44 <DIR> d-------- c:\documents and settings\Carloo\Application Data\AVGTOOLBAR
2009-01-08 14:44 . 2009-01-08 14:44 50,968 --a------ c:\windows\system32\avgfwdx.dll
2009-01-08 14:44 . 2009-01-08 14:44 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
2009-01-08 14:43 . 2009-01-09 00:07 <DIR> d-------- c:\windows\SxsCaPendDel
2009-01-08 04:29 . 2009-01-08 04:29 <DIR> d-------- c:\program files\Alwil Software
2009-01-08 02:45 . 2009-01-08 02:45 <DIR> d-------- c:\windows\Sun
2009-01-08 00:23 . 2009-01-08 00:23 <DIR> d-------- c:\program files\Trend Micro
2009-01-08 00:06 . 2009-01-08 00:06 <DIR> d-------- c:\documents and settings\Carloo\Application Data\Malwarebytes
2009-01-08 00:06 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 00:06 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-08 00:05 . 2009-01-08 00:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 00:05 . 2009-01-08 00:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-28 22:03 . 2008-12-28 22:03 <DIR> d-------- C:\lucky number sl
2008-12-28 22:02 . 2009-01-09 10:38 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-28 12:38 . 2008-12-28 12:40 <DIR> d-------- c:\program files\DVD Decrypter
2008-12-28 02:16 . 2008-12-23 04:30 6,914,048 --a------ c:\windows\system\CMICNFG3.cpl
2008-12-28 02:16 . 2008-12-23 04:30 917,504 --a------ c:\windows\system\CMDS3D3.dll
2008-12-28 02:16 . 2001-11-23 12:08 712,704 --a------ c:\windows\system\AUDIO3D3.dll
2008-12-28 02:16 . 2008-12-23 04:30 262,144 --a------ c:\windows\system32\CMRMDRV3.exe
2008-12-28 02:16 . 2003-04-09 19:10 32,768 --a------ c:\windows\system32\CMUdaProp3.dll
2008-12-28 02:16 . 2003-02-18 18:26 28,672 --a------ c:\windows\system32\CMRMDRV3.dll
2008-12-28 02:16 . 2008-12-28 02:16 4,146 --a------ c:\windows\Cmicnfg3.ini.cfl
2008-12-28 02:16 . 2008-12-28 02:16 172 --a------ c:\windows\system\Cmicnfg3.ini
2008-12-28 02:15 . 2008-12-28 02:15 <DIR> d-------- c:\program files\C-Media PCI Audio
2008-12-28 02:15 . 2008-04-21 15:34 1,405,696 --a------ c:\windows\system32\drivers\cmudax3.sys
2008-12-28 02:15 . 2008-03-06 18:59 274,432 --a------ c:\windows\CmiPCIUninstall.exe
2008-12-28 02:15 . 2008-04-21 11:19 3,418 --a------ c:\windows\Cmicnfg3.ini.cfg
2008-12-28 02:15 . 2008-12-23 04:30 12 --a------ c:\windows\cmudax3.ini
2008-12-28 01:48 . 2008-12-28 01:49 <DIR> d-------- c:\program files\Winamp
2008-12-28 01:48 . 2008-12-28 12:41 <DIR> d-------- c:\documents and settings\Carloo\Application Data\Winamp
2008-12-28 01:08 . 2008-12-28 01:08 <DIR> d-------- c:\program files\IrfanView
2008-12-28 00:56 . 2008-12-28 00:56 <DIR> d-------- c:\documents and settings\Carloo\Application Data\Vso
2008-12-28 00:56 . 2008-12-28 00:56 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2008-12-28 00:56 . 2008-12-28 00:56 47,360 --a------ c:\documents and settings\Carloo\Application Data\pcouffin.sys
2008-12-28 00:55 . 2008-12-28 03:35 <DIR> d-------- c:\program files\DVDFab 5
2008-12-28 00:30 . 2008-12-28 00:30 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-12-28 00:30 . 2008-04-07 05:38 45,392 -ra------ c:\windows\system32\AdobePDF.dll
2008-12-28 00:30 . 2008-04-07 05:38 22,872 -ra------ c:\windows\system32\AdobePDFUI.dll
2008-12-28 00:24 . 2008-12-28 00:30 <DIR> d-------- c:\program files\Common Files\Adobe
2008-12-25 02:25 . 2008-12-25 02:26 <DIR> d-------- c:\program files\QuickTime
2008-12-25 02:25 . 2008-12-25 02:25 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-25 02:24 . 2008-12-25 02:24 <DIR> d-------- c:\program files\Apple Software Update
2008-12-25 02:24 . 2008-12-25 02:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-25 01:26 . 2008-12-25 01:26 <DIR> d-------- c:\program files\Lavasoft
2008-12-25 01:26 . 2008-12-25 01:26 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-25 01:26 . 2008-12-25 01:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-25 00:56 . 2008-12-25 00:56 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Roxio
2008-12-25 00:56 . 2008-12-25 02:44 <DIR> d-------- c:\documents and settings\Carloo\Application Data\Roxio
2008-12-25 00:55 . 2008-12-25 00:55 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-25 00:55 . 2008-12-25 00:55 <DIR> d-------- c:\documents and settings\Carloo\Application Data\PC Tools
2008-12-25 00:55 . 2008-06-10 21:22 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-25 00:55 . 2008-06-02 15:19 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-25 00:55 . 2008-06-02 15:19 42,376 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-25 00:55 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-25 00:38 . 2009-01-09 20:09 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-25 00:36 . 2008-12-25 00:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Uninstall
2008-12-25 00:32 . 2008-08-01 01:00 25,584 --------- c:\windows\system32\drivers\SaibVd32.sys
2008-12-25 00:32 . 2008-08-01 01:00 20,464 --------- c:\windows\system32\drivers\SahdIa32.sys
2008-12-25 00:32 . 2008-08-01 01:00 15,856 --------- c:\windows\system32\drivers\SaibIa32.sys
2008-12-25 00:31 . 2008-12-25 00:31 <DIR> d-------- c:\program files\Roxio
2008-12-25 00:30 . 2008-12-25 00:31 <DIR> d-------- c:\program files\InterActual
2008-12-25 00:22 . 2008-12-25 00:28 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2008-12-25 00:22 . 2008-12-25 00:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio
2008-12-25 00:17 . 2008-12-25 00:29 <DIR> d-------- c:\program files\Roxio Creator 2009 Ultimate
2008-12-25 00:17 . 2008-12-25 00:25 <DIR> d-------- c:\program files\Common Files\Roxio Shared
2008-12-25 00:17 . 2009-01-09 01:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2008-12-25 00:16 . 2008-12-25 00:16 <DIR> d-------- c:\program files\SmartSound Software
2008-12-25 00:16 . 2008-12-25 02:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2008-12-25 00:15 . 2008-12-25 00:15 <DIR> d-------- c:\program files\MSXML 6.0
2008-12-25 00:11 . 2008-12-25 00:51 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-25 00:11 . 2008-12-25 00:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-23 05:43 . 2008-12-23 13:29 0 --a------ c:\windows\system32\REMOTEDEVICE.INI
2008-12-23 05:42 . 2008-12-28 21:23 4,535 --a------ c:\windows\system32\LOCALSERVICE.INI
2008-12-23 05:42 . 2008-12-28 21:20 97 --a------ c:\windows\system32\LOCALDEVICE.INI
2008-12-23 05:37 . 2008-12-23 05:37 0 --a------ c:\windows\system32\BSPRINT.INI
2008-12-23 05:36 . 2008-12-23 05:36 <DIR> d-------- c:\program files\IVT Corporation
2008-12-23 05:36 . 2008-12-23 05:36 50 --a------ C:\im.ini
2008-12-23 05:12 . 2008-04-14 00:09 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-12-23 05:12 . 2008-04-14 00:09 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-12-23 05:12 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-12-23 05:12 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-12-23 05:09 . 2008-12-23 05:37 32 --a------ c:\windows\0
2008-12-23 05:09 . 2008-12-23 05:09 0 --a------ c:\windows\system32\0
2008-12-23 05:04 . 2001-08-21 14:47 111,522 --a------ c:\windows\system32\drivers\MR97110.sys
2008-12-23 05:04 . 2001-08-16 17:24 36,864 --a------ c:\windows\system32\mrvfwext.dll
2008-12-23 05:04 . 2001-07-09 09:50 16,290 --a------ c:\windows\Marssnap.wav
2008-12-23 05:04 . 2001-02-21 14:08 15,164 --a------ c:\windows\Marscam.ini
2008-12-23 05:04 . 2001-07-04 13:31 12,106 --a------ c:\windows\Marscam.src
2008-12-23 04:56 . 2008-12-23 04:56 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-12-23 04:55 . 2008-12-23 04:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-23 04:43 . 2008-12-23 04:43 <DIR> d-------- c:\documents and settings\Carloo\Application Data\InterVideo
2008-12-23 04:41 . 2008-12-25 00:51 <DIR> d-------- c:\program files\Google
2008-12-23 04:41 . 2008-12-25 02:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-23 04:40 . 2008-12-23 04:40 <DIR> d-------- c:\program files\InterVideo Information Service
2008-12-23 04:40 . 2008-12-23 04:40 <DIR> d-------- c:\program files\Common Files\Ulead
2008-12-23 04:40 . 2008-12-23 04:40 <DIR> d-------- c:\program files\Common Files\InterVideo
2008-12-23 04:40 . 2008-12-23 04:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
2008-12-23 04:40 . 2006-05-11 18:41 654 --------- c:\windows\remove.iss
2008-12-23 04:39 . 2008-12-23 04:40 <DIR> d-------- c:\program files\InterVideo
2008-12-23 04:31 . 2008-12-23 04:31 <DIR> d-------- c:\program files\C-Media PCI Audio Device
2008-12-23 04:31 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-23 04:31 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-23 04:29 . 2008-12-23 04:29 <DIR> d--h----- c:\windows\system32\CanonIJ Uninstaller Information
2008-12-23 04:29 . 2008-12-23 04:29 <DIR> d--h----- c:\program files\CanonBJ
2008-12-23 04:29 . 2008-12-23 04:29 <DIR> d-------- c:\program files\Canon
2008-12-23 04:29 . 2008-12-23 04:29 <DIR> d--h----- c:\documents and settings\All Users\Application Data\CanonBJ
2008-12-23 04:29 . 2008-04-03 05:00 198,656 --a------ c:\windows\system32\CNMLM7K.DLL
2008-12-23 04:29 . 2008-02-07 15:59 195,072 --a------ c:\windows\system32\CNCC150.DLL
2008-12-23 04:29 . 2005-05-30 19:45 139,264 --a------ c:\windows\system32\CNCL150.DLL
2008-12-23 04:29 . 2006-06-29 14:29 106,496 --a------ c:\windows\system32\cncisco.dll
2008-12-23 04:29 . 2008-02-07 15:59 37,888 --a------ c:\windows\system32\CNCI150.DLL
2008-12-23 04:17 . 2001-11-23 12:08 712,704 --a------ c:\windows\system\a3d.dll
2008-12-23 04:17 . 2008-04-14 00:15 52,864 --a------ c:\windows\system32\drivers\DMusic.sys
2008-12-23 04:17 . 2008-04-14 00:15 52,864 --a--c--- c:\windows\system32\dllcache\dmusic.sys
2008-12-23 04:17 . 2008-04-14 00:09 7,552 --a------ c:\windows\system32\drivers\MSKSSRV.sys
2008-12-23 04:17 . 2008-04-14 00:09 7,552 --a--c--- c:\windows\system32\dllcache\mskssrv.sys
2008-12-23 04:17 . 2008-04-14 00:15 6,272 --a------ c:\windows\system32\drivers\splitter.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 05:35 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-25 05:16 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-19 15:43 --------- d-----w c:\program files\ATI Technologies
2008-12-19 15:03 --------- d-----w c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"BtTray"="c:\program files\IVT Corporation\BlueSoleil\BtTray.exe" [2008-08-04 226816]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe" [2008-08-14 240112]
"CPMonitor"="c:\program files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe" [2008-08-10 80368]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2008-08-14 716800]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2008-08-10 69632]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"=
"c:\\Documents and Settings\\Carloo\\My Documents\\Azureus Downloads\\BlueSoleil 6.2.227.11 + Crack\\BlueSoleil32\\Crack\\BlueSoleilCS.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Spyware Doctor\\pctsGui.exe"=
"c:\\Program Files\\BitDefender\\BitDefender 2009\\uiscan.exe"=
"c:\\Program Files\\BitDefender\\BitDefender 2009\\seccenter.exe"=

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2008-01-21 20616]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2008-12-25 20464]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2008-12-25 15856]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-08 111184]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2008-12-25 25584]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-08-14 102208]
R3 DCamUSBMR;CMOS 100K-R Rev. 1.90;c:\windows\system32\drivers\MR97110.sys [2008-12-23 111522]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-01-21 26248]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-08 20560]
R4 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-07-02 82568]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-01-08 29208]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-01-08 29208]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-08-12 108864]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe [2008-08-14 313840]
S3 RoxMediaDB11;RoxMediaDB11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [2008-08-14 1124848]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-25 356920]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S4 .norton2009Reset;Norton 2009 Reset;c:\documents and settings\All Users\Application Data\Norton\Norton2009Reset.exe [2008-12-22 280833]
S4 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [2008-08-01 125424]
S4 BsMobileCS;BsMobileCS;c:\program files\IVT Corporation\BlueSoleil\BsMobileCS.exe [2008-08-01 143467]
S4 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe [2008-08-14 367088]
S4 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [2008-08-14 309744]
S4 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [2008-08-14 170480]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 500AFBBE
*NewlyCreated* - 83B509B4
*Deregistered* - 500afbbe
*Deregistered* - 83b509b4
*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CmPCIaudio - CMICNFG3.cpl


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Send by Bluetooth - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
IE: Send via &Message... - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 20:15:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1272)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-09 20:17:39
ComboFix-quarantined-files.txt 2009-01-10 01:17:36

Pre-Run: 214,225,399,808 bytes free
Post-Run: 214,698,770,432 bytes free

255

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:33 PM, on 1/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe"
O4 - HKLM\..\Run: [CPMonitor] "C:\Program Files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Send by Bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
O8 - Extra context menu item: Send via &Message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\skype4com.dll
O23 - Service: Norton 2009 Reset (.norton2009Reset) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Norton\Norton2009Reset.exe
O23 - Service: Roxio SAIB Service (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - Unknown owner - C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Roxio UPnP Renderer 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe
O23 - Service: Roxio Upnp Server 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe
O23 - Service: LiveShare P2P Server 11 (RoxLiveShare11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe
O23 - Service: RoxMediaDB11 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe
O23 - Service: Roxio Hard Drive Watcher 11 (RoxWatch11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 10318 bytes

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:50 AM
Posted 10 January 2009 - 08:22 PM

Hello,

Having 4 antivirus programs isn't helping anything at all. Make a choice between Norton, BitDefender, Avast!, and PC Tools, then disable or uninstall all the others. You're doing much more harm than good by running all those. You'll also see a marked improvement in performance.

After you have that squared away, please run a scan with the one you kept. Then please do this:

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can re-enable TeaTimer once your system is clean.

Now have another run with ComboFix and post the report in your reply, along with a new HijackThis log and a description of how it's running now. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 Jimmy Farmer
  • Topic Starter

  • Members
  • 13 posts
  • Local time:02:50 AM

Posted 12 January 2009 - 03:48 AM

I'm not sure what PC Tools is; I'm thinking it is from Spyware Doctor, but I'm not 100% sure, so I uninstalled it anyway.
I wouldn't normally have 4 different antivirus programs installed, but I was hoping one of them would fix something. I kept Avast. What antivirus program do you personally recommend?
I did all that you asked in your last post, but to no avail. Now when I attempt to go to the Windows Update site I get redirected to Google instead of MSN. However, it appears as though my web browsing is working correctly again. Recently, if I searched for something in a search engine, I would have to click the link at least 2 or 3 times before it would actually go to the site it was supposed to... it would get redirected to some other random sites like my Windows Update does.

I ran ComboFix again. It said there was a new version of ComboFix and asked if I wanted to update... I did not update it.
I got the same error again as last time. When it gets past stage 50 it says,
"do not run any programs until combofix has finished.
Preparing log report.
findstr: cannot opent temp01"

Anyhow, here are the 2 logs:


ComboFix 09-01-09.01 - Carloo 2009-01-12 3:32:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2550 [GMT -5:00]
Running from: c:\documents and settings\Carloo\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090111-1] *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-12 03:05 . 2009-01-12 03:05 <DIR> d-------- c:\documents and settings\Carloo\Application Data\BitDefender
2009-01-10 19:19 . 2009-01-10 19:19 <DIR> d-------- c:\program files\MSI
2009-01-10 18:59 . 2009-01-10 18:59 <DIR> d-------- C:\00000082
2009-01-10 18:42 . 2009-01-10 18:42 <DIR> d-------- c:\program files\Microsoft Works
2009-01-10 18:41 . 2009-01-10 18:41 <DIR> d-------- c:\program files\Microsoft.NET
2009-01-10 18:37 . 2009-01-10 18:37 <DIR> d-------- c:\windows\SHELLNEW
2009-01-10 18:37 . 2009-01-10 18:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-10 18:36 . 2009-01-10 18:36 <DIR> dr-h----- C:\MSOCache
2009-01-10 18:29 . 2009-01-10 19:36 536 --a------ c:\windows\system\Cmicnfg3.ini
2009-01-09 01:26 . 2009-01-09 01:26 850 --a------ c:\windows\system32\ProductTweaks.xml
2009-01-09 01:26 . 2009-01-09 01:26 385 --a------ c:\windows\system32\user_gensett.xml
2009-01-09 00:36 . 2009-01-09 00:36 <DIR> d-------- c:\windows\system32\logs
2009-01-09 00:33 . 2009-01-09 00:33 <DIR> d-------- c:\windows\system32\URTTEMP
2009-01-09 00:32 . 2009-01-12 02:57 <DIR> d-------- c:\program files\Common Files\BitDefender
2009-01-08 14:44 . 2009-01-08 14:44 <DIR> d-------- c:\documents and settings\Carloo\Application Data\AVGTOOLBAR
2009-01-08 14:44 . 2009-01-08 14:44 50,968 --a------ c:\windows\system32\avgfwdx.dll
2009-01-08 14:44 . 2009-01-08 14:44 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
2009-01-08 14:43 . 2009-01-09 00:07 <DIR> d-------- c:\windows\SxsCaPendDel
2009-01-08 04:29 . 2009-01-08 04:29 <DIR> d-------- c:\program files\Alwil Software
2009-01-08 02:45 . 2009-01-08 02:45 <DIR> d-------- c:\windows\Sun
2009-01-08 00:23 . 2009-01-08 00:23 <DIR> d-------- c:\program files\Trend Micro
2009-01-08 00:06 . 2009-01-08 00:06 <DIR> d-------- c:\documents and settings\Carloo\Application Data\Malwarebytes
2009-01-08 00:06 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 00:06 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-08 00:05 . 2009-01-08 00:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 00:05 . 2009-01-08 00:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-28 22:03 . 2008-12-28 22:03 <DIR> d-------- C:\lucky number sl
2008-12-28 22:02 . 2009-01-09 10:38 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-28 12:38 . 2008-12-28 12:40 <DIR> d-------- c:\program files\DVD Decrypter
2008-12-28 02:16 . 2009-01-10 18:28 6,914,048 --a------ c:\windows\system\CMICNFG3.cpl
2008-12-28 02:16 . 2009-01-10 18:28 917,504 --a------ c:\windows\system\CMDS3D3.dll
2008-12-28 02:16 . 2001-11-23 12:08 712,704 --a------ c:\windows\system\AUDIO3D3.dll
2008-12-28 02:16 . 2009-01-10 18:28 262,144 --a------ c:\windows\system32\CMRMDRV3.exe
2008-12-28 02:16 . 2003-04-09 19:10 32,768 --a------ c:\windows\system32\CMUdaProp3.dll
2008-12-28 02:16 . 2003-02-18 18:26 28,672 --a------ c:\windows\system32\CMRMDRV3.dll
2008-12-28 02:16 . 2009-01-10 18:29 8,223 --a------ c:\windows\Cmicnfg3.ini.cfl
2008-12-28 02:15 . 2009-01-10 18:28 <DIR> d-------- c:\program files\C-Media PCI Audio
2008-12-28 02:15 . 2008-04-21 15:34 1,405,696 --a------ c:\windows\system32\drivers\cmudax3.sys
2008-12-28 02:15 . 2008-03-06 18:59 274,432 --a------ c:\windows\CmiPCIUninstall.exe
2008-12-28 02:15 . 2009-01-10 18:28 3,418 --a------ c:\windows\Cmicnfg3.ini.cfg
2008-12-28 02:15 . 2007-11-16 15:56 12 --a------ c:\windows\cmudax3.ini
2008-12-28 01:48 . 2008-12-28 01:49 <DIR> d-------- c:\program files\Winamp
2008-12-28 01:48 . 2008-12-28 12:41 <DIR> d-------- c:\documents and settings\Carloo\Application Data\Winamp
2008-12-28 01:08 . 2008-12-28 01:08 <DIR> d-------- c:\program files\IrfanView
2008-12-28 00:56 . 2008-12-28 00:56 <DIR> d-------- c:\documents and settings\Carloo\Application Data\Vso
2008-12-28 00:56 . 2008-12-28 00:56 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2008-12-28 00:56 . 2008-12-28 00:56 47,360 --a------ c:\documents and settings\Carloo\Application Data\pcouffin.sys
2008-12-28 00:55 . 2008-12-28 03:35 <DIR> d-------- c:\program files\DVDFab 5
2008-12-28 00:30 . 2008-12-28 00:30 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-12-28 00:30 . 2008-04-07 05:38 45,392 -ra------ c:\windows\system32\AdobePDF.dll
2008-12-28 00:30 . 2008-04-07 05:38 22,872 -ra------ c:\windows\system32\AdobePDFUI.dll
2008-12-28 00:24 . 2008-12-28 00:30 <DIR> d-------- c:\program files\Common Files\Adobe
2008-12-25 02:25 . 2008-12-25 02:26 <DIR> d-------- c:\program files\QuickTime
2008-12-25 02:25 . 2008-12-25 02:25 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-25 02:24 . 2008-12-25 02:24 <DIR> d-------- c:\program files\Apple Software Update
2008-12-25 02:24 . 2008-12-25 02:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-25 01:26 . 2008-12-25 01:26 <DIR> d-------- c:\program files\Lavasoft
2008-12-25 01:26 . 2008-12-25 01:26 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-25 01:26 . 2008-12-25 01:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-25 00:56 . 2008-12-25 00:56 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Roxio
2008-12-25 00:56 . 2008-12-25 02:44 <DIR> d-------- c:\documents and settings\Carloo\Application Data\Roxio
2008-12-25 00:38 . 2009-01-12 03:10 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-25 00:36 . 2008-12-25 00:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Uninstall
2008-12-25 00:32 . 2008-08-01 01:00 25,584 --------- c:\windows\system32\drivers\SaibVd32.sys
2008-12-25 00:32 . 2008-08-01 01:00 20,464 --------- c:\windows\system32\drivers\SahdIa32.sys
2008-12-25 00:32 . 2008-08-01 01:00 15,856 --------- c:\windows\system32\drivers\SaibIa32.sys
2008-12-25 00:31 . 2008-12-25 00:31 <DIR> d-------- c:\program files\Roxio
2008-12-25 00:30 . 2008-12-25 00:31 <DIR> d-------- c:\program files\InterActual
2008-12-25 00:22 . 2008-12-25 00:28 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2008-12-25 00:22 . 2008-12-25 00:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio
2008-12-25 00:17 . 2008-12-25 00:29 <DIR> d-------- c:\program files\Roxio Creator 2009 Ultimate
2008-12-25 00:17 . 2008-12-25 00:25 <DIR> d-------- c:\program files\Common Files\Roxio Shared
2008-12-25 00:17 . 2009-01-09 01:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2008-12-25 00:16 . 2008-12-25 00:16 <DIR> d-------- c:\program files\SmartSound Software
2008-12-25 00:16 . 2008-12-25 02:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2008-12-25 00:15 . 2008-12-25 00:15 <DIR> d-------- c:\program files\MSXML 6.0
2008-12-25 00:11 . 2008-12-25 00:51 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-25 00:11 . 2008-12-25 00:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-23 05:43 . 2008-12-23 13:29 0 --a------ c:\windows\system32\REMOTEDEVICE.INI
2008-12-23 05:42 . 2008-12-28 21:23 4,535 --a------ c:\windows\system32\LOCALSERVICE.INI
2008-12-23 05:42 . 2008-12-28 21:20 97 --a------ c:\windows\system32\LOCALDEVICE.INI
2008-12-23 05:37 . 2008-12-23 05:37 0 --a------ c:\windows\system32\BSPRINT.INI
2008-12-23 05:36 . 2008-12-23 05:36 <DIR> d-------- c:\program files\IVT Corporation
2008-12-23 05:36 . 2008-12-23 05:36 50 --a------ C:\im.ini
2008-12-23 05:12 . 2008-04-14 00:09 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-12-23 05:12 . 2008-04-14 00:09 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-12-23 05:12 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-12-23 05:12 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-12-23 05:09 . 2008-12-23 05:37 32 --a------ c:\windows\0
2008-12-23 05:09 . 2008-12-23 05:09 0 --a------ c:\windows\system32\0
2008-12-23 05:04 . 2001-08-21 14:47 111,522 --a------ c:\windows\system32\drivers\MR97110.sys
2008-12-23 05:04 . 2001-08-16 17:24 36,864 --a------ c:\windows\system32\mrvfwext.dll
2008-12-23 05:04 . 2001-07-09 09:50 16,290 --a------ c:\windows\Marssnap.wav
2008-12-23 05:04 . 2001-02-21 14:08 15,164 --a------ c:\windows\Marscam.ini
2008-12-23 05:04 . 2001-07-04 13:31 12,106 --a------ c:\windows\Marscam.src
2008-12-23 04:56 . 2008-12-23 04:56 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-12-23 04:55 . 2008-12-23 04:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-23 04:43 . 2008-12-23 04:43 <DIR> d-------- c:\documents and settings\Carloo\Application Data\InterVideo
2008-12-23 04:41 . 2008-12-25 00:51 <DIR> d-------- c:\program files\Google
2008-12-23 04:41 . 2008-12-25 02:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-23 04:40 . 2008-12-23 04:40 <DIR> d-------- c:\program files\InterVideo Information Service
2008-12-23 04:40 . 2008-12-23 04:40 <DIR> d-------- c:\program files\Common Files\Ulead
2008-12-23 04:40 . 2008-12-23 04:40 <DIR> d-------- c:\program files\Common Files\InterVideo
2008-12-23 04:40 . 2008-12-23 04:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
2008-12-23 04:40 . 2006-05-11 18:41 654 --------- c:\windows\remove.iss
2008-12-23 04:39 . 2008-12-23 04:40 <DIR> d-------- c:\program files\InterVideo
2008-12-23 04:31 . 2008-12-23 04:31 <DIR> d-------- c:\program files\C-Media PCI Audio Device
2008-12-23 04:31 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-23 04:31 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-23 04:29 . 2008-12-23 04:29 <DIR> d--h----- c:\windows\system32\CanonIJ Uninstaller Information
2008-12-23 04:29 . 2008-12-23 04:29 <DIR> d--h----- c:\program files\CanonBJ
2008-12-23 04:29 . 2008-12-23 04:29 <DIR> d-------- c:\program files\Canon
2008-12-23 04:29 . 2008-12-23 04:29 <DIR> d--h----- c:\documents and settings\All Users\Application Data\CanonBJ
2008-12-23 04:29 . 2008-04-03 05:00 198,656 --a------ c:\windows\system32\CNMLM7K.DLL
2008-12-23 04:29 . 2008-02-07 15:59 195,072 --a------ c:\windows\system32\CNCC150.DLL
2008-12-23 04:29 . 2005-05-30 19:45 139,264 --a------ c:\windows\system32\CNCL150.DLL
2008-12-23 04:29 . 2006-06-29 14:29 106,496 --a------ c:\windows\system32\cncisco.dll
2008-12-23 04:29 . 2008-02-07 15:59 37,888 --a------ c:\windows\system32\CNCI150.DLL
2008-12-23 04:17 . 2001-11-23 12:08 712,704 --a------ c:\windows\system\a3d.dll
2008-12-23 04:17 . 2008-04-14 00:15 52,864 --a------ c:\windows\system32\drivers\DMusic.sys
2008-12-23 04:17 . 2008-04-14 00:15 52,864 --a--c--- c:\windows\system32\dllcache\dmusic.sys
2008-12-23 04:17 . 2008-04-14 00:09 7,552 --a------ c:\windows\system32\drivers\MSKSSRV.sys
2008-12-23 04:17 . 2008-04-14 00:09 7,552 --a--c--- c:\windows\system32\dllcache\mskssrv.sys
2008-12-23 04:17 . 2008-04-14 00:15 6,272 --a------ c:\windows\system32\drivers\splitter.sys
2008-12-23 04:17 . 2008-04-14 00:15 6,272 --a--c--- c:\windows\system32\dllcache\splitter.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 05:35 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-25 05:16 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-19 15:43 --------- d-----w c:\program files\ATI Technologies
2008-12-19 15:03 --------- d-----w c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2009-01-09_20.16.17.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-10 23:42:33 110,592 ----a-w c:\windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll
+ 2009-01-10 23:42:34 4,608 ----a-w c:\windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\extensibility.dll
+ 2009-01-10 23:42:32 8,007,680 ----a-w c:\windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll
+ 2009-01-10 23:41:30 80,696 ----a-w c:\windows\assembly\GAC\Microsoft.Office.Interop.Access.Dao\12.0.0.0__71e9bce111e9429c\Microsoft.Office.interop.access.dao.dll
+ 2009-01-10 23:42:02 1,276,720 ----a-w c:\windows\assembly\GAC\Microsoft.Office.Interop.Excel\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Excel.dll
+ 2009-01-10 23:42:03 150,320 ----a-w c:\windows\assembly\GAC\Microsoft.Office.Interop.Graph\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Graph.dll
+ 2009-01-10 23:42:04 248,632 ----a-w c:\windows\assembly\GAC\Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.PowerPoint.dll
+ 2009-01-10 23:42:03 20,280 ----a-w c:\windows\assembly\GAC\Microsoft.Office.Interop.SmartTag\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.SmartTag.dll
+ 2009-01-10 23:42:04 781,104 ----a-w c:\windows\assembly\GAC\Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Word.dll
+ 2009-01-10 23:42:31 13,312 ----a-w c:\windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.stdformat.dll
+ 2009-01-10 23:42:03 371,496 ----a-w c:\windows\assembly\GAC\Microsoft.Vbe.Interop.Forms\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.Forms.dll
+ 2009-01-10 23:42:04 64,288 ----a-w c:\windows\assembly\GAC\Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
+ 2009-01-10 23:42:31 229,376 ----a-w c:\windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL
+ 2009-01-10 23:42:33 4,096 ----a-w c:\windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll
+ 2009-01-10 23:42:03 416,544 ----a-w c:\windows\assembly\GAC\office\12.0.0.0__71e9bce111e9429c\OFFICE.DLL
+ 2009-01-10 23:41:31 12,096 ----a-w c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Excel\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Excel.dll
+ 2009-01-10 23:42:12 12,096 ----a-w c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Graph\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Graph.dll
+ 2009-01-10 23:42:22 12,112 ----a-w c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.PowerPoint.dll
+ 2009-01-10 23:42:14 12,104 ----a-w c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.SmartTag\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.SmartTag.dll
+ 2009-01-10 23:42:26 12,096 ----a-w c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Word.dll
+ 2009-01-10 23:42:16 12,080 ----a-w c:\windows\assembly\GAC\Policy.11.0.Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Vbe.Interop.dll
+ 2009-01-10 23:42:16 11,544 ----a-w c:\windows\assembly\GAC\Policy.11.0.office\12.0.0.0__71e9bce111e9429c\Policy.11.0.Office.dll
+ 2009-01-10 23:42:31 16,384 ----a-w c:\windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll
+ 2004-11-17 22:33:18 589,880 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109010090400000000000F01FEC\12.0.4518\FP4AUTL.DLL
+ 2004-11-17 22:33:18 450,669 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109010090400000000000F01FEC\12.0.4518\FP4AWEC.DLL
+ 2009-01-10 23:44:16 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-01-10 23:44:16 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-01-10 23:44:16 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-01-10 23:44:16 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-01-10 23:44:16 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-01-10 23:44:16 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-01-10 23:44:17 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-01-10 23:44:16 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-01-10 23:44:16 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-01-10 23:44:16 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-01-10 23:44:16 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-01-10 23:44:16 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-01-10 23:37:36 217,864 ----a-r c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2008-01-31 22:18:14 9,216 ----a-w c:\windows\system32\drivers\FlashSys.sys
+ 2006-10-26 19:10:08 1,190,688 ----a-w c:\windows\system32\FM20.DLL
+ 2006-10-26 19:10:06 33,088 ----a-w c:\windows\system32\FM20ENU.DLL
- 2008-12-28 05:58:22 152,384 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-01-10 23:59:11 244,720 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2006-10-26 18:45:04 207,360 ----a-w c:\windows\system32\INKED.DLL
+ 2006-07-24 15:50:38 125,744 ----a-w c:\windows\system32\MSSTDFMT.DLL
+ 2008-04-13 16:21:50 17,920 ----a-w c:\windows\system32\Ntaccess.sys
- 2008-12-28 07:15:28 110,592 ----a-w c:\windows\system32\OpenAL32.dll
+ 2009-01-10 23:29:03 110,592 ----a-w c:\windows\system32\OpenAL32.dll
+ 2008-04-14 05:15:16 60,160 ----a-w c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\drmk.sys
+ 2008-04-14 05:46:38 141,056 ----a-w c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\ks.sys
+ 2008-04-14 10:41:58 4,096 ----a-w c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\ksuser.dll
+ 2008-03-21 17:35:30 146,048 ----a-w c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\portcls.sys
+ 2008-04-14 05:15:16 49,408 ----a-w c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\stream.sys
+ 2008-04-14 10:42:46 23,552 ----a-w c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\wdmaud.drv
+ 2006-07-24 15:50:40 39,728 ----a-w c:\windows\system32\SCP32.DLL
+ 2006-07-24 15:50:40 47,920 ----a-w c:\windows\system32\VBAME.DLL
+ 2006-10-26 18:45:04 293,376 ----a-w c:\windows\system32\WISPTIS.EXE
- 2008-12-28 07:15:29 413,696 ----a-w c:\windows\system32\wrap_oal.dll
+ 2009-01-10 23:29:03 413,696 ----a-w c:\windows\system32\wrap_oal.dll
+ 2009-01-12 08:11:52 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_750.dat
+ 2009-01-12 08:12:07 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_8a0.dat
+ 2006-10-26 18:40:36 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80CHS.dll
+ 2006-10-26 18:40:36 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80CHT.dll
+ 2006-10-26 18:40:36 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80DEU.dll
+ 2006-10-26 18:40:36 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ENU.dll
+ 2006-10-26 18:40:36 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ESP.dll
+ 2006-10-26 18:40:36 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80FRA.dll
+ 2006-10-26 18:40:36 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ITA.dll
+ 2006-10-26 18:40:36 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80JPN.dll
+ 2006-10-26 18:40:36 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80KOR.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"BtTray"="c:\program files\IVT Corporation\BlueSoleil\BtTray.exe" [2008-08-04 226816]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe" [2008-08-14 240112]
"CPMonitor"="c:\program files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe" [2008-08-10 80368]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"CmPCIaudio"="CMICNFG3.cpl" [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"=
"c:\\Documents and Settings\\Carloo\\My Documents\\Azureus Downloads\\BlueSoleil 6.2.227.11 + Crack\\BlueSoleil32\\Crack\\BlueSoleilCS.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2008-01-21 20616]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2008-12-25 20464]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2008-12-25 15856]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-08 111184]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2008-12-25 25584]
R3 DCamUSBMR;CMOS 100K-R Rev. 1.90;c:\windows\system32\drivers\MR97110.sys [2008-12-23 111522]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-01-21 26248]
R4 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [2008-08-01 125424]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-08 20560]
R4 BsMobileCS;BsMobileCS;c:\program files\IVT Corporation\BlueSoleil\BsMobileCS.exe [2008-08-01 143467]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-01-08 29208]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-01-08 29208]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe [2008-08-14 313840]
S3 RoxMediaDB11;RoxMediaDB11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [2008-08-14 1124848]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S4 .norton2009Reset;Norton 2009 Reset;c:\documents and settings\All Users\Application Data\Norton\Norton2009Reset.exe [2008-12-22 280833]
S4 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe [2008-08-14 367088]
S4 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [2008-08-14 309744]
S4 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [2008-08-14 170480]
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send by Bluetooth - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
IE: Send via &Message... - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
Trusted Zone: asia.msi.com.tw
Trusted Zone: global.msi.com.tw
Trusted Zone: www.msi.com.tw

O16 -: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
c:\windows\Downloaded Program Files\MSIWDev.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 03:34:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-12 3:36:01
ComboFix-quarantined-files.txt 2009-01-12 08:35:58
ComboFix2.txt 2009-01-10 01:17:40

Pre-Run: 213,360,705,536 bytes free
Post-Run: 213,559,422,976 bytes free

307

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:06 AM, on 1/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe"
O4 - HKLM\..\Run: [CPMonitor] "C:\Program Files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send by Bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
O8 - Extra context menu item: Send via &Message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\skype4com.dll
O23 - Service: Norton 2009 Reset (.norton2009Reset) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Norton\Norton2009Reset.exe
O23 - Service: Roxio SAIB Service (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - Unknown owner - C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Roxio UPnP Renderer 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe
O23 - Service: Roxio Upnp Server 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe
O23 - Service: LiveShare P2P Server 11 (RoxLiveShare11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe
O23 - Service: RoxMediaDB11 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe
O23 - Service: Roxio Hard Drive Watcher 11 (RoxWatch11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe

--
End of file - 9653 bytes

#6 Jimmy Farmer
  • Topic Starter
  • Members
  • 13 posts

Posted 12 January 2009 - 03:57 AM

I spoke too soon; my browsing is still messed up and links are still getting redirected to places they shouldn't be.

#7 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 12 January 2009 - 08:13 PM

Hello,

Could you please have another run with MBAM and post the report? :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#8 Jimmy Farmer
  • Topic Starter
  • Members
  • 13 posts

Posted 13 January 2009 - 11:43 AM

Malwarebytes' Anti-Malware 1.32
Database version: 1647
Windows 5.1.2600 Service Pack 3

1/13/2009 4:13:54 AM
mbam-log-2009-01-13 (04-13-54).txt

Scan type: Full Scan (C:\|)
Objects scanned: 99486
Time elapsed: 23 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 13 January 2009 - 02:10 PM

Hello,

Thanks. :thumbsup: Do you have a router?

#10 Jimmy Farmer
  • Topic Starter
  • Members
  • 13 posts

Posted 14 January 2009 - 05:58 AM

Yes, I do have a router.

#11 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 14 January 2009 - 02:03 PM

Hello,

Please disconnect your computer from the router, then reset your router and put a password on it. Before you hook it back up, run a scan with your AntiVirus, or Spybot. If it/they come back clean then hook your computer back to the router and see if the redirects stop. :thumbsup:

Let me know how you come out. :)

tea

#12 Jimmy Farmer
  • Topic Starter
  • Members
  • 13 posts

Posted 16 January 2009 - 01:19 AM

I never thought the router could be a cause for concern. In that regard, I have some more info that may or may not be relevant. My computer is part of a 4-computer network; the computer on which the router is configured is not mine... would that be a potential cause for concern? I haven't used that computer in months and don't know what kind of state it's in. My cousin is the primary user on that computer and, knowing her, that computer could very well be infected with spyware or viruses. If that computer is infected, could that be causing problems across the network?

My browsing on my computer seems to be getting worse with each day that passes. For instance, as I am typing, nothing appears right away; there is a delay of about 3-5 seconds after I stop typing before the text actually shows up. And trying to check my emails has been horrendous lately. It takes a good 5 minutes after I click check mail for the page to load. I have given up even attempting to check my email from home, it's gotten that bad.
Most sites work without problems, but my email and Google or Yahoo maps seem to not function properly.

I will attempt to reset the router tomorrow as I don't have access to it at the present moment.

#13 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 January 2009 - 02:40 AM

Hello,

Yes, it could very well be. Check and see if the other folks on the network are having problems. In the meantime, you can test the theory by disconnecting from the network, flushing the DNS, running a scan or so, and seeing how the computer responds without being on the network. The infection I'm wondering about actually infects the router, and not the computer, so resetting the router is the only way to stop the infection.

Click Start>Run> Type in (or copy and paste) ipconfig /flushdns and hit enter. You may not see anything happen, or just a quick flash, but that's normal. Reboot and see if the computer itself is better.

tea
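
The post above puts the fault in the router rather than the PC, which on a home LAN means the router is the box answering the computer's DNS questions. The Python script below is an added example (not code from the thread or from any tool mentioned in it): it resolves a few hostnames through the system resolver and again by querying a trusted resolver directly over UDP/53, then flags the DNS-changer signature of unrelated hostnames all landing on one address. The hostnames, the 198.51.100.53 resolver address and the sample answers are constructed placeholders.

```python
"""Added example for the router/DNS theory in this thread: resolve a few hostnames
through the system resolver (on a home LAN, that means through the router) and
again by querying a trusted resolver directly, then flag the DNS-changer
signature of unrelated hostnames all landing on one address. Every hostname,
resolver address and sample answer here is a constructed placeholder."""
import random
import socket
import struct
from typing import Dict, List

TRUSTED_RESOLVER = "198.51.100.53"  # PLACEHOLDER: put a resolver you trust here
CHECK_HOSTS = ["update.example", "search.example", "av-update.example.net"]  # constructed


def build_query(name: str, qid: int) -> bytes:
    """Minimal RFC 1035 A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def build_response(name: str, qid: int, ips: List[str]) -> bytes:
    """Constructed reply for offline testing: QR=1, RCODE=0, one A record per IP,
    each owner name a compression pointer (0xC00C) back to the question."""
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    rrs = [b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip) for ip in ips]
    return header + build_query(name, qid)[12:] + b"".join(rrs)


def skip_name(buf: bytes, pos: int) -> int:
    """Advance past a domain name; a compression pointer (top two bits set) ends it."""
    while buf[pos] != 0:
        if (buf[pos] & 0xC0) == 0xC0:
            return pos + 2
        pos += 1 + buf[pos]
    return pos + 1


def parse_a_records(resp: bytes, qid: int) -> List[str]:
    """Sorted IPv4 answers, or [] when the ID does not match or RCODE is non-zero."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if rid != qid or flags & 0x000F:
        return []
    pos = 12
    for _ in range(qd):  # skip the echoed question section
        pos = skip_name(resp, pos) + 4
    ips = []
    for _ in range(an):
        pos = skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return sorted(ips)


def query_direct(server: str, name: str, timeout: float = 2.0) -> List[str]:
    """Ask `server` over UDP/53 directly, bypassing the stub resolver and the router."""
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, qid)


def shared_addresses(answers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Addresses that hosts from *different* registrable domains resolve to.
    Unrelated vendors rarely share an IP; a resolver that funnels update and
    search traffic to one proxy does, which is the redirect symptom here."""
    def registrable(host: str) -> str:
        return ".".join(host.rstrip(".").split(".")[-2:])
    by_ip: Dict[str, set] = {}
    for host, ips in answers.items():
        for ip in ips:
            by_ip.setdefault(ip, set()).add(host)
    return {ip: sorted(h) for ip, h in by_ip.items() if len({registrable(x) for x in h}) > 1}


if __name__ == "__main__":
    local: Dict[str, List[str]] = {}
    for h in CHECK_HOSTS:
        try:
            local[h] = sorted(socket.gethostbyname_ex(h)[2])
        except socket.gaierror:
            local[h] = []  # no answer at all is itself worth noting for an update site
    trusted = {h: query_direct(TRUSTED_RESOLVER, h) for h in CHECK_HOSTS}
    for h in CHECK_HOSTS:
        print(f"{h:24} local={local[h]} trusted={trusted[h]}")
    print("one address shared by unrelated hosts:", shared_addresses(local))
```

Run it once on the LAN and once with the PC plugged straight into the modem; if the two runs disagree only while the router is in the path, that is the router-side evidence the post is asking for.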

#14 Jimmy Farmer
  • Topic Starter
  • Members
  • 13 posts

Posted 19 January 2009 - 02:31 PM

Here is the latest and greatest...

I went on the computer that the router gets configured through and ran MBAM, and there were only 2 infected objects, which I removed. I attempted to create a password and now I'm having more problems.
By default the user name was "admin" and the password was blank.
I changed the user name and password. The first 2 times I attempted to sign in again using my new name and password it didn't work; the 3rd time it worked. I thought perhaps I was mistyping something. I then closed my browser and opened it again attempting to log in, and now I cannot log in at all. My new name and password don't work, along with the old name and password. I've attempted several times and I am certain I am not mistyping anything. I can't figure out how to log in now. I don't know if there is a way to reset it to the default settings again? I'm using a D-Link router.
Another thing that I found very interesting is that that computer is running extremely slow... so slow it hurts sitting there watching it. When it is unplugged from the router it runs much better.

#15 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 19 January 2009 - 03:16 PM

Hello,

There should be a reset button on it somewhere. Sometimes you have to really look for it, but it's there. We're talking paperclip small. When you find that and reset it, that should take it back to default settings, with the generic login of admin/blank.

Beyond that, I really think whatever is wrong is in the router, especially since you've tested it and it runs better without it. Are you able to direct connect to the internet without the router, just to see how the computer runs? Did you ask the other folks on the network if they're having problems too?

tea
