Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win32.agent.pz


  • This topic is locked This topic is locked
10 replies to this topic

#1 fakdd

fakdd

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 28 May 2007 - 08:36 PM

Do not know when I got this bug. But I read through the forums and found a almost identical problem, did what the posts said and this thing still shows up in the sbybot scan. also in the network connections there is one that says "internet connection". I do not remember when I installed the router if that showed up or not. I have it disabled right now and can still get on the internet. I can not get any properties from it at all, any suggestions on this?

here is my hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 8:18:09 PM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\KWorld Multimedia\DVB Plus\DVBS\Scheduled.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\FlashGet\FlashGet.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
E:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINDOWS\system32\comi.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DTVR Agent] C:\Program Files\KWorld Multimedia\DVB Plus\DVBS\Scheduled.exe
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\Scansoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe"
O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [FlashGet] "C:\Program Files\FlashGet\FlashGet.exe" /min
O4 - HKLM\..\Run: [DriverMagicLogon] "C:\Program Files\SymplisIT\DriverMagic\dmschedule.exe" /boot
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Install.exe] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
O4 - HKCU\..\Run: [XPRepairPro2007] C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe /r
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1156962280953
O16 - DPF: {8B0F07E1-00F9-4B1B-9A2F-456DC0F54EBF} (PortDetector Control) - http://vlab1se-ekt2.elementk.com/vlab/ax/PortTester.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - file://F:\webpull\support\disc\ASP\tools\en\bin\npseatools.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe

BC AdBot (Login to Remove)

 


m

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:33 PM

Posted 29 May 2007 - 09:17 AM

Hello,

Please uninstall XP Repair Pro 2007 in case you didn't purchase it. This because I have seen it already causing a lot of problems and removing registry keys and others it wasn't supposed to remove.

Then, * Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 fakdd

fakdd
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 29 May 2007 - 08:00 PM

I had already uninstalled the XP Repair Pro 2007.

Here is the HiJack this log:

Logfile of HijackThis v1.99.1
Scan saved at 7:58:31 PM, on 5/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\SAgent4.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\KWorld Multimedia\DVB Plus\DVBS\Scheduled.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\FlashGet\FlashGet.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
E:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINDOWS\system32\comi.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DTVR Agent] C:\Program Files\KWorld Multimedia\DVB Plus\DVBS\Scheduled.exe
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\Scansoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe"
O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [FlashGet] "C:\Program Files\FlashGet\FlashGet.exe" /min
O4 - HKLM\..\Run: [DriverMagicLogon] "C:\Program Files\SymplisIT\DriverMagic\dmschedule.exe" /boot
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
O4 - HKCU\..\Run: [XPRepairPro2007] C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe /r
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1156962280953
O16 - DPF: {8B0F07E1-00F9-4B1B-9A2F-456DC0F54EBF} (PortDetector Control) - http://vlab1se-ekt2.elementk.com/vlab/ax/PortTester.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - file://F:\webpull\support\disc\ASP\tools\en\bin\npseatools.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe



and here is the combofix txt file


"Mopy" - 2007-05-29 19:48:30 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Mopy\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\install.log"
"C:\WINDOWS\svchost.exe"
"C:\WINDOWS\system32\perfc000.dat"
"C:\WINDOWS\system32\comi.dll"
"C:\WINDOWS\system32\perfc000.dat"


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))


2007-05-28 19:18 <DIR> d----c--- C:\!KillBox
2007-05-28 13:25 22,169 --a--c--- C:\WINDOWS\zzzx.exe
2007-05-26 13:20 <DIR> d----c--- C:\Program Files\Oldblivion
2007-05-26 12:27 121,856 ---h-c--- C:\WINDOWS\system32\pgwp.exe
2007-05-25 23:37 <DIR> d----c--- C:\webcam driver pack
2007-05-25 22:21 <DIR> d----c--- C:\Program Files\MagicISO
2007-05-25 18:37 <DIR> d----c--- C:\Program Files\MPEG2_Decoders
2007-05-23 23:40 14 --a--c--- C:\Documents and Settings\Mopy\getfile.dat
2007-05-23 23:40 14 --a--c--- C:\DOCUME~1\Mopy\getfile.dat
2007-05-22 23:28 520,192 -----c--- C:\WINDOWS\system32\ati2sgag.exe
2007-05-18 23:46 <DIR> d--hsc--- C:\WINDOWS\ftpcache
2007-05-18 23:45 <DIR> d----c--- C:\Program Files\Ciao Bella
2007-05-18 21:32 <DIR> d----c--- C:\DOCUME~1\Mopy\APPLIC~1\atitray
2007-05-18 21:23 451,072 --a--c--- C:\WINDOWS\Radeon Omega Drivers v3.8.252 Uninstall.exe
2007-05-12 20:37 <DIR> d----c--- C:\DOCUME~1\Casey\APPLIC~1\WinPatrol
2007-05-12 20:37 <DIR> d----c--- C:\DOCUME~1\Casey\APPLIC~1\ATI
2007-05-10 23:53 2,301 --a--c--- C:\WINDOWS\mozver.dat
2007-05-09 22:23 <DIR> d----c--- C:\Program Files\Floppy Image
2007-05-09 22:20 44,304 --a--c--- C:\WINDOWS\system32\msrpfs35.dll
2007-05-09 22:20 415,504 --a--c--- C:\WINDOWS\system32\msrepl35.dll
2007-05-09 22:20 39,424 --a--c--- C:\WINDOWS\system32\JETCOMP.exe
2007-05-09 22:20 368,912 --a--c--- C:\WINDOWS\system32\VBAR332.DLL
2007-05-09 22:20 344,064 --a--c--- C:\WINDOWS\system32\msexch35.dll
2007-05-09 22:20 294,912 --a--c--- C:\WINDOWS\system32\msxbse35.dll
2007-05-09 22:20 262,144 --a--c--- C:\WINDOWS\system32\msrd2x35.dll
2007-05-09 22:20 252,688 --a--c--- C:\WINDOWS\system32\msexcl35.dll
2007-05-09 22:20 250,128 --a--c--- C:\WINDOWS\system32\mspdox35.dll
2007-05-09 22:20 24,848 --a--c--- C:\WINDOWS\system32\msjter35.dll
2007-05-09 22:20 168,720 --a--c--- C:\WINDOWS\system32\msltus35.dll
2007-05-09 22:20 166,672 --a--c--- C:\WINDOWS\system32\mstext35.dll
2007-05-09 22:20 123,664 --a--c--- C:\WINDOWS\system32\msjint35.dll
2007-05-09 22:20 1,238,288 --a--c--- C:\WINDOWS\system32\msjt4jlt.dll
2007-05-09 22:20 1,050,896 --a--c--- C:\WINDOWS\system32\msjet35.dll
2007-05-09 22:20 <DIR> d----c--- C:\Mitchell1
2007-05-07 21:53 <DIR> d----c--- C:\DOCUME~1\Mopy\APPLIC~1\BitTorrent
2007-05-07 21:52 <DIR> d----c--- C:\Program Files\BitTorrent


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-29 01:39:39 -------- dc----w C:\Program Files\FlashGet
2007-05-28 03:09:16 -------- dc----w C:\Program Files\Ahead
2007-05-26 04:30:28 92 -c--a-w C:\WINDOWS\vmreg32.dll
2007-05-23 23:01:16 -------- dc-h--w C:\Program Files\InstallShield Installation Information
2007-05-23 23:01:16 -------- dc----w C:\Program Files\NVIDIA Corporation
2007-05-23 04:32:58 -------- dc----w C:\DOCUME~1\Mopy\APPLIC~1\ATI
2007-05-23 04:29:22 -------- dc----w C:\Program Files\ATI Technologies
2007-05-21 02:08:36 -------- dc----w C:\Program Files\DivX
2007-05-17 22:48:30 -------- dc----w C:\Program Files\SatFinder
2007-05-12 17:21:16 -------- dc----w C:\Program Files\Mystery Case Files - Ravenhearst
2007-04-28 06:49:26 -------- dc----w C:\Program Files\ToGo Game
2007-04-27 01:18:48 -------- dc-h--r C:\DOCUME~1\Mopy\APPLIC~1\yahoo!
2007-04-25 04:32:19 -------- dc----w C:\Program Files\DVBDTV
2007-04-25 03:51:04 -------- dc----w C:\Program Files\XP Smoker
2007-04-25 03:44:55 49,438 -c--a-w C:\WINDOWS\system32\tcpipbak.reg
2007-04-22 02:23:52 -------- dc----w C:\Program Files\Windows Live Safety Center
2007-04-18 06:07:59 76,560 -c--a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-04-18 06:07:58 -------- dc----w C:\Program Files\Trend Micro
2007-04-18 05:45:45 -------- dc----w C:\Program Files\Rar Repair Tool
2007-04-13 05:06:05 -------- dc----w C:\Program Files\KeyChanger Office Edition
2007-04-13 05:04:48 -------- dc----w C:\Program Files\KeyRecover Office Edition
2007-04-13 03:23:50 -------- dc----w C:\Program Files\XLink Kai Evolution VII
2007-04-10 23:28:59 -------- dc----w C:\Program Files\Realtek AC97
2007-04-10 23:22:37 -------- dc----w C:\Program Files\C-Media
2007-04-10 23:20:17 -------- dc----w C:\Program Files\A4Tech
2007-04-10 20:01:55 -------- dc----w C:\Program Files\Bethesda Softworks
2007-04-09 18:57:19 639,224 -c--a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-04-04 05:50:47 356,352 -c--a-w C:\WINDOWS\eSellerateEngine.dll
2007-03-31 03:27:58 -------- dc----w C:\Program Files\EA GAMES
2007-03-31 02:59:48 -------- dc----w C:\Program Files\Common Files\Symantec Shared
2007-03-31 02:50:00 3,520 -c--a-w C:\WINDOWS\system32\tmp.reg
2007-03-30 22:50:15 -------- dc----w C:\Program Files\PCPitstop
2007-03-30 08:20:04 -------- dc----w C:\DOCUME~1\Mopy\APPLIC~1\Lavasoft
2007-03-30 08:19:49 -------- dc----w C:\Program Files\Lavasoft
2007-03-30 08:19:11 -------- dc----w C:\Program Files\Common Files\Wise Installation Wizard
2007-03-30 02:40:52 -------- dc----w C:\Program Files\DiskTrix
2007-03-15 16:23:16 497,496 -c--a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 -c--a-w C:\WINDOWS\system32\XceedCry.dll
2007-03-01 00:59:59 50,688 -c--a-w C:\WINDOWS\system32\wbhelp2.dll
2004-08-04 12:00:00 264,385 -csh--w C:\WINDOWS\Fonts\lsass.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-09-07 16:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 21:38]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=C:\Program Files\FlashGet\jccatch.dll [2007-01-29 04:46]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-07-31 15:32]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 21:33]
{C9905EF0-610F-4404-9030-A3F345D069F5}=C:\WINDOWS\system32\comi.dll []
{F156768E-81EF-470C-9057-481BA8380DBA}=C:\Program Files\FlashGet\getflash.dll [2007-01-14 22:40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 09:57]
"DTVR Agent"="C:\Program Files\KWorld Multimedia\DVB Plus\DVBS\Scheduled.exe" [2005-04-26 13:50]
"PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 10:33]
"SetDefPrt"="C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe" [2003-07-10 13:56]
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-18 21:56]
"FlashGet"="C:\Program Files\FlashGet\FlashGet.exe" [2007-01-29 22:11]
"DriverMagicLogon"="C:\Program Files\SymplisIT\DriverMagic\dmschedule.exe" [2005-10-14 10:01]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" []
"WheelMouse"="C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" [2004-08-25 17:31]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-05 20:50]
"Cmaudio"="cmicnfg.cpl" []
"PCTVOICE"="pctspk.exe" [2003-12-18 13:45 C:\WINDOWS\system32\pctspk.exe]
"SoundMan"="SOUNDMAN.EXE" []
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2006-12-01 00:16]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-09-13 14:17]
"EPSON Stylus Photo R220 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.exe" [2005-03-09 04:00]
"XPRepairPro2007"="C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispSettingsPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSetFolders"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoStartMenuNetworkPlaces"=0 (0x0)
"NoRun"=0 (0x0)
"NoFind"=0 (0x0)
"NoTrayItemsDisplay"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"LockTaskbar"=0 (0x0)
"NoSimpleStartMenu"=0 (0x0)
"HideClock"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoNetworkConnections"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"NoSMMyDocs"=0 (0x0)
"NoSMMyPictures"=0 (0x0)
"NoStartMenuMyMusic"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=0 (0x0)
"NoSetActiveDesktop"=0 (0x0)
"NoActiveDesktopChanges"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"NoDFSTab"=0 (0x0)
"NoSecurityTab"=0 (0x0)
"NoHardwareTab"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoPropertiesMyComputer"=0 (0x0)
"NoFileAssociate"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"NoThemesTab"=0 (0x0)
"NoChangeKeyboardNavigationIndicators"=0 (0x0)
"NoChangeAnimation"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RegCompact]
RegCompact.dll


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Diskeeper"=3 (0x3)



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070528-191833-302
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

backup-20070528-191828-899
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

backup-20070528-191828-816
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-29 19:52:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-29 19:54:02 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-29 19:53

--- E O F ---

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:33 PM

Posted 30 May 2007 - 04:47 AM

Hello,

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Delete next files:

C:\!KillBox <== folder, since we don't need what Killbox deleted anyway.
C:\WINDOWS\zzzx.exe
C:\WINDOWS\Fonts\lsass.exe <== do NOT delete the lsass.exe anywhere else!!!!

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINDOWS\system32\comi.dll (file missing)
O4 - HKCU\..\Run: [XPRepairPro2007] C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe /r
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)


Check next entries if you don't have DAP installed anymore:

O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

(I don't recommend DAP anyway since it has a questionable reputation)

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Go to next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\system32\pgwp.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

Do the same for next file and upload it at Virustotal as well:

C:\WINDOWS\vmreg32.dll

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appearing asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allows ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply together with a new HijackThislog and the results from Virustotal.
You may need more than one reply to post the logs.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 fakdd

fakdd
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 30 May 2007 - 10:48 PM

ok, here is the the two files that you asked for:

results for pgwp.exe:


Antivirus Version Update Result
AhnLab- V3 2007.5.30.0 05.30.2007 no virus found
AntiVir 7.4.0.29 05.30.2007 TR/Crypt.XPACK.Gen
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.30.2007 no virus found
AVG 7.5.0.467 05.30.2007 no virus found
BitDefender 7.2 05.31.2007 no virus found
CAT-QuickHeal 9.00 05.30.2007 (Suspicious) - DNAScan
ClamAV devel-2007 0416 05.30.2007 no virus found
DrWeb 4.33 05.30.2007 Win32.HLLW.SpyBot
eSafe 7.0.15.0 05.30.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3678 05.30.2007 no virus found
Ewido 4.0 05.29.2007 no virus found
FileAdvisor 1 05.31.2007 No threat detected
Fortinet 2.85.0.0 05.30.2007 suspicious
F-Prot 4.3.2.48 05.30.2007 no virus found
F-Secure 6.70.13030.0 05.30.2007 no virus found
Ikarus T3.1.1.8 05.30.2007 MalwareScope.Backdoor.Hupigon.17
Kaspersky 4.0.2.24 05.31.2007 no virus found
McAfee 5042 05.30.2007 no virus found
Microsoft 1.2503 05.31.2007 no virus found
NOD32 v22299 05.30.2007 no virus found
Norman 5.80.02 05.30.2007 no virus found
Panda 9.0.0.4 05.30.2007 W32/Spybot.AHI.worm
Prevx1 V2 05.31.2007 Malware.Trojan.Backdoor.Gen
Sophos 4.18.0 05.28.2007 no virus found
Sunbelt 2.2.907.0 05.30.2007 VIPRE.Suspicious
Symantec 10 05.31.2007 no virus found
TheHacker 6.1.6.126 05.30.2007 no virus found
VBA32 3.12.0 05.30.2007 Win32.HLLW.SpyBot
VirusBuster 4.3.23:9 05.30.2007 no virus found
Webwasher-Gateway 6.0.1 05.31.2007 Trojan.Crypt.XPACK.Gen


Aditional Information
File size: 121856 bytes
MD5: cc97ecaf59f8db664d1030361174d6b6
SHA1: 6577d5b06b2841645502b402a16329f3b31a5bb4
Bit9 info: http://fileadvisor.bit9.com/services/extin...d1030361174d6b6
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=311196857526
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.



Here is the vmreg32.dll (there was one vmm32reg.dll also, is the one ok?)

Antivirus Version Update Result
AhnLab- V3 2007.5.30.0 05.30.2007 no virus found
AntiVir 7.4.0.29 05.30.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.30.2007 no virus found
AVG 7.5.0.467 05.30.2007 no virus found
BitDefender 7.2 05.31.2007 no virus found
CAT-QuickHeal 9.00 05.30.2007 no virus found
ClamAV devel-2007 0416 05.30.2007 no virus found
DrWeb 4.33 05.30.2007 no virus found
eSafe 7.0.15.0 05.30.2007 no virus found
eTrust-Vet 30.7.3678 05.30.2007 no virus found
Ewido 4.0 05.29.2007 no virus found
FileAdvisor 1 05.31.2007 no virus found
Fortinet 2.85.0.0 05.30.2007 no virus found
F-Prot 4.3.2.48 05.30.2007 no virus found
F-Secure 6.70.13030.0 05.30.2007 no virus found
Ikarus T3.1.1.8 05.30.2007 no virus found
Kaspersky 4.0.2.24 05.31.2007 no virus found
McAfee 5042 05.30.2007 no virus found
Microsoft 1.2503 05.31.2007 no virus found
NOD32 v2 2299 05.30.2007 no virus found
Norman 5.80.02 05.30.2007 no virus found
Panda 9.0.0.4 05.30.2007 no virus found
Prevx1 V2 05.31.2007 no virus found
Sophos 4.18.0 05.28.2007 no virus found
Sunbelt 2.2.907.0 05.30.2007 no virus found
Symantec 10 05.31.2007 no virus found
TheHacker 6.1.6.126 05.30.2007 no virus found
VBA32 3.12.0 05.30.2007 no virus found
VirusBuster 4.3.23:9 05.30.2007 no virus found
Webwasher-Gateway 6.0.1 05.31.2007 no virus found

#6 fakdd

fakdd
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 30 May 2007 - 10:51 PM

here is the kaspersky scan log.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, May 30, 2007 10:42:02 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 31/05/2007
Kaspersky Anti-Virus database records: 334498
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 94430
Number of viruses found: 8
Number of infected objects: 20
Number of suspicious objects: 0
Duration of the scan process: 01:47:43

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mopy\.housecall6.6\Quarantine\count[1].jar.INFECTED.bac_a01632/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Mopy\.housecall6.6\Quarantine\count[1].jar.INFECTED.bac_a01632/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Mopy\.housecall6.6\Quarantine\count[1].jar.INFECTED.bac_a01632/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Mopy\.housecall6.6\Quarantine\count[1].jar.INFECTED.bac_a01632 ZIP: infected - 3 skipped
C:\Documents and Settings\Mopy\.housecall6.6\Quarantine\count[1].jar.INFECTED.bac_a01632 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\Mopy\.housecall6.6\Quarantine\SetupDTSB.exe.bac_a01632 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\Mopy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Mopy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mopy\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Mopy\Desktop\Unused Desktop Shortcuts\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Mopy\Desktop\Unused Desktop Shortcuts\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Mopy\Desktop\Unused Desktop Shortcuts\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Mopy\Desktop\Unused Desktop Shortcuts\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Mopy\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Mopy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mopy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mopy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mopy\Local Settings\History\History.IE5\MSHist012007053020070531\index.dat Object is locked skipped
C:\Documents and Settings\Mopy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mopy\ntuser.dat Object is locked skipped
C:\Documents and Settings\Mopy\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2007-05-30.20-31-37.log Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\Program Files\XP Smoker\shutdown.exe Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
C:\QooBox\Quarantine\C\WINDOWS\svchost.exe.vir Infected: Trojan-Downloader.Win32.Delf.bld skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{363C16E8-C4C5-4769-AA04-FCCF61DE49FF}\RP124\A0025530.exe Infected: Trojan-Downloader.Win32.Delf.bld skipped
C:\System Volume Information\_restore{363C16E8-C4C5-4769-AA04-FCCF61DE49FF}\RP128\A0028858.exe Infected: Trojan-Downloader.Win32.Delf.bld skipped
C:\System Volume Information\_restore{363C16E8-C4C5-4769-AA04-FCCF61DE49FF}\RP128\A0028860.exe Infected: not-a-virus:Downloader.Win32.WinFixer.u skipped
C:\System Volume Information\_restore{363C16E8-C4C5-4769-AA04-FCCF61DE49FF}\RP128\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\tv\dish computer stuff\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
D:\tv\dish computer stuff\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
D:\tv\dish computer stuff\mirc621.exe NSIS: infected - 2 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


and the hijack log

Logfile of HijackThis v1.99.1
Scan saved at 10:50:11 PM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\KWorld Multimedia\DVB Plus\DVBS\Scheduled.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\utilman.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Mopy\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DTVR Agent] C:\Program Files\KWorld Multimedia\DVB Plus\DVBS\Scheduled.exe
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\Scansoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe"
O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [FlashGet] "C:\Program Files\FlashGet\FlashGet.exe" /min
O4 - HKLM\..\Run: [DriverMagicLogon] "C:\Program Files\SymplisIT\DriverMagic\dmschedule.exe" /boot
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
O4 - HKCU\..\Run: [XPRepairPro2007] C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe /r
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1156962280953
O16 - DPF: {8B0F07E1-00F9-4B1B-9A2F-456DC0F54EBF} (PortDetector Control) - http://vlab1se-ekt2.elementk.com/vlab/ax/PortTester.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - file://F:\webpull\support\disc\ASP\tools\en\bin\npseatools.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe

#7 fakdd

fakdd
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 30 May 2007 - 10:52 PM

and i have a question,

why did some of the scans find something while others didn't?
shouldn't they all have found something?

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:33 PM

Posted 31 May 2007 - 12:57 AM

Hello,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O4 - HKCU\..\Run: [XPRepairPro2007] C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe /r


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Delete next file and folders:

C:\WINDOWS\system32\pgwp.exe <== file
C:\Documents and Settings\Mopy\.housecall6.6\Quarantine <== folder
C:\Qoobox <== folder

The next ones that Kaspersky online flagged as infected are ok and nothing to worry about:

C:\Documents and Settings\Mopy\Desktop\Unused Desktop Shortcuts\SmitfraudFix.exe
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\Program Files\XP Smoker\shutdown.exe Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
D:\tv\dish computer stuff\mirc621.exe


Flush your system restore points:
To do this, you have to disable systemrestore and enable it afterwards again.
(note: this will delete all your system restore points and malware that were present in it).

How to disable system restore in XP <= click me for instructions with screenshots
After you disabled System Restore.... Reboot.. and after rebooting, enable it again, so a new systemrestorepoint will be made. A clean one now! :thumbsup:


why did some of the scans find something while others didn't?
shouldn't they all have found something?

Normally yes, but not every scanner is as good in detection

How are things now?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 fakdd

fakdd
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 31 May 2007 - 08:43 PM

thanks for the help. it seems to be running faster and better.

What virus scanner do you recommend?
I have AVG installed and up to date, but it was one that did not find these when scanned.

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:33 PM

Posted 01 June 2007 - 12:43 AM

I am using Avira Antivir, which is free and great in detection: http://www.free-av.com/
Keep in mind, if you decide to install another Antivirus, you should uninstall your AVG first.

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:33 PM

Posted 02 June 2007 - 03:53 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users