Tom's Guide | Tom's Hardware | Tom's Games
Attached is the screenshot of what happens; it keeps popping up every few minutes and I can't remove it. Please help me.

Sorry, it appears that the screenshot doesn't show on here, so here's the link:
http://www.pic4.us/pic/F7V89483.jpg

Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified.
Please download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click "next" in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
Put a check by "Create a desktop icon" then click "Next" again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click "Finish" and it will launch Hijack This.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread.
Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

Logfile of HijackThis v1.99.1
Scan saved at 13:33:27, on 6/4/2550
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 207.210.93.28 game01.us.segaonline.jp
O1 - Hosts: 207.210.93.28 game01.psobb.segaonline.jp
O1 - Hosts: 207.210.93.28 patch01.us.segaonline.jp
O1 - Hosts: 207.210.93.28 patch01.psobb.segaonline.jp
O1 - Hosts: 220.232.214.116 vbseo.xbuser.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.19.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Camfrog Toolbar - {AF2A1C5A-1AED-4E92-8BA8-D708EB79537E} - C:\Program Files\Camfrog\CamfrogBar\CamfrogBar.dll (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Camfrog Toolbar - {AF2A1C5A-1AED-4E92-8BA8-D708EB79537E} - C:\Program Files\Camfrog\CamfrogBar\CamfrogBar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: ดาวน์โหลดทั้งหมดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: ดาวน์โหลดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/read...
O16 - DPF: {23D236EA-B936-4B2B-900C-D0E8DBBF9570} (BugsGameStarts Class) - http://audition.playpark.com/login/...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8E82893F-7ED1-4811-A247-580DCC0E2629} (SFLauncherTDE Class) - http://www.sf.in.th/activex/Starter...
O17 - HKLM\System\CCS\Services\Tcpip\..\{76EDB05E-3171-416C-ACD2-B15E5ECB9AAC}: NameServer = 203.144.207.29 203.144.207.49
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Run Hijack this, close all windows and browsers except Hijack This, place a check to the left of the following items then press "fix checked":
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
Exit Hijack This.
Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop.
!!!! Only run option #1, as running the other options on an uninfected computer will damage the desktop. !!!!
Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running; it may cause your system to hang.)
Please post the log it produces.
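The triage done above (picking out the O2 BHO with "(no file)" and the O20 Winlogon Notify entry whose DLL is missing) as an added example, not code from this thread or from HijackThis itself: a small Python script that parses HijackThis entries, marks the ones whose target file is gone, and ranks them by how much a load point of that type can do at logon. The sample lines are constructed from the log posted in this thread, and the section weighting table is my own assumption.

```python
import re

# Constructed sample: a handful of HijackThis-style lines modelled on the
# log posted in this thread (not the full log).
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Camfrog Toolbar - {AF2A1C5A-1AED-4E92-8BA8-D708EB79537E} - C:\\Program Files\\Camfrog\\CamfrogBar\\CamfrogBar.dll (file missing)
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Program Files\\Eset\\nod32kui.exe" /WAITSERVICE
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\\Program Files\\Eset\\nod32krn.exe
"""

# Every HijackThis entry starts with a section tag (R0..R3, O1..O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Assumed weighting (my own, not HijackThis's): a Winlogon Notify package
# (O20) is loaded into winlogon.exe at every logon, so an orphaned one is
# either a removal remnant or a sign a scanner deleted the DLL but left the
# hook. Browser helper objects (O2) load into every IE process; toolbars
# (O3) are usually just leftovers.
LOAD_POINT_WEIGHT = {"O20": "high", "O2": "medium", "O3": "low"}
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_entries(log_text):
    """Split a HijackThis log into entry dicts; non-entry lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        parts = body.split(" - ")
        entries.append({
            "section": m.group("section"),
            "description": parts[0],          # e.g. "BHO: (no name)"
            "target": parts[-1],              # path, or the missing-file marker
            # HijackThis appends these markers when the referenced file is gone.
            "orphaned": body.endswith("(no file)") or body.endswith("(file missing)"),
            "raw": line,
        })
    return entries


def find_orphaned(entries):
    """Return orphaned entries in weighted load points, most dangerous first."""
    hits = [e for e in entries
            if e["orphaned"] and e["section"] in LOAD_POINT_WEIGHT]
    for e in hits:
        e["priority"] = LOAD_POINT_WEIGHT[e["section"]]
    return sorted(hits, key=lambda e: PRIORITY_ORDER[e["priority"]])


def no_name_bhos(entries):
    """O2 entries with no name are a classic thing to review in a HJT log."""
    return [e for e in entries
            if e["section"] == "O2" and "(no name)" in e["description"]]


if __name__ == "__main__":
    ents = parse_entries(SAMPLE_LOG)
    for e in find_orphaned(ents):
        print(f"[{e['priority']:6}] {e['raw']}")
```

Run it on a real log with `parse_entries(open("hijackthis.log").read())`; the two lines the helper asked to fix come out at the top of the ranking.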

SmitFraudFix v2.164
Scan done at 14:36:47.35, Sat 04/07/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
»»»»»»»»»»»»»»»»»»»»»»»» DNS
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End

"Administrator" - 07-04-07 14:39:07 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Administrator\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2007-03-07 to 2007-04-07 ))))))))))))))))))))))))))))))))))
2007-04-07 14:36 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-07 14:36 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-07 14:36 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-04-07 14:36 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-07 14:36 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-04-07 14:36 1,876 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-07 14:32 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-04-07 14:32 516,784 -ra------ C:\WINDOWS\system32\XceedCry.dll
2007-04-07 14:32 44,544 --a------ C:\WINDOWS\system32\Gif89.dll
2007-04-07 14:32 217,088 --a------ C:\WINDOWS\system32\DartSock.dll
2007-04-07 14:32 118,784 --a------ C:\WINDOWS\system32\DartWeb.dll
2007-04-07 14:32 <DIR> d-------- C:\Program Files\Convar
2007-04-06 03:35 <DIR> dr------- C:\DOCUME~1\ALLUSE~1.WIN\Documents
2007-04-06 03:33 <DIR> d-------- C:\D
2007-04-06 03:27 <DIR> d-------- C:\WINDOWS0
2007-04-06 03:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-04-06 02:09 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-06 02:09 39,184 --a------ C:\WINDOWS\system32\Ntrights.exe
2007-04-06 02:09 175,616 --a------ C:\WINDOWS\system32\strings.exe
2007-04-06 02:09 16,384 --a------ C:\WINDOWS\system32\restart.exe
2007-04-06 02:09 126,976 --a------ C:\WINDOWS\system32\zip.exe
2007-04-06 02:09 11,254 --a------ C:\WINDOWS\system32\locate.com
2007-04-05 23:49 <DIR> d-------- C:\!KillBox
2007-04-05 23:41 <DIR> d-------- C:\Program Files\CCleaner
2007-04-05 23:21 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-05 20:47 290,816 ---h----- C:\DOCUME~1\DEFAUL~1.WIN\NTUSER.DAT
2007-04-05 20:46 <DIR> d--hs---- C:\DOCUME~1\ALLUSE~1.WIN\DRM
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Utilities
2007-04-05 20:43 <DIR> d-------- C:\Program Files\TaskSwitchXP
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Multimedia
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Microsoft PowerToys
2007-04-05 20:43 <DIR> d-------- C:\Program Files\HashTab Shell Extension
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Foxit
2007-03-28 04:18 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-03-28 03:47 <DIR> d-------- C:\somethin
2007-03-26 22:16 1,056 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-03-26 22:11 <DIR> d-------- C:\Program Files\PowerQuest
2007-03-16 02:00 646,392 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-03-09 01:43 155,411 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-03-09 00:37 <DIR> d-------- C:\Program Files\—zหตฬ’ฬA
2007-03-09 00:14 20,992 --a------ C:\WINDOWS\jestertb.dll
2007-03-08 00:12 14 --a------ C:\DOCUME~1\ADMINI~1\getfile.dat
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-07 14:32 -------- d--h----- C:\Program Files\installshield installation information
2007-04-06 22:49 -------- d-------- C:\Program Files\warcraft iii
2007-04-05 23:41 -------- d-------- C:\Program Files\yahoo!
2007-04-05 20:45 -------- d-------- C:\Program Files\movie maker
2007-04-05 20:43 -------- d-------- C:\Program Files\windows nt
2007-04-05 20:43 -------- d-------- C:\Program Files\messenger
2007-04-04 20:39 25 --a------ C:\WINDOWS\system32\grecorder.dll
2007-04-04 05:41 -------- d-------- C:\Program Files\bitcomet
2007-04-03 01:25 -------- d-------- C:\Program Files\super dancer online
2007-03-31 00:25 -------- d-------- C:\Program Files\spss evaluation
2007-03-31 00:20 205 --a------ C:\WINDOWS\system32\lsprst7.dll
2007-03-24 00:34 2560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-03-10 03:29 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2007-03-09 00:38 -------- d-------- C:\Program Files\—zหตฬ’ฬa
2007-03-02 18:37 -------- d-------- C:\Program Files\maxthon
2007-02-28 06:28 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\getrighttogo
2007-02-28 03:11 -------- d-------- C:\Program Files\config
2007-02-28 02:50 -------- d-------- C:\Program Files\flashget
2007-02-27 15:05 -------- d-------- C:\Program Files\divx
2007-02-27 08:13 -------- d-------- C:\Program Files\handmark
2007-02-27 08:00 -------- d-------- C:\Program Files\astraware
2007-02-27 05:40 -------- d-------- C:\Program Files\crosstec
2007-02-27 05:26 -------- d-------- C:\Program Files\asus
2007-02-26 06:30 -------- d-------- C:\Program Files\msn messenger
2007-02-26 00:09 -------- d-------- C:\Program Files\winroute pro
2007-02-25 22:46 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\help
2007-02-25 21:57 -------- d-------- C:\Program Files\microsoft intellitype pro
2007-02-25 04:29 -------- d-------- C:\Program Files\microsoft activesync
2007-02-25 03:09 -------- d-------- C:\Program Files\kursk
2007-02-25 02:44 -------- d-------- C:\Program Files\pdamill
2007-02-24 02:31 -------- d-------- C:\Program Files\jamdat
2007-02-24 02:17 -------- d-------- C:\Program Files\myst
2007-02-23 23:28 -------- d-------- C:\Program Files\orions legend of wizards for pocket pc
2007-02-21 00:52 -------- d-------- C:\Program Files\jaya
2007-02-20 18:44 -------- d-------- C:\Program Files\silver coins
2007-02-20 16:57 -------- d-------- C:\Program Files\k-lite codec pack
2007-02-20 03:21 -------- d-------- C:\Program Files\image grabber ii
2007-02-20 00:46 -------- d-------- C:\Program Files\quicktime alternative
2007-02-20 00:46 -------- d-------- C:\Program Files\media player classic
2007-02-20 00:46 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\apple computer
2007-02-20 00:45 -------- d-------- C:\Program Files\quicktime
2007-02-19 23:41 -------- d-------- C:\Program Files\itunes
2007-02-19 23:41 -------- d-------- C:\Program Files\ipod
2007-02-19 01:56 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\imagenomic
2007-02-19 01:54 -------- d-------- C:\Program Files\imagenomic
2007-02-19 01:52 -------- d-------- C:\Program Files\noiseware professional plug-in
2007-02-19 01:40 1024 --a------ C:\WINDOWS\system32\clauth2.dll
2007-02-19 01:40 1024 --a------ C:\WINDOWS\system32\clauth1.dll
2007-02-19 01:40 0 --a------ C:\WINDOWS\system32\ssprs.dll
2007-02-19 01:40 0 --a------ C:\WINDOWS\system32\serauth2.dll
2007-02-19 01:40 0 --a------ C:\WINDOWS\system32\serauth1.dll
2007-02-19 01:40 0 --a------ C:\WINDOWS\system32\nsprs.dll
2007-02-19 01:38 1025 --a------ C:\WINDOWS\system32\sysprs7.dll
2007-02-17 05:49 -------- d-------- C:\Program Files\winner
2007-02-17 04:51 -------- d-------- C:\Program Files\binaryfish
2007-02-13 17:54 -------- d-------- C:\Program Files\java
2007-02-11 03:58 64608 --a------ C:\WINDOWS\war3unin.dat
2007-02-11 03:58 2829 --a------ C:\WINDOWS\war3unin.pif
2007-02-11 03:58 139264 --a------ C:\WINDOWS\war3unin.exe
2007-02-08 00:58 -------- d-------- C:\Program Files\ultra video splitter
2007-02-01 05:56 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-01-30 12:03 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-30 12:03 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-30 06:03 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-30 05:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-30 05:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-09 18:46 10752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-01-03 21:48 134002 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\cosmos prefs
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"Launch Ai Booster"="\"C:\\Program Files\\ASUS\\Ai Booster\\OverClk.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Y'z ToolBar.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\Y'z ToolBar.lnk"
"backup"="C:\\WINDOWS\\pss\\Y'z ToolBar.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\BRICOP~1\\VISTAI~1\\YZTOOL~1\\YZTOOL~1.exe "
"item"="Y'z ToolBar"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.exe "
"item"="Adobe Reader Speed Launch"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Photosmart Premier Fast Start.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Photosmart Premier Fast Start.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqthb08.exe -s"
"item"="HP Photosmart Premier Fast Start"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.exe -b -l"
"item"="Microsoft Office"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AsRunHelp"
"hkey"="HKLM"
"command"="C:\\Program Files\\ASUS\\AASP\\1.00.14\\AsRunHelp.exe"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dxdllreg"
"hkey"="HKLM"
"command"="dxdllreg.exe"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcescomm"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Application Launcher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="type32"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrCtrl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wrctrl"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\WinRoute Pro\\wrctrl.exe\""
"inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=dword:00000002
"wuauserv"=dword:00000002
"iPod Service"=dword:00000003
"helpsvc"=dword:00000002
"ERSvc"=dword:00000002
"Macromedia Licensing Service"=dword:00000003
"Adobe LM Service"=dword:00000003
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"=dword:00000000
"SynchronousUserGroupPolicy"=dword:00000000[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001
"NoSaveSettings"=dword:00000000
"NoWindowsUpdate"=dword:00000000[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3de357cf-f717-11da-9511-806d6172696f}]
Shell\AutoRun\command E:\setup.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4af3e04d-4595-11db-9e93-0013d4b52276}]
Shell\Auto\command RavMon.exe e
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL RavMon.exe e

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{702186dc-9d7c-11db-9eb9-0013d4b52276}]
Shell\1\Command K:\.\RECYCLER\RECYCLER\autorun.exe
Shell\2\Command K:\.\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e3729367-f9de-11da-9fdf-0013d4b52276}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e7684646-40e2-11db-a013-0013d4b52276}]
Shell\1\Command .\RECYCLER\RECYCLER\autorun.exe
Shell\2\Command .\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffc4188d-b835-11db-9ec3-0013d4b52276}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffc41924-b835-11db-9ec3-0013d4b52276}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1150225234.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-07 14:40:56
C:\ComboFix-quarantined-files.txt ... 07-04-07 14:40
C:\ComboFix2.txt ... 07-04-06 02:37

Please download and install
SuperAntiSpyware
Load SUPERAntiSpyware and click the Check for Updates button.
Once the update has finished, click the Scan your Computer button.
Check Perform Complete Scan and then click Next.
SUPERAntiSpyware will now scan your computer, and when it’s finished it will list all the infections it has found.
Make sure that they all have a check next to them, and then click Next.
Click Finish and you will be taken back to the main interface.
It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
I'll need a log afterwards of what has been found.
To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
Please post the results of the SUPERAntiSpyware log and a new HijackThis log in your next reply. Then post a new Combofix log.

SUPERAntiSpyware Scan Log
Generated 04/08/2007 at 02:15 AM
Application Version : 3.6.1000
Core Rules Database Version : 3215
Trace Rules Database Version: 1225
Scan type : Quick Scan
Total Scan Time : 00:25:26
Memory items scanned : 384
Memory threats detected : 1
Registry items scanned : 940
Registry threats detected : 7
File items scanned : 35334
File threats detected : 14
Trojan.Mezzia/Resident
C:\WINDOWS\SYSTEM32\WINWLY32.DLL
C:\WINDOWS\SYSTEM32\WINWLY32.DLL
Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@clickbank[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sdc.krollontrack[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@61483879[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@m1.webstats.motigo[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@1071779307[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@stat.onestat[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@warlog[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@server.iad.liveperson[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.cracks[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@usenext[1].txt
Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#BPTV
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV

Logfile of HijackThis v1.99.1
Scan saved at 2:23:55, on 8/4/2550
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 207.210.93.28 game01.us.segaonline.jp
O1 - Hosts: 207.210.93.28 game01.psobb.segaonline.jp
O1 - Hosts: 207.210.93.28 patch01.us.segaonline.jp
O1 - Hosts: 207.210.93.28 patch01.psobb.segaonline.jp
O1 - Hosts: 220.232.214.116 vbseo.xbuser.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.19.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Camfrog Toolbar - {AF2A1C5A-1AED-4E92-8BA8-D708EB79537E} - C:\Program Files\Camfrog\CamfrogBar\CamfrogBar.dll (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Camfrog Toolbar - {AF2A1C5A-1AED-4E92-8BA8-D708EB79537E} - C:\Program Files\Camfrog\CamfrogBar\CamfrogBar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: ดาวน์โหลดทั้งหมดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: ดาวน์โหลดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/read...
O16 - DPF: {23D236EA-B936-4B2B-900C-D0E8DBBF9570} (BugsGameStarts Class) - http://audition.playpark.com/login/...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8E82893F-7ED1-4811-A247-580DCC0E2629} (SFLauncherTDE Class) - http://www.sf.in.th/activex/Starter...
O17 - HKLM\System\CCS\Services\Tcpip\..\{76EDB05E-3171-416C-ACD2-B15E5ECB9AAC}: NameServer = 203.144.207.29 203.144.207.49
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

"Administrator" - 07-04-08 2:24:43 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Administrator\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2007-03-08 to 2007-04-08 ))))))))))))))))))))))))))))))))))
2007-04-08 01:52 0 --a------ C:\WINDOWS\system32\CMMGR32.exe
2007-04-08 01:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-04-08 01:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-08 01:47 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-07 14:36 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-07 14:36 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-07 14:36 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-04-07 14:36 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-07 14:36 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-04-07 14:36 1,876 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-07 14:32 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-04-07 14:32 516,784 -ra------ C:\WINDOWS\system32\XceedCry.dll
2007-04-07 14:32 44,544 --a------ C:\WINDOWS\system32\Gif89.dll
2007-04-07 14:32 217,088 --a------ C:\WINDOWS\system32\DartSock.dll
2007-04-07 14:32 118,784 --a------ C:\WINDOWS\system32\DartWeb.dll
2007-04-07 14:32 <DIR> d-------- C:\Program Files\Convar
2007-04-06 03:35 <DIR> dr------- C:\DOCUME~1\ALLUSE~1.WIN\Documents
2007-04-06 03:33 <DIR> d-------- C:\D
2007-04-06 03:27 <DIR> d-------- C:\WINDOWS0
2007-04-06 03:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-04-06 02:09 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-06 02:09 39,184 --a------ C:\WINDOWS\system32\Ntrights.exe
2007-04-06 02:09 175,616 --a------ C:\WINDOWS\system32\strings.exe
2007-04-06 02:09 16,384 --a------ C:\WINDOWS\system32\restart.exe
2007-04-06 02:09 126,976 --a------ C:\WINDOWS\system32\zip.exe
2007-04-06 02:09 11,254 --a------ C:\WINDOWS\system32\locate.com
2007-04-05 23:49 <DIR> d-------- C:\!KillBox
2007-04-05 23:41 <DIR> d-------- C:\Program Files\CCleaner
2007-04-05 20:47 290,816 ---h----- C:\DOCUME~1\DEFAUL~1.WIN\NTUSER.DAT
2007-04-05 20:46 <DIR> d--hs---- C:\DOCUME~1\ALLUSE~1.WIN\DRM
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Utilities
2007-04-05 20:43 <DIR> d-------- C:\Program Files\TaskSwitchXP
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Multimedia
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Microsoft PowerToys
2007-04-05 20:43 <DIR> d-------- C:\Program Files\HashTab Shell Extension
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Foxit
2007-03-28 04:18 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-03-28 03:47 <DIR> d-------- C:\somethin
2007-03-26 22:16 1,056 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-03-26 22:11 <DIR> d-------- C:\Program Files\PowerQuest
2007-03-16 02:00 646,392 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-03-09 01:43 155,411 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-03-09 00:37 <DIR> d-------- C:\Program Files\—zหตฬ’ฬA
2007-03-09 00:14 20,992 --a------ C:\WINDOWS\jestertb.dll
2007-03-08 00:12 14 --a------ C:\DOCUME~1\ADMINI~1\getfile.dat
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-08 01:47 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-04-07 18:54 -------- d-------- C:\Program Files\warcraft iii
2007-04-07 14:32 -------- d--h----- C:\Program Files\installshield installation information
2007-04-05 23:41 -------- d-------- C:\Program Files\yahoo!
2007-04-05 20:45 -------- d-------- C:\Program Files\movie maker
2007-04-05 20:43 -------- d-------- C:\Program Files\windows nt
2007-04-05 20:43 -------- d-------- C:\Program Files\messenger
2007-04-04 20:39 25 --a------ C:\WINDOWS\system32\grecorder.dll
2007-04-04 05:41 -------- d-------- C:\Program Files\bitcomet
2007-04-03 01:25 -------- d-------- C:\Program Files\super dancer online
2007-03-31 00:25 -------- d-------- C:\Program Files\spss evaluation
2007-03-31 00:20 205 --a------ C:\WINDOWS\system32\lsprst7.dll
2007-03-24 00:34 2560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-03-10 03:29 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2007-03-09 00:38 -------- d-------- C:\Program Files\—zหตฬ’ฬa
2007-03-02 18:37 -------- d-------- C:\Program Files\maxthon
2007-02-28 06:28 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\getrighttogo
2007-02-28 03:11 -------- d-------- C:\Program Files\config
2007-02-28 02:50 -------- d-------- C:\Program Files\flashget
2007-02-27 15:05 -------- d-------- C:\Program Files\divx
2007-02-27 08:13 -------- d-------- C:\Program Files\handmark
2007-02-27 08:00 -------- d-------- C:\Program Files\astraware
2007-02-27 05:40 -------- d-------- C:\Program Files\crosstec
2007-02-27 05:26 -------- d-------- C:\Program Files\asus
2007-02-26 06:30 -------- d-------- C:\Program Files\msn messenger
2007-02-26 00:09 -------- d-------- C:\Program Files\winroute pro
2007-02-25 22:46 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\help
2007-02-25 21:57 -------- d-------- C:\Program Files\microsoft intellitype pro
2007-02-25 04:29 -------- d-------- C:\Program Files\microsoft activesync
2007-02-25 03:09 -------- d-------- C:\Program Files\kursk
2007-02-25 02:44 -------- d-------- C:\Program Files\pdamill
2007-02-24 02:31 -------- d-------- C:\Program Files\jamdat
2007-02-24 02:17 -------- d-------- C:\Program Files\myst
2007-02-23 23:28 -------- d-------- C:\Program Files\orions legend of wizards for pocket pc
2007-02-21 00:52 -------- d-------- C:\Program Files\jaya
2007-02-20 18:44 -------- d-------- C:\Program Files\silver coins
2007-02-20 16:57 -------- d-------- C:\Program Files\k-lite codec pack
2007-02-20 03:21 -------- d-------- C:\Program Files\image grabber ii
2007-02-20 00:46 -------- d-------- C:\Program Files\quicktime alternative
2007-02-20 00:46 -------- d-------- C:\Program Files\media player classic
2007-02-20 00:46 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\apple computer
2007-02-20 00:45 -------- d-------- C:\Program Files\quicktime
2007-02-19 23:41 -------- d-------- C:\Program Files\itunes
2007-02-19 23:41 -------- d-------- C:\Program Files\ipod
2007-02-19 01:56 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\imagenomic
2007-02-19 01:54 -------- d-------- C:\Program Files\imagenomic
2007-02-19 01:52 -------- d-------- C:\Program Files\noiseware professional plug-in
2007-02-19 01:40 1024 --a------ C:\WINDOWS\system32\clauth2.dll
2007-02-19 01:40 1024 --a------ C:\WINDOWS\system32\clauth1.dll
2007-02-19 01:40 0 --a------ C:\WINDOWS\system32\ssprs.dll
2007-02-19 01:40 0 --a------ C:\WINDOWS\system32\serauth2.dll
2007-02-19 01:40 0 --a------ C:\WINDOWS\system32\serauth1.dll
2007-02-19 01:40 0 --a------ C:\WINDOWS\system32\nsprs.dll
2007-02-19 01:38 1025 --a------ C:\WINDOWS\system32\sysprs7.dll
2007-02-17 05:49 -------- d-------- C:\Program Files\winner
2007-02-17 04:51 -------- d-------- C:\Program Files\binaryfish
2007-02-13 17:54 -------- d-------- C:\Program Files\java
2007-02-11 03:58 64608 --a------ C:\WINDOWS\war3unin.dat
2007-02-11 03:58 2829 --a------ C:\WINDOWS\war3unin.pif
2007-02-11 03:58 139264 --a------ C:\WINDOWS\war3unin.exe
2007-02-08 00:58 -------- d-------- C:\Program Files\ultra video splitter
2007-02-01 05:56 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-01-30 12:03 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-30 12:03 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-30 06:03 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-30 05:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-30 05:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-09 18:46 10752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-01-03 21:48 134002 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\cosmos prefs
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"Launch Ai Booster"="\"C:\\Program Files\\ASUS\\Ai Booster\\OverClk.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Y'z ToolBar.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\Y'z ToolBar.lnk"
"backup"="C:\\WINDOWS\\pss\\Y'z ToolBar.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\BRICOP~1\\VISTAI~1\\YZTOOL~1\\YZTOOL~1.exe "
"item"="Y'z ToolBar"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.exe "
"item"="Adobe Reader Speed Launch"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Photosmart Premier Fast Start.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Photosmart Premier Fast Start.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqthb08.exe -s"
"item"="HP Photosmart Premier Fast Start"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.exe -b -l"
"item"="Microsoft Office"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AsRunHelp"
"hkey"="HKLM"
"command"="C:\\Program Files\\ASUS\\AASP\\1.00.14\\AsRunHelp.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dxdllreg"
"hkey"="HKLM"
"command"="dxdllreg.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcescomm"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Application Launcher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="type32"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrCtrl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wrctrl"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\WinRoute Pro\\wrctrl.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=dword:00000002
"wuauserv"=dword:00000002
"iPod Service"=dword:00000003
"helpsvc"=dword:00000002
"ERSvc"=dword:00000002
"Macromedia Licensing Service"=dword:00000003
"Adobe LM Service"=dword:00000003
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"=dword:00000000
"SynchronousUserGroupPolicy"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001
"NoSaveSettings"=dword:00000000
"NoWindowsUpdate"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwly32
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3de357cf-f717-11da-9511-806d6172696f}]
Shell\AutoRun\command E:\setup.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4af3e04d-4595-11db-9e93-0013d4b52276}]
Shell\Auto\command RavMon.exe e
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL RavMon.exe e
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{702186dc-9d7c-11db-9eb9-0013d4b52276}]
Shell\1\Command K:\.\RECYCLER\RECYCLER\autorun.exe
Shell\2\Command K:\.\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e3729367-f9de-11da-9fdf-0013d4b52276}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e7684646-40e2-11db-a013-0013d4b52276}]
Shell\1\Command .\RECYCLER\RECYCLER\autorun.exe
Shell\2\Command .\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffc4188d-b835-11db-9ec3-0013d4b52276}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffc41924-b835-11db-9ec3-0013d4b52276}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1150225234.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-08 2:28:10
C:\ComboFix-quarantined-files.txt ... 07-04-08 02:28
C:\ComboFix2.txt ... 07-04-07 14:40
C:\ComboFix3.txt ... 07-04-06 02:37

SUPERAntiSpyware Scan Log
Generated 04/08/2007 at 03:12 AM
Application Version : 3.6.1000
Core Rules Database Version : 3215
Trace Rules Database Version: 1225
Scan type : Complete Scan
Total Scan Time : 00:42:15
Memory items scanned : 337
Memory threats detected : 0
Registry items scanned : 7590
Registry threats detected : 0
File items scanned : 60116
File threats detected : 1
Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[2].txt

Please download Flash_Disinfector.exe by sUBs and save to your desktop.
NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.
Double-click Flash_Disinfector.exe to run it.
Follow any prompts that may appear.
Wait until the program has finished scanning, then please exit the program.
Open notepad (Start Menu > Run > type notepad and press "ok").
Copy and paste everything into notepad between the x's making regedit4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwly32]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3de357cf-f717-11da-9511-806d6172696f}]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4af3e04d-4595-11db-9e93-0013d4b52276}]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{702186dc-9d7c-11db-9eb9-0013d4b52276}]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e3729367-f9de-11da-9fdf-0013d4b52276}]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e7684646-40e2-11db-a013-0013d4b52276}]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffc4188d-b835-11db-9ec3-0013d4b52276}]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffc41924-b835-11db-9ec3-0013d4b52276}]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it Fix.reg, then save it to your desktop.
Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.
Post a new Hijack This log and a new Combofix log please.
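The Fix.reg step above is a manual triage of the MountPoints2 autorun keys taken from the ComboFix log. As an added example (not from this thread or from any tool named in it), the Python script below parses those entries out of the log text, flags the ones showing the indicators seen in this thread, and emits the REGEDIT4 deletion file; the sample log is constructed from the entries posted here, and the indicator list is my own assumption, not a published signature.

```python
import re

# Constructed sample, built from the MountPoints2 entries shown in the
# ComboFix logs in this thread (one key header and its verb lines per key).
SAMPLE_LOG = r"""[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3de357cf-f717-11da-9511-806d6172696f}]
Shell\AutoRun\command E:\setup.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4af3e04d-4595-11db-9e93-0013d4b52276}]
Shell\Auto\command RavMon.exe e
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL RavMon.exe e
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{702186dc-9d7c-11db-9eb9-0013d4b52276}]
Shell\1\Command K:\.\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffc41924-b835-11db-9ec3-0013d4b52276}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs
"""

# A MountPoints2 key header as ComboFix prints it, and a Shell\<verb>\command line.
KEY_RE = re.compile(
    r"^\[(HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
    r"\\MountPoints2\\\{[0-9a-f-]+\})\]$", re.I)
VERB_RE = re.compile(r"^Shell\\([^\\]+)\\command\s+(.*)$", re.I)

# Indicators drawn from the entries in this thread (assumed heuristics, not a
# vendor signature): a script host launched from the drive root, a payload
# hidden under RECYCLER, the RavMon.exe file name, and a relative path handed
# to ShellExec_RunDLL so it resolves against whatever drive was just inserted.
SUSPECT_PATTERNS = [
    (re.compile(r"wscript\.exe|cscript\.exe|\.vbs\b", re.I), "script host run from the drive root"),
    (re.compile(r"\\RECYCLER\\", re.I), "executable hidden under RECYCLER"),
    (re.compile(r"ravmon\.exe", re.I), "known worm file name"),
    (re.compile(r"ShellExec_RunDLL\s+\.", re.I), "relative path passed to ShellExec_RunDLL"),
]


def parse_mountpoints(log_text):
    """Return {key_path: {verb: command}} for every MountPoints2 key in the log.

    Also copes with the extraction quirk visible on this page, where a key
    header is glued onto the end of the previous command line.
    """
    text = re.sub(r"(?<=\S)(\[HKCU\\)", lambda m: "\n" + m.group(1), log_text)
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        m = VERB_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1).lower()] = m.group(2).strip()
    return entries


def assess(entries):
    """Map each key to the list of reasons it looks like a removable-drive infection."""
    findings = {}
    for key, verbs in entries.items():
        reasons = []
        for verb, cmd in verbs.items():
            for pattern, why in SUSPECT_PATTERNS:
                if pattern.search(cmd):
                    reasons.append(f"{verb}: {why}")
        findings[key] = reasons
    return findings


def build_fix_reg(keys):
    """Emit REGEDIT4 text that deletes the given keys ([-key] syntax), as in the
    Fix.reg step above. Save the returned text with a .reg extension to use it."""
    body = "\n".join(f"[-{key}]" for key in keys)
    return "REGEDIT4\n\n" + body + "\n"


def triage(log_text, remove_all=False):
    """Return (fix_reg_text, findings). remove_all mirrors the choice made in the
    thread to delete every stale MountPoints2 key, not only the flagged ones."""
    entries = parse_mountpoints(log_text)
    findings = assess(entries)
    targets = [key for key, reasons in findings.items() if remove_all or reasons]
    return build_fix_reg(targets), findings


if __name__ == "__main__":
    reg_text, results = triage(SAMPLE_LOG)
    for key, reasons in results.items():
        guid = key.rsplit("\\", 1)[1]
        print(guid, "->", reasons or ["no indicator; stale autorun entry"])
    print(reg_text)
```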

Logfile of HijackThis v1.99.1
Scan saved at 16:04:18, on 8/4/2550
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 207.210.93.28 game01.us.segaonline.jp
O1 - Hosts: 207.210.93.28 game01.psobb.segaonline.jp
O1 - Hosts: 207.210.93.28 patch01.us.segaonline.jp
O1 - Hosts: 207.210.93.28 patch01.psobb.segaonline.jp
O1 - Hosts: 220.232.214.116 vbseo.xbuser.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.19.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Camfrog Toolbar - {AF2A1C5A-1AED-4E92-8BA8-D708EB79537E} - C:\Program Files\Camfrog\CamfrogBar\CamfrogBar.dll (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Camfrog Toolbar - {AF2A1C5A-1AED-4E92-8BA8-D708EB79537E} - C:\Program Files\Camfrog\CamfrogBar\CamfrogBar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: ดาวน์โหลดทั้งหมดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: ดาวน์โหลดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/read...
O16 - DPF: {23D236EA-B936-4B2B-900C-D0E8DBBF9570} (BugsGameStarts Class) - http://audition.playpark.com/login/...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8E82893F-7ED1-4811-A247-580DCC0E2629} (SFLauncherTDE Class) - http://www.sf.in.th/activex/Starter...
O17 - HKLM\System\CCS\Services\Tcpip\..\{76EDB05E-3171-416C-ACD2-B15E5ECB9AAC}: NameServer = 203.144.207.29 203.144.207.49
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

"Administrator" - 07-04-08 16:05:40 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Administrator\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2007-03-08 to 2007-04-08 ))))))))))))))))))))))))))))))))))
2007-04-08 15:59 <DIR> drahs---- C:\autorun.inf
2007-04-08 01:52 0 --a------ C:\WINDOWS\system32\CMMGR32.exe
2007-04-08 01:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-04-08 01:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-08 01:47 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-07 14:36 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-07 14:36 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-07 14:36 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-04-07 14:36 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-07 14:36 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-04-07 14:36 1,876 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-07 14:32 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-04-07 14:32 516,784 -ra------ C:\WINDOWS\system32\XceedCry.dll
2007-04-07 14:32 44,544 --a------ C:\WINDOWS\system32\Gif89.dll
2007-04-07 14:32 217,088 --a------ C:\WINDOWS\system32\DartSock.dll
2007-04-07 14:32 118,784 --a------ C:\WINDOWS\system32\DartWeb.dll
2007-04-07 14:32 <DIR> d-------- C:\Program Files\Convar
2007-04-06 03:35 <DIR> dr------- C:\DOCUME~1\ALLUSE~1.WIN\Documents
2007-04-06 03:33 <DIR> d-------- C:\D
2007-04-06 03:27 <DIR> d-------- C:\WINDOWS0
2007-04-06 03:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-04-06 02:09 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-06 02:09 39,184 --a------ C:\WINDOWS\system32\Ntrights.exe
2007-04-06 02:09 175,616 --a------ C:\WINDOWS\system32\strings.exe
2007-04-06 02:09 16,384 --a------ C:\WINDOWS\system32\restart.exe
2007-04-06 02:09 126,976 --a------ C:\WINDOWS\system32\zip.exe
2007-04-06 02:09 11,254 --a------ C:\WINDOWS\system32\locate.com
2007-04-05 23:49 <DIR> d-------- C:\!KillBox
2007-04-05 23:41 <DIR> d-------- C:\Program Files\CCleaner
2007-04-05 20:47 290,816 ---h----- C:\DOCUME~1\DEFAUL~1.WIN\NTUSER.DAT
2007-04-05 20:46 <DIR> d--hs---- C:\DOCUME~1\ALLUSE~1.WIN\DRM
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Utilities
2007-04-05 20:43 <DIR> d-------- C:\Program Files\TaskSwitchXP
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Multimedia
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Microsoft PowerToys
2007-04-05 20:43 <DIR> d-------- C:\Program Files\HashTab Shell Extension
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Foxit
2007-03-28 04:18 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-03-28 03:47 <DIR> d-------- C:\somethin
2007-03-26 22:16 1,056 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-03-26 22:11 <DIR> d-------- C:\Program Files\PowerQuest
2007-03-16 02:00 646,392 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-03-09 01:43 155,411 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-03-09 00:37 <DIR> d-------- C:\Program Files\—zหตฬ’ฬA
2007-03-09 00:14 20,992 --a------ C:\WINDOWS\jestertb.dll
2007-03-08 00:12 14 --a------ C:\DOCUME~1\ADMINI~1\getfile.dat
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-08 01:47 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-04-07 18:54 -------- d-------- C:\Program Files\warcraft iii
2007-04-07 14:32 -------- d--h----- C:\Program Files\installshield installation information
2007-04-05 23:41 -------- d-------- C:\Program Files\yahoo!
2007-04-05 20:45 -------- d-------- C:\Program Files\movie maker
2007-04-05 20:43 -------- d-------- C:\Program Files\windows nt
2007-04-05 20:43 -------- d-------- C:\Program Files\messenger
2007-04-04 20:39 25 --a------ C:\WINDOWS\system32\grecorder.dll
2007-04-04 05:41 -------- d-------- C:\Program Files\bitcomet
2007-04-03 01:25 -------- d-------- C:\Program Files\super dancer online
2007-03-31 00:25 -------- d-------- C:\Program Files\spss evaluation
2007-03-31 00:20 205 --a------ C:\WINDOWS\system32\lsprst7.dll
2007-03-24 00:34 2560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-03-10 03:29 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2007-03-09 00:38 -------- d-------- C:\Program Files\—zหตฬ’ฬa
2007-03-02 18:37 -------- d-------- C:\Program Files\maxthon
2007-02-28 06:28 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\getrighttogo
2007-02-28 03:11 -------- d-------- C:\Program Files\config
2007-02-28 02:50 -------- d-------- C:\Program Files\flashget
2007-02-27 15:05 -------- d-------- C:\Program Files\divx
2007-02-27 08:13 -------- d-------- C:\Program Files\handmark
2007-02-27 08:00 -------- d-------- C:\Program Files\astraware
2007-02-27 05:40 -------- d-------- C:\Program Files\crosstec
2007-02-27 05:26 -------- d-------- C:\Program Files\asus
2007-02-26 06:30 -------- d-------- C:\Program Files\msn messenger
2007-02-26 00:09 -------- d-------- C:\Program Files\winroute pro
2007-02-25 22:46 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\help
2007-02-25 21:57 -------- d-------- C:\Program Files\microsoft intellitype pro
2007-02-25 04:29 -------- d-------- C:\Program Files\microsoft activesync
2007-02-25 03:09 -------- d-------- C:\Program Files\kursk
2007-02-25 02:44 -------- d-------- C:\Program Files\pdamill
2007-02-24 02:31 -------- d-------- C:\Program Files\jamdat
2007-02-24 02:17 -------- d-------- C:\Program Files\myst
2007-02-23 23:28 -------- d-------- C:\Program Files\orions legend of wizards for pocket pc
2007-02-21 00:52 -------- d-------- C:\Program Files\jaya
2007-02-20 18:44 -------- d-------- C:\Program Files\silver coins
2007-02-20 16:57 -------- d-------- C:\Program Files\k-lite codec pack
2007-02-20 03:21 -------- d-------- C:\Program Files\image grabber ii
2007-02-20 00:46 -------- d-------- C:\Program Files\quicktime alternative
2007-02-20 00:46 -------- d-------- C:\Program Files\media player classic
2007-02-20 00:46 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\apple computer
2007-02-20 00:45 -------- d-------- C:\Program Files\quicktime
2007-02-19 23:41 -------- d-------- C:\Program Files\itunes
2007-02-19 23:41 -------- d-------- C:\Program Files\ipod
2007-02-19 01:56 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\imagenomic
2007-02-19 01:54 -------- d-------- C:\Program Files\imagenomic
2007-02-19 01:52 -------- d-------- C:\Program Files\noiseware professional plug-in
2007-02-19 01:40 1024 --a------ C:\WINDOWS\system32\clauth2.dll
2007-02-19 01:40 1024 --a------ C:\WINDOWS\system32\clauth1.dll
2007-02-19 01:40 0 --a------ C:\WINDOWS\system32\ssprs.dll
2007-02-19 01:40 0 --a------ C:\WINDOWS\system32\serauth2.dll
2007-02-19 01:40 0 --a------ C:\WINDOWS\system32\serauth1.dll
2007-02-19 01:40 0 --a------ C:\WINDOWS\system32\nsprs.dll
2007-02-19 01:38 1025 --a------ C:\WINDOWS\system32\sysprs7.dll
2007-02-17 05:49 -------- d-------- C:\Program Files\winner
2007-02-17 04:51 -------- d-------- C:\Program Files\binaryfish
2007-02-13 17:54 -------- d-------- C:\Program Files\java
2007-02-11 03:58 64608 --a------ C:\WINDOWS\war3unin.dat
2007-02-11 03:58 2829 --a------ C:\WINDOWS\war3unin.pif
2007-02-11 03:58 139264 --a------ C:\WINDOWS\war3unin.exe
2007-02-08 00:58 -------- d-------- C:\Program Files\ultra video splitter
2007-02-01 05:56 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-01-30 12:03 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-30 12:03 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-30 06:03 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-30 05:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-30 05:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-09 18:46 10752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-01-03 21:48 134002 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\cosmos prefs
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"Launch Ai Booster"="\"C:\\Program Files\\ASUS\\Ai Booster\\OverClk.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Y'z ToolBar.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\Y'z ToolBar.lnk"
"backup"="C:\\WINDOWS\\pss\\Y'z ToolBar.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\BRICOP~1\\VISTAI~1\\YZTOOL~1\\YZTOOL~1.exe "
"item"="Y'z ToolBar"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.exe "
"item"="Adobe Reader Speed Launch"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Photosmart Premier Fast Start.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Photosmart Premier Fast Start.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqthb08.exe -s"
"item"="HP Photosmart Premier Fast Start"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.exe -b -l"
"item"="Microsoft Office"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AsRunHelp"
"hkey"="HKLM"
"command"="C:\\Program Files\\ASUS\\AASP\\1.00.14\\AsRunHelp.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dxdllreg"
"hkey"="HKLM"
"command"="dxdllreg.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcescomm"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Application Launcher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="type32"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrCtrl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wrctrl"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\WinRoute Pro\\wrctrl.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=dword:00000002
"wuauserv"=dword:00000002
"iPod Service"=dword:00000003
"helpsvc"=dword:00000002
"ERSvc"=dword:00000002
"Macromedia Licensing Service"=dword:00000003
"Adobe LM Service"=dword:00000003
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"=dword:00000000
"SynchronousUserGroupPolicy"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001
"NoSaveSettings"=dword:00000000
"NoWindowsUpdate"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3de357cf-f717-11da-9511-806d6172696f}]
Shell\AutoRun\command E:\setup.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4af3e04d-4595-11db-9e93-0013d4b52276}]
Shell\Auto\command RavMon.exe e
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL RavMon.exe e
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{702186dc-9d7c-11db-9eb9-0013d4b52276}]
Shell\1\Command K:\.\RECYCLER\RECYCLER\autorun.exe
Shell\2\Command K:\.\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e3729367-f9de-11da-9fdf-0013d4b52276}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e7684646-40e2-11db-a013-0013d4b52276}]
Shell\1\Command .\RECYCLER\RECYCLER\autorun.exe
Shell\2\Command .\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffc4188d-b835-11db-9ec3-0013d4b52276}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffc41924-b835-11db-9ec3-0013d4b52276}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1150225234.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-08 16:08:50
C:\ComboFix-quarantined-files.txt ... 07-04-08 16:08
C:\ComboFix2.txt ... 07-04-08 02:28
C:\ComboFix3.txt ... 07-04-07 14:40

Open notepad (Start Menu > Run > type notepad and press "OK").
Copy and paste everything into notepad between the x's making regedit4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKLM\SOFTWARE\Microsoft\MSSMGR]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it Fix.reg, then save it to your desktop.
Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.
Go to this link http://vil.nai.com/vil/stinger/ and download and run the "Stinger" version for W32/Rjump.worm. Follow the directions to include all drives connected to your computer.
Post a new combofix log please.

It said that that version of Stinger is outdated; is it OK? I downloaded that one anyway. And by the way, thank you very very much, jabuck, for taking the time to help me step by step to get rid of this virus. I really appreciate it.

"Administrator" - 07-04-09 2:03:44 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Administrator\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2007-03-09 to 2007-04-09 ))))))))))))))))))))))))))))))))))
2007-04-08 16:32 <DIR> d-------- C:\WINDOWS\system32\AdCache
2007-04-08 15:59 <DIR> drahs---- C:\autorun.inf
2007-04-08 01:52 0 --a------ C:\WINDOWS\system32\CMMGR32.exe
2007-04-08 01:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-04-08 01:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-08 01:47 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-07 14:36 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-07 14:36 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-07 14:36 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-04-07 14:36 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-07 14:36 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-04-07 14:36 1,876 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-07 14:32 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-04-07 14:32 516,784 -ra------ C:\WINDOWS\system32\XceedCry.dll
2007-04-07 14:32 44,544 --a------ C:\WINDOWS\system32\Gif89.dll
2007-04-07 14:32 217,088 --a------ C:\WINDOWS\system32\DartSock.dll
2007-04-07 14:32 118,784 --a------ C:\WINDOWS\system32\DartWeb.dll
2007-04-07 14:32 <DIR> d-------- C:\Program Files\Convar
2007-04-06 03:35 <DIR> dr------- C:\DOCUME~1\ALLUSE~1.WIN\Documents
2007-04-06 03:33 <DIR> d-------- C:\D
2007-04-06 03:27 <DIR> d-------- C:\WINDOWS0
2007-04-06 03:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-04-06 02:09 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-06 02:09 39,184 --a------ C:\WINDOWS\system32\Ntrights.exe
2007-04-06 02:09 175,616 --a------ C:\WINDOWS\system32\strings.exe
2007-04-06 02:09 16,384 --a------ C:\WINDOWS\system32\restart.exe
2007-04-06 02:09 126,976 --a------ C:\WINDOWS\system32\zip.exe
2007-04-06 02:09 11,254 --a------ C:\WINDOWS\system32\locate.com
2007-04-05 23:49 <DIR> d-------- C:\!KillBox
2007-04-05 23:41 <DIR> d-------- C:\Program Files\CCleaner
2007-04-05 20:47 290,816 ---h----- C:\DOCUME~1\DEFAUL~1.WIN\NTUSER.DAT
2007-04-05 20:46 <DIR> d--hs---- C:\DOCUME~1\ALLUSE~1.WIN\DRM
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Utilities
2007-04-05 20:43 <DIR> d-------- C:\Program Files\TaskSwitchXP
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Multimedia
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Microsoft PowerToys
2007-04-05 20:43 <DIR> d-------- C:\Program Files\HashTab Shell Extension
2007-04-05 20:43 <DIR> d-------- C:\Program Files\Foxit
2007-03-28 04:18 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-03-28 03:47 <DIR> d-------- C:\somethin
2007-03-26 22:16 1,056 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-03-26 22:11 <DIR> d-------- C:\Program Files\PowerQuest
2007-03-16 02:00 646,392 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-03-09 01:43 155,411 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-03-09 00:37 <DIR> d-------- C:\Program Files\—zหตฬ’ฬA
2007-03-09 00:14 20,992 --a------ C:\WINDOWS\jestertb.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-08 16:40 -------- d-------- C:\Program Files\flashget
2007-04-08 01:47 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-04-07 18:54 -------- d-------- C:\Program Files\warcraft iii
2007-04-07 14:32 -------- d--h----- C:\Program Files\installshield installation information
2007-04-05 23:41 -------- d-------- C:\Program Files\yahoo!
2007-04-05 20:45 -------- d-------- C:\Program Files\movie maker
2007-04-05 20:43 -------- d-------- C:\Program Files\windows nt
2007-04-05 20:43 -------- d-------- C:\Program Files\messenger
2007-04-04 20:39 25 --a------ C:\WINDOWS\system32\grecorder.dll
2007-04-04 05:41 -------- d-------- C:\Program Files\bitcomet
2007-04-03 01:25 -------- d-------- C:\Program Files\super dancer online
2007-03-31 00:25 -------- d-------- C:\Program Files\spss evaluation
2007-03-31 00:20 205 --a------ C:\WINDOWS\system32\lsprst7.dll
2007-03-24 00:34 2560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-03-10 03:29 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2007-03-09 00:38 -------- d-------- C:\Program Files\—zหตฬ’ฬa
2007-03-02 18:37 -------- d-------- C:\Program Files\maxthon
2007-02-28 06:28 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\getrighttogo
2007-02-28 03:11 -------- d-------- C:\Program Files\config
2007-02-27 15:05 -------- d-------- C:\Program Files\divx
2007-02-27 08:13 -------- d-------- C:\Program Files\handmark
2007-02-27 08:00 -------- d-------- C:\Program Files\astraware
2007-02-27 05:40 -------- d-------- C:\Program Files\crosstec
2007-02-27 05:26 -------- d-------- C:\Program Files\asus
2007-02-26 06:30 -------- d-------- C:\Program Files\msn messenger
2007-02-26 00:09 -------- d-------- C:\Program Files\winroute pro
2007-02-25 22:46 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\help
2007-02-25 21:57 -------- d-------- C:\Program Files\microsoft intellitype pro
2007-02-25 04:29 -------- d-------- C:\Program Files\microsoft activesync
2007-02-25 03:09 -------- d-------- C:\Program Files\kursk
2007-02-25 02:44 -------- d-------- C:\Program Files\pdamill
2007-02-24 02:31 -------- d-------- C:\Program Files\jamdat
2007-02-24 02:17 -------- d-------- C:\Program Files\myst
2007-02-23 23:28 -------- d-------- C:\Program Files\orions legend of wizards for pocket pc
2007-02-21 00:52 -------- d-------- C:\Program Files\jaya
2007-02-20 18:44 -------- d-------- C:\Program Files\silver coins
2007-02-20 16:57 -------- d-------- C:\Program Files\k-lite codec pack
2007-02-20 03:21 -------- d-------- C:\Program Files\image grabber ii
2007-02-20 00:46 -------- d-------- C:\Program Files\quicktime alternative
2007-02-20 00:46 -------- d-------- C:\Program Files\media player classic
2007-02-20 00:46 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\apple computer
2007-02-20 00:45 -------- d-------- C:\Program Files\quicktime
2007-02-19 23:41 -------- d-------- C:\Program Files\itunes
2007-02-19 23:41 -------- d-------- C:\Program Files\ipod
2007-02-19 01:56 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\imagenomic
2007-02-19 01:54 -------- d-------- C:\Program Files\imagenomic
2007-02-19 01:52 -------- d-------- C:\Program Files\noiseware professional plug-in
2007-02-19 01:40 1024 --a------ C:\WINDOWS\system32\clauth2.dll
2007-02-19 01:40 1024 --a------ C:\WINDOWS\system32\clauth1.dll
2007-02-19 01:40 0 --a------ C:\WINDOWS\system32\ssprs.dll
2007-02-19 01:40 0 --a------ C:\WINDOWS\system32\serauth2.dll
2007-02-19 01:40 0 --a------ C:\WINDOWS\system32\serauth1.dll
2007-02-19 01:40 0 --a------ C:\WINDOWS\system32\nsprs.dll
2007-02-19 01:38 1025 --a------ C:\WINDOWS\system32\sysprs7.dll
2007-02-17 05:49 -------- d-------- C:\Program Files\winner
2007-02-17 04:51 -------- d-------- C:\Program Files\binaryfish
2007-02-13 17:54 -------- d-------- C:\Program Files\java
2007-02-11 03:58 64608 --a------ C:\WINDOWS\war3unin.dat
2007-02-11 03:58 2829 --a------ C:\WINDOWS\war3unin.pif
2007-02-11 03:58 139264 --a------ C:\WINDOWS\war3unin.exe
2007-02-01 05:56 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-01-30 12:03 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-30 12:03 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-30 06:03 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-30 05:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-30 05:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-09 18:46 10752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-01-03 21:48 134002 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\cosmos prefs
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"Launch Ai Booster"="\"C:\\Program Files\\ASUS\\Ai Booster\\OverClk.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Y'z ToolBar.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\Y'z ToolBar.lnk"
"backup"="C:\\WINDOWS\\pss\\Y'z ToolBar.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\BRICOP~1\\VISTAI~1\\YZTOOL~1\\YZTOOL~1.exe "
"item"="Y'z ToolBar"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.exe "
"item"="Adobe Reader Speed Launch"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Photosmart Premier Fast Start.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Photosmart Premier Fast Start.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqthb08.exe -s"
"item"="HP Photosmart Premier Fast Start"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.exe -b -l"
"item"="Microsoft Office"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AsRunHelp"
"hkey"="HKLM"
"command"="C:\\Program Files\\ASUS\\AASP\\1.00.14\\AsRunHelp.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dxdllreg"
"hkey"="HKLM"
"command"="dxdllreg.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcescomm"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Application Launcher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="type32"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrCtrl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wrctrl"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\WinRoute Pro\\wrctrl.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=dword:00000002
"wuauserv"=dword:00000002
"iPod Service"=dword:00000003
"helpsvc"=dword:00000002
"ERSvc"=dword:00000002
"Macromedia Licensing Service"=dword:00000003
"Adobe LM Service"=dword:00000003
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"=dword:00000000
"SynchronousUserGroupPolicy"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001
"NoSaveSettings"=dword:00000000
"NoWindowsUpdate"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3de357cf-f717-11da-9511-806d6172696f}]
Shell\AutoRun\command E:\setup.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4af3e04d-4595-11db-9e93-0013d4b52276}]
Shell\Auto\command RavMon.exe e
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL RavMon.exe e
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{702186dc-9d7c-11db-9eb9-0013d4b52276}]
Shell\1\Command K:\.\RECYCLER\RECYCLER\autorun.exe
Shell\2\Command K:\.\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e3729367-f9de-11da-9fdf-0013d4b52276}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e7684646-40e2-11db-a013-0013d4b52276}]
Shell\1\Command .\RECYCLER\RECYCLER\autorun.exe
Shell\2\Command .\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffc4188d-b835-11db-9ec3-0013d4b52276}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffc41924-b835-11db-9ec3-0013d4b52276}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1150225234.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-09 2:06:37
C:\ComboFix-quarantined-files.txt ... 07-04-09 02:06
C:\ComboFix2.txt ... 07-04-08 16:08
C:\ComboFix3.txt ... 07-04-08 02:28
