Alrighty! So since I didn't have explorer.exe working for the ComboFix thing where I drag the XP file, I used the Task Manager, if that's alright. Also, I couldn't click or type No for the ComboFix System Restore thing, so it went ahead anyway... but I kept on going and finished the rest of the steps. It fixed explorer.exe's disappearing act, but I'm still positive there's something wrong, because when it booted after the SDFix scanning thing, there was a black screen that said INVALID BOOT.INI File, or missing something like that, sorry my memory's pretty bad (but it's not the first time I've seen it; it just opens occasionally). Anyway, here are my logs:
SDFix: Version 1.212
Run by Mohamed on 2008-08-04 at 01:28
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Mohamed\Desktop\SDFIX\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\nvrsul32.dll - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-04 01:47:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:1d,0a,a4,33,69,ce,b9,0e,15,93,0e,f8,19,a0,0d,97,58,1b,98,d9,5a,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,68,d2,1d,25,89,4c,c4,72,e0,df,8b,96,0c,fb,eb,67,6e,..
"khjeh"=hex:85,a2,26,fc,94,af,06,52,9f,bb,96,0e,9b,36,bb,6a,ec,c9,1c,8c,4e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:10,0a,17,f8,fc,bf,81,a0,64,a8,f4,8a,c7,ee,46,f3,f0,2f,15,e2,2d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:2c,e7,23,b5,0a,08,3d,24,e9,e1,73,61,b6,49,4c,2e,cb,96,14,a5,c5,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:d60abf16
"s2"=dword:cd4f5905
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:1d,0a,a4,33,69,ce,b9,0e,15,93,0e,f8,19,a0,0d,97,58,1b,98,d9,5a,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,68,d2,1d,25,89,4c,c4,72,e0,df,8b,96,0c,fb,eb,67,6e,..
"khjeh"=hex:ec,14,ef,7f,9a,49,09,2d,ea,a9,d4,22,76,e1,2a,8e,4f,51,84,19,fc,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:dd,e9,36,88,ee,17,82,2d,30,9a,37,6a,3f,de,ac,7a,6d,6f,82,a0,83,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:32,2a,71,40,a4,b8,f0,66,65,ec,27,33,bb,e4,5f,34,a3,7d,28,50,65,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:91,1f,64,94,f6,ae,6d,64,b9,49,14,90,94,2a,2e,9a,1a,4c,ed,6a,b6,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:3f,db,b2,94,d9,48,4c,b0,ae,e3,2b,aa,27,34,8d,3b,f7,7e,2d,9a,9c,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:1d,0a,a4,33,69,ce,b9,0e,15,93,0e,f8,19,a0,0d,97,58,1b,98,d9,5a,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,68,d2,1d,25,89,4c,c4,72,e0,df,8b,96,0c,fb,eb,67,6e,..
"khjeh"=hex:ec,14,ef,7f,9a,49,09,2d,ea,a9,d4,22,76,e1,2a,8e,4f,51,84,19,fc,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:dd,e9,36,88,ee,17,82,2d,30,9a,37,6a,3f,de,ac,7a,6d,6f,82,a0,83,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:32,2a,71,40,a4,b8,f0,66,65,ec,27,33,bb,e4,5f,34,a3,7d,28,50,65,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:91,1f,64,94,f6,ae,6d,64,b9,49,14,90,94,2a,2e,9a,1a,4c,ed,6a,b6,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:3f,db,b2,94,d9,48,4c,b0,ae,e3,2b,aa,27,34,8d,3b,f7,7e,2d,9a,9c,..
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\pdwpamt.exe"="C:\\pdwpamt.exe:*:Enabled:Server"
"C:\\Documents and Settings\\Mohamed\\My Documents\\Downloads\\Programs\\utorrent.exe"="C:\\Documents and Settings\\Mohamed\\My Documents\\Downloads\\Programs\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Program Files\\Internet Download Manager\\IDMan.exe"="C:\\Program Files\\Internet Download Manager\\IDMan.exe:*:Enabled:Internet Download Manager"
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"="C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\\windows\\system32\\wtbedpjq.exe"="C:\\windows\\system32\\wtb"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\\Documents and Settings\\Mohamed\\Local Settings\\Temp\\usmt\\migwiz.exe"="C:\\Documents and Settings\\Mohamed\\Local Settings\\Temp\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Disabled:Veoh Client"
"C:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe"="C:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe:*:Enabled:Firefox"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Administrative Tools\\Recycle Bin\\kdja.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Administrative Tools\\Recycle Bin\\kdja.exe:*:Enabled:windows media player streaming service"
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"="C:\\Program Files\\Microsoft Games\\Halo\\halo.exe:*:Disabled:Halo"
"C:\\Program Files\\Steam\\steamapps\\mo3al1\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\mo3al1\\counter-strike source\\hl2.exe:*:Disabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\farah010\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\farah010\\counter-strike source\\hl2.exe:*:Disabled:hl2"
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe:*:Disabled:Kaspersky Anti-Virus"
"C:\\Program Files\\PPLive\\PPLive.exe"="C:\\Program Files\\PPLive\\PPLive.exe:*:Disabled:PPLive"
"C:\\Program Files\\PPMate\\ppmnet.exe"="C:\\Program Files\\PPMate\\ppmnet.exe:*:Disabled:PPMate"
"C:\\Program Files\\PPMate\\PPMate\\ppmate.exe"="C:\\Program Files\\PPMate\\PPMate\\ppmate.exe:*:Disabled:PPMate"
"C:\\Program Files\\PPMate\\ppmate.exe"="C:\\Program Files\\PPMate\\ppmate.exe:*:Disabled:PPMate"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\pdwpamt.exe"="C:\\pdwpamt.exe:*:Enabled:Server"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
File Backups: - C:\DOCUME~1\Mohamed\Desktop\SDFIX\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 3 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Tue 3 Aug 2004 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed 18 Oct 2006 64,000 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Sun 26 Nov 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 19 Feb 2007 25,600 ...H. --- "C:\Documents and Settings\Mohamed\My Documents\~WRL0001.tmp"
Thu 10 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a7b63628b39fd8bdb7e535e34d0ea696\BIT2.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\BIT2.tmp"
Wed 19 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT141.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT3.tmp"
Mon 26 Nov 2007 1,745 ...HR --- "C:\Documents and Settings\Mohamed\Application Data\SecuROM\UserData\securom_v7_01.bak"
Finished!
ComboFix 08-08-03.03 - Mohamed 2008-08-04 2:03:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.672 [GMT -6:00]
Running from: C:\Documents and Settings\Mohamed\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Mohamed\Application Data\macromedia\Flash Player\#SharedObjects\9LYCQ8CV\iforex.com
C:\Documents and Settings\Mohamed\Application Data\macromedia\Flash Player\#SharedObjects\9LYCQ8CV\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Mohamed\Application Data\macromedia\Flash Player\#SharedObjects\9LYCQ8CV\interclick.com
C:\Documents and Settings\Mohamed\Application Data\macromedia\Flash Player\#SharedObjects\9LYCQ8CV\interclick.com\ud.sol
C:\Documents and Settings\Mohamed\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Mohamed\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\Mohamed\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Mohamed\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Mohamed\err.log
C:\Documents and Settings\Mohamed\My Documents\FNTS~1
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\1.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\1_2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\1_3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\1_4.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\2_2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\2_3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\2_4.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\2297_1.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\2297_6.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\3_2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\3_3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\3_4.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\4.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\4_2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\4_3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\4_4.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\anime1.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\anime2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\anime3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\anime4.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\anime5.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\anime6.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_1.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_1_2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_1_3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_2_2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_2_3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_3_2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_3_3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_4.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_4_2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_4_3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\promo10_marked.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\promo11_marked.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\promo11_marked_2.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\promo13_marked.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\promo2_marked.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\promo3_marked.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\promo7_marked.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\promo7_marked_2.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\promo8_marked.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\Thumbs.db
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\V01222_big_02.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\V51730_big_05.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\Thumbs.db
C:\Program Files\Common Files\{2028C~1
C:\Program Files\Common Files\{3028C~1
C:\temp\tn3
C:\windows\BM231bfa42.txt
C:\windows\cookies.ini
C:\windows\pskt.ini
C:\windows\Spyware Remover.ico
C:\WINDOWS\system32\aayIRXbc.ini
C:\WINDOWS\system32\aayIRXbc.ini2
C:\windows\system32\ahevlxbg.ini
C:\windows\system32\ahlxeasb.ini
C:\windows\system32\algrmgnc.ini
C:\windows\system32\attdyogx.ini
C:\windows\system32\avbsoioq.ini
C:\windows\system32\axgaiewt.ini
C:\windows\system32\bfroipub.ini
C:\windows\system32\bidkbhgk.ini
C:\windows\system32\birsbour.ini
C:\windows\system32\boctmaki.ini
C:\windows\system32\boouwqdy.ini
C:\windows\system32\cbntigyh.ini
C:\windows\system32\cbXRIyaa.dll
C:\windows\system32\cgogmzbl.dllbox
C:\windows\system32\components
C:\windows\system32\dbmrbytx.ini
C:\windows\system32\dhikhwka.ini
C:\windows\system32\dhtyxhcm.ini
C:\windows\system32\dmxbfuil.ini
C:\windows\system32\drivers\core.cache.dsk
C:\windows\system32\drvkovr.dll
C:\windows\system32\dywewjpo.ini
C:\windows\system32\eeidqtbm.ini
C:\windows\system32\enuatkux.ini
C:\windows\system32\equjioew.ini
C:\windows\system32\eqwfcoht.ini
C:\windows\system32\ffubenpx.ini
C:\windows\system32\fgwbwhfj.ini
C:\windows\system32\fisqwbrx.ini
C:\windows\system32\fnjcbokd.ini
C:\windows\system32\gacbikud.ini
C:\windows\system32\guhkcnwi.ini
C:\windows\system32\hgybukaw.ini
C:\windows\system32\hilyacmg.ini
C:\windows\system32\ijhtsltj.ini
C:\windows\system32\ilmsytma.ini
C:\windows\system32\jamfbvsg.ini
C:\windows\system32\jvwtkjca.ini
C:\windows\system32\kaiomhcl.ini
C:\WINDOWS\system32\kjkmp.ini
C:\WINDOWS\system32\kjkmp.ini2
C:\windows\system32\lieegofj.ini
C:\windows\system32\ljcqpkqf.ini
C:\windows\system32\llryxkys.ini
C:\windows\system32\lukkiikj.ini
C:\windows\system32\lyogoahv.ini
C:\windows\system32\mcrh.tmp
C:\WINDOWS\system32\mlnmp.bak1
C:\WINDOWS\system32\mlnmp.bak2
C:\windows\system32\mlnmp.ini
C:\WINDOWS\system32\mlnmp.ini2
C:\windows\system32\mlwpkobh.ini
C:\windows\system32\mtyuqcgs.ini
C:\windows\system32\nnasllxi.ini
C:\windows\system32\obtinqtl.ini
C:\windows\system32\ojigpgys.ini
C:\windows\system32\oromycrg.ini
C:\windows\system32\otvipwuw.ini
C:\windows\system32\pggjvvje.ini
C:\windows\system32\phpmwaaf.ini
C:\windows\system32\qnhlmxja.ini
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\qqtss.ini2
C:\windows\system32\raujkfxg.ini
C:\windows\system32\rbrjaebw.ini
C:\windows\system32\rjhewohf.ini
C:\windows\system32\sgattpyq.ini
C:\windows\system32\sgjytjqe.ini
C:\windows\system32\shsthgux.ini
C:\windows\system32\sysogg.dll
C:\windows\system32\tjwgukre.ini
C:\windows\system32\tmcourtp.ini
C:\windows\system32\tpbofusv.ini
C:\windows\system32\ujmcrveo.ini
C:\WINDOWS\system32\ututv.ini
C:\WINDOWS\system32\ututv.ini2
C:\windows\system32\uvojdyaf.ini
C:\windows\system32\vcxoqdou.ini
C:\windows\system32\vrbwfqdu.ini
C:\windows\system32\vsprineq.ini
C:\windows\system32\vtpbnyyj.ini
C:\windows\system32\wdddfpxd.ini
C:\windows\system32\whymkflr.ini
C:\windows\system32\wiqjwjos.ini
C:\windows\system32\wyfbtswt.ini
C:\windows\system32\xaqqsmpk.ini
C:\WINDOWS\system32\xbadd.ini
C:\WINDOWS\system32\xbadd.ini2
C:\windows\system32\xgoqfxje.ini
C:\windows\system32\ydyalepu.ini
C:\windows\system32\ygcpytqf.ini
C:\windows\system32\yorqrykr.ini
C:\windows\system32\yxaeitst.ini
.
((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.
2008-07-29 13:42 . 2008-07-29 13:42 <DIR> d-------- C:\Deckard
2008-07-29 13:34 . 2008-07-29 13:34 <DIR> d-------- C:\ie-spyad_zo
2008-07-28 17:14 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-28 17:08 . 2008-07-28 17:08 <DIR> d-------- C:\Program Files\Panda Security
2008-07-28 16:47 . 2008-07-28 16:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-28 16:47 . 2008-07-28 16:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-28 16:44 . 2008-07-28 16:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-27 02:03 . 2008-07-27 02:03 <DIR> d-------- C:\Documents and Settings\Mohamed\DoctorWeb
2008-07-27 01:11 . 2008-07-27 01:12 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-27 00:25 . 2008-07-27 00:25 60,416 --a------ C:\WINDOWS\ALCFDRTM.VER
2008-07-27 00:25 . 2008-07-27 00:25 60,416 --a------ C:\WINDOWS\ALCFDRTM.EXE
2008-07-25 18:14 . 2008-07-25 18:14 100 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-07-25 02:59 . 2008-07-25 02:59 <DIR> d-------- C:\Program Files\AVG
2008-07-20 21:14 . 2008-07-20 21:14 <DIR> d-------- C:\Program Files\MP3 Converter Simple
2008-07-20 21:14 . 2002-11-13 11:14 1,703,936 --a------ C:\WINDOWS\system32\NCTAudioFile.dll
2008-07-20 21:04 . 2008-07-20 21:12 <DIR> d-------- C:\Program Files\AtomixMP3
2008-07-11 13:19 . 2008-07-11 13:19 <DIR> d-------- C:\Nexon
2008-07-09 14:35 . 2006-08-16 05:58 100,352 -----c--- C:\WINDOWS\system32\dllcache\6to4svc.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 08:02 --------- d-----w C:\Documents and Settings\Mohamed\Application Data\DMCache
2008-08-04 07:18 60,668 --sha-w C:\windows\system32\drivers\fidbox.idx
2008-08-04 07:18 6,223,904 --sha-w C:\windows\system32\drivers\fidbox.dat
2008-08-04 07:18 12,284 --sha-w C:\windows\system32\drivers\fidbox2.idx
2008-08-04 07:18 119,584 --sha-w C:\windows\system32\drivers\fidbox2.dat
2008-08-04 06:58 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 5
2008-07-29 19:42 --------- d-----w C:\Documents and Settings\Mohamed\Application Data\Azureus
2008-07-29 06:45 --------- d-----w C:\Program Files\Internet Download Manager
2008-07-28 23:06 --------- d-----r C:\Program Files\TypingMaster
2008-07-28 22:44 --------- d-----w C:\Program Files\Active WebCam
2008-07-28 22:43 --------- d-----w C:\Documents and Settings\Mohamed\Application Data\IDM
2008-07-27 06:12 --------- d-----w C:\Documents and Settings\Mohamed\Application Data\LimeWire
2008-07-22 18:47 --------- d-----w C:\Program Files\Winamp
2008-07-22 18:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-09 14:34 206,256 ----a-w C:\windows\system32\idmmbc.dll
2008-07-02 20:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-27 21:25 15,452,536 ----a-w C:\IE7-WindowsXP-x86-enu.exe
2008-06-20 17:41 245,248 ----a-w C:\windows\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\windows\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\windows\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\windows\system32\drivers\tcpip6.sys
2008-06-17 16:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-06-16 09:06 --------- d-----w C:\Documents and Settings\Mohamed\Application Data\FindeXer
2008-06-14 07:49 --------- d-----w C:\Program Files\mkv2vob
2008-06-14 07:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-13 13:10 272,128 ------w C:\windows\system32\drivers\bthport.sys
2008-06-11 23:46 --------- d-----w C:\Program Files\Veoh Networks
2008-06-10 20:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-15 06:12 29,480 ----a-w C:\windows\system32\msxml3a.dll
2008-05-14 18:40 166,447 ----a-w C:\windows\Video Cleaner Pro Uninstaller.exe
2008-05-14 08:15 160,373 ----a-w C:\windows\MPEG-4 Booster Pack Uninstaller.exe
2008-05-07 04:55 1,288,192 ----a-w C:\windows\system32\quartz.dll
2008-01-19 22:04 1 ----a-w C:\Documents and Settings\Mohamed\SI.bin
2007-03-18 04:10 144 ----a-w C:\Program Files\VirtualDub.jobs
2005-01-11 04:41 719,360 ----a-w C:\Program Files\VirtualDub.exe
2005-01-11 04:41 115,217 -c--a-w C:\Program Files\VirtualDub.vdi
2005-01-11 04:38 7,168 ----a-w C:\Program Files\vdremote.dll
2005-01-11 04:38 6,656 ----a-w C:\Program Files\vdicmdrv.dll
2005-01-11 04:38 5,120 -c--a-w C:\Program Files\vdsvrlnk.dll
2005-01-11 04:38 16,384 ----a-w C:\Program Files\auxsetup.exe
2005-01-11 04:37 74,186 -c--a-w C:\Program Files\VirtualDub.vdhelp
2004-02-20 06:35 18,321 -c--a-w C:\Program Files\copying
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-07-28 08:08 2610608]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 20:25 81920]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58 495616]
"WeatherEye"="C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2008-05-30 14:45 4501912]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-05-15 16:11 3644464]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\windows\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"NvMediaCenter"="C:\windows\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-03 23:27 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonui.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
"msacm.ac3filter"= ac3filter.acm
"VIDC.FFDS"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DAEMON Tools.lnk]
backup=C:\WINDOWS\pss\DAEMON Tools.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Mohamed^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Mohamed^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-07 00:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2006-10-23 02:48 40048 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32\V0250Cvw.dll]
-ra------ 2006-01-18 18:58 204800 C:\WINDOWS\system32\V0250Cvw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--------- 2005-10-27 04:00 299008 C:\Program Files\Creative\Shared Files\CamTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2008-07-28 08:08 2610608 C:\Program Files\Internet Download Manager\IDMan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 12:21 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 02:41 8523776 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 02:41 81920 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-12-03 23:27 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-10-24 23:37 35328 C:\Program Files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)
"usnjsvc"=3 (0x3)
"RichVideo"=2 (0x2)
"PREVXAgent"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"IDriverT"=3 (0x3)
"AVG Anti-Spyware Guard"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Internet Download Manager\\IDMan.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
R0 pavboot;pavboot;C:\windows\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 Asapi;Asapi;C:\windows\system32\drivers\Asapi.sys [2002-04-17 21:27]
R2 NinjaVideo Helper.exe;NinjaVideo Helper;C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe [2008-04-10 21:01]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\windows\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S0 Partizan;Partizan;C:\windows\system32\drivers\Partizan.sys []
S3 CEDRIVER53;CEDRIVER53;C:\Program Files\Cheat Engine\dbk32.sys []
S3 Dua1;Dua1;C:\Documents and Settings\Mohamed\Desktop\Maplestory Hacks\Dual Engine\DualEngi.sys []
S3 V0250Dev;Live! Cam Notebook Pro;C:\windows\system32\DRIVERS\V0250Dev.sys [2006-04-05 03:46]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F8B9E5C0-4DCC-CFCF-ABA5-00401D608516}]
C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe
.
Contents of the 'Scheduled Tasks' folder
2008-07-10 C:\windows\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Uniblue RegistryBooster 2 - C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
Notify-opnmLeEu - opnmLeEu.dll
MSConfigStartUp-msnmsgr - C:\Program Files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-VirusBursters - C:\Program Files\VirusBursters\virusbursters.exe
MSConfigStartUp-Zone Labs Client - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Mohamed\Application Data\Mozilla\Firefox\Profiles\3de2v76q.default\
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava11.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava12.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava13.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava14.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava32.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npoji610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npnul32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\nppdf32.dll
FF -: plugin - C:\Program Files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-04 02:05:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-08-04 2:08:40
ComboFix-quarantined-files.txt 2008-08-04 08:07:38
Pre-Run: 23,216,939,008 bytes free
Post-Run: 23,201,193,984 bytes free
380 --- E O F --- 2008-07-10 02:15:20
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:28 AM, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\windows\system32\svchost.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\windows\system32\NOTEPAD.EXE
C:\windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\WINDOWS\Resources\Themes\Crystal.Systema Suite\FindeXer Nightly V1.1.0.3\FindeXer.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?53a22baa9a8b466ba676dad31deb712d
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?53a22baa9a8b466ba676dad31deb712d
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NinjaVideo Helper (NinjaVideo Helper.exe) - NinjaVideo - C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\windows\system32\spoolsv.exe (file missing)
--
End of file - 5084 bytes