Post #15, 05-15-2007, 09:12 AM
j1477
Registered User
 
Join Date: May 2007
Posts: 27
OS: win XP


Re: cannot install any spyware removing software

ComboFix log:

"Laura" - 2007-05-15 21:53:23 Service Pack 2
ComboFix 07-05.08.3.V - Running from: "C:\Documents and Settings\Laura\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-15 ))))))))))))))))))))))))))))))))))


2007-05-13 23:32 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
2007-05-12 22:28 <DIR> d-------- C:\DOCUME~1\Laura\DoctorWeb
2007-05-11 14:49 <DIR> d--hs---- C:\FOUND.001
2007-05-09 20:58 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-05 23:28 <DIR> d--hs---- C:\FOUND.000
2007-05-05 22:56 <DIR> d-------- C:\WINDOWS\Prefetch
2007-05-05 22:18 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-05-05 22:16 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-05-05 22:16 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-05-05 19:07 <DIR> d-------- C:\DOCUME~1\Asraf\APPLIC~1\SUPERAntiSpyware.com
2007-05-05 16:58 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-05 16:58 <DIR> d-------- C:\DOCUME~1\Laura\APPLIC~1\SUPERAntiSpyware.com
2007-05-05 16:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-05 15:57 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-05-05 15:34 <DIR> d-------- C:\Program Files\Greatis
2007-04-30 09:46 414,272 --a------ C:\WINDOWS\system32\DivXc32f.dll
2007-04-30 09:46 414,272 --a------ C:\WINDOWS\system32\DivXc32.dll
2007-04-30 09:46 <DIR> d-------- C:\temp\DivX_311alpha
2007-04-28 20:11 <DIR> d-------- C:\WINDOWS\exefld
2007-04-19 21:57 <DIR> d-------- C:\download
2007-04-19 21:57 <DIR> d-------- C:\DOCUME~1\Laura\APPLIC~1\Offline Explorer
2007-04-19 21:55 <DIR> d-------- C:\Program Files\Offline Explorer Pro
2007-04-16 02:21 <DIR> d-------- C:\mysqldriver
2007-04-15 19:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-05 15:23:04 22,748 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-04-13 12:49:36 -------- d-----w C:\Program Files\Canon
2007-04-13 05:53:08 -------- d-----w C:\Program Files\MSECache
2007-04-08 11:16:52 -------- d-----w C:\Program Files\Norton AntiVirus
2007-04-08 11:15:26 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-04-08 10:41:30 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-04-06 17:43:32 -------- d-----w C:\Program Files\NimoCodec Pack
2007-04-06 07:16:46 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-04-06 06:39:08 -------- d-----w C:\Program Files\Cheetah Burner
2007-04-05 16:18:02 -------- d-----w C:\Program Files\Hero3000
2007-04-05 16:09:34 -------- d-----w C:\Program Files\OrionStudiosX
2007-04-05 13:01:32 -------- d-----w C:\DOCUME~1\Laura\APPLIC~1\Help
2007-04-05 06:15:04 -------- d-----w C:\Program Files\BanglaSoftwareGroup
2007-04-03 13:09:14 -------- d-----w C:\Program Files\Emule Speed Booster
2007-04-03 06:08:54 -------- d-----w C:\Program Files\Webshots
2007-04-03 06:08:54 -------- d-----w C:\DOCUME~1\Laura\APPLIC~1\Webshots
2007-04-03 03:16:52 -------- d-----w C:\DOCUME~1\Laura\APPLIC~1\vlc
2007-04-03 03:09:58 -------- d-----w C:\Program Files\VideoLAN
2007-04-02 19:59:28 -------- d-----w C:\Program Files\TuneUp Utilities 2006
2007-04-02 19:59:28 -------- d-----w C:\DOCUME~1\Laura\APPLIC~1\TuneUp Software
2007-04-02 19:58:30 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-03-30 17:12:46 0 ----a-w C:\CONFIG.SYS
2007-03-30 17:12:46 0 ----a-w C:\AUTOEXEC.BAT
2007-03-29 20:11:04 -------- d-----w C:\Program Files\iMesh
2007-03-29 19:52:54 -------- d-----w C:\Program Files\WinMX Music
2007-03-29 19:30:40 -------- d-----w C:\Program Files\Proxifier
2007-03-29 15:41:22 -------- d-----w C:\Program Files\eMule
2007-03-29 11:12:20 -------- d-----w C:\Program Files\eMule.de
2007-03-29 11:08:44 -------- d-----w C:\DOCUME~1\Laura\APPLIC~1\Google
2007-03-28 14:00:54 -------- d-----w C:\Program Files\WordWeb
2007-03-27 16:48:56 -------- d-----w C:\Program Files\Google
2007-03-27 06:16:52 -------- d-----w C:\Program Files\Alwil Software
2007-03-26 16:28:08 -------- d--h--r C:\DOCUME~1\Laura\APPLIC~1\yahoo!
2007-03-25 20:53:56 -------- d-----w C:\Program Files\Yahoo!
2007-03-25 19:45:04 -------- d-----w C:\Program Files\DAP
2007-03-24 20:46:26 -------- d-----w C:\Program Files\directx
2007-03-24 20:45:22 -------- d-----w C:\Program Files\Multimedia V3.08
2007-03-24 18:43:24 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-24 18:43:00 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-03-23 09:34:12 65,536 --sh--w C:\VIDEOROM.BIN
2007-03-23 09:23:46 1,663 --sh--r C:\MSDOS.SYS
2007-03-19 04:20:08 -------- d-----w C:\DOCUME~1\Laura\APPLIC~1\AdobeUM
2007-03-19 04:02:38 -------- d-----w C:\Program Files\Winamp
2007-03-19 04:00:36 -------- d-----w C:\Program Files\Creative
2007-03-19 03:56:58 -------- d-----w C:\Program Files\TC PowerPack
2007-03-18 0520 -------- d-----w C:\Program Files\microsoft frontpage
2007-03-18 05:03:10 -------- d--h--w C:\Program Files\WindowsUpdate
2007-03-18 05:01:54 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-03-18 05:01:40 -------- d-----w C:\Program Files\Movie Maker
2007-03-18 04:59:46 -------- d-----w C:\Program Files\Online Services
2007-03-18 04:59:34 -------- d-----w C:\Program Files\Messenger
2007-03-18 04:59:30 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-03-18 04:58:42 -------- d-----w C:\Program Files\Windows NT
2007-03-18 04:49:16 -------- d-----w C:\Program Files\Common Files\ODBC
2007-03-18 04:49:12 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-03-06 08:50:54 1,101,824 ----a-w C:\WINDOWS\system32\NMSDVDXU.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{0096CC0A-623C-4829-AD9C-19AF0DC9D8FE}"="C:\Program Files\DAP\DAPIEBar.dll"
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiS Tray"="C:\\WINDOWS\\system32\\sistray.exe"
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\\Program Files\\Google\\Gmail Notifier\\gnotify.exe"
"D066UUtility"="C:\\WINDOWS\\TWAIN_32\\D66U\\D066UUTY.EXE"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

SafeBoot registry key needs to be repaired. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{20941b4c-de19-11db-8e3e-4c0010523213}]
Shell\AutoRun\command RavMon.exe
Shell\explore\Command RavMon.exe -e
Shell\open\Command RavMon.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-15 21:55:39
Windows 5.1.2600 Service Pack 2 FAT

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-15 21:55:53
C:\ComboFix3.txt ... 2007-05-09 20:58
C:\ComboFix-quarantined-files.txt ... 2007-05-15 21:55
C:\ComboFix2.txt ... 2007-05-13 01:26


HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:02:58 PM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\eMule\emule.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TC PowerPack\totalcmd.exe
E:\CD\software\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.20:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

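Added example, not part of j1477's post and not code from ComboFix or HijackThis: a small Python triage script that pulls out of this kind of log the two items a responder would want resolved before reading the file listings, namely the per-volume MountPoints2 keys whose shell verbs launch an executable (the log above shows Shell\AutoRun\command, Shell\explore\Command and Shell\open\Command all pointing at a bare RavMon.exe, which the shell copied from an autorun.inf on whatever drive that GUID belongs to and resolves relative to that drive's root), and the HKCU ProxyServer value (10.0.0.20:3128 here), which sends all of the user's WinINet traffic through a host that should be confirmed as intended. The sample input is a constructed excerpt in the shape of those log lines, and the regexes, function names and executable-suffix list are this example's own assumptions, not anything the tools define.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input in the shape of the ComboFix "Reg Loading Points"
# and HijackThis R1 lines from the post (an excerpt, not the full log).
SAMPLE_LOG = r"""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{20941b4c-de19-11db-8e3e-4c0010523213}]
Shell\AutoRun\command RavMon.exe
Shell\explore\Command RavMon.exe -e
Shell\open\Command RavMon.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aaaaaaaa-0000-0000-0000-000000000000}]
BaseClass Drive

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.20:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
"""

# Per-volume key the shell writes when a drive carrying an autorun.inf is mounted.
MOUNTPOINT_HEADER = re.compile(
    r"^\[HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\(\{[0-9a-f-]+\})\]$",
    re.IGNORECASE,
)
# "Shell\<verb>\command <cmdline>" lines listed under such a key.
SHELL_VERB = re.compile(r"^Shell\\(\w+)\\command\s+(.+)$", re.IGNORECASE)
# HijackThis R1 line carrying the per-user WinINet proxy.
PROXY_SERVER = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (\S+)$")

# Suffixes (this example's choice) that mean a verb runs code instead of opening a folder.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_mountpoints(log_text: str) -> Dict[str, Dict[str, str]]:
    """Map each MountPoints2 volume GUID to its {verb: command line} entries."""
    entries: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:            # a blank line closes the current key block
            current = None
            continue
        header = MOUNTPOINT_HEADER.match(line)
        if header:
            current = header.group(1).lower()
            entries.setdefault(current, {})
            continue
        if current is None:
            continue
        verb = SHELL_VERB.match(line)
        if verb:
            entries[current][verb.group(1).lower()] = verb.group(2).strip()
    return entries


def flag_autorun_handlers(entries: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (guid, verb, command) for every verb whose command launches an executable.

    The command was copied from the volume's autorun.inf, so a bare name such as
    'RavMon.exe' resolves against the root of that drive, not the system folders:
    double-clicking the drive in Explorer runs it."""
    findings: List[Tuple[str, str, str]] = []
    for guid, verbs in entries.items():
        for verb, cmd in verbs.items():
            target = cmd.split()[0].strip('"').lower()
            if target.endswith(EXECUTABLE_SUFFIXES):
                findings.append((guid, verb, cmd))
    return findings


def parse_proxy_server(log_text: str) -> Optional[str]:
    """Return the HKCU ProxyServer value from a HijackThis R1 line, if present."""
    for raw in log_text.splitlines():
        m = PROXY_SERVER.match(raw.strip())
        if m:
            return m.group(1)
    return None


def triage(log_text: str) -> Dict[str, object]:
    """Collect the findings a responder should resolve before anything else."""
    return {
        "autorun_handlers": flag_autorun_handlers(parse_mountpoints(log_text)),
        "proxy_server": parse_proxy_server(log_text),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for guid, verb, cmd in result["autorun_handlers"]:
        print(f"MountPoints2 {guid}: Shell\\{verb}\\command -> {cmd}")
    if result["proxy_server"]:
        print(f"Per-user proxy set: {result['proxy_server']} (confirm it is expected)")
```

Run it against pasted log text; on the live machine the same check is `reg query` on that MountPoints2 key plus a look at the root of every removable drive for autorun.inf and the named executable. The script deliberately does not judge whether RavMon.exe is malicious; it only surfaces that a drive with an autorun handler was connected to this box, which is what needs investigating.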