Registered User
Join Date: Nov 2007
Posts: 1
OS: windows XP
Malware ~ Browser Hijack
I started freaking out when I started my PC and saw the Task Manager disabled when I pressed Ctrl+Alt+Del to kill the process that was doing pop-ups. I googled what to do based on what I saw and I found this link:
http://www.techsupportforum.com/security-center/hijackthis-log-help/resolved-hjt-threads/190936-your-privacy-guard-malware.html

I believe we were having the same problem, so I did what he was told step by step. Attached are:

1] HijackThis (initial run while infected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:55 AM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Ryan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: 60.12.193.37 auto.search.msn.com
O1 - Hosts: 60.12.193.37 auto.search.msn.es
O1 - Hosts: 60.12.193.37 ie.search.msn.com
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\dapbho.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: MSVPS System - {D030D021-9183-4732-833A-AFBC9D51CD98} - C:\WINDOWS\werbetlvm.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: The hdtip - {9C2D86AA-4067-4270-8D51-E6DC5E805D62} - C:\WINDOWS\hdtip.dll
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRA~1\FREEME~2\fmempro.exe" autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VirtualDrive-Y:] subst.exe Y: C:\MEDIAF~1
O4 - HKCU\..\Run: [VirtualDrive-R:] subst.exe R: C:\ISO-BI~1
O4 - HKCU\..\Run: [Softany Monitor Control] C:\Program Files\Softany\Monitor Control\MonitorControl.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ryan\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1041415540437
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: gormet - {38F2E571-0E2E-432E-ABF2-53E9A095C48B} - C:\WINDOWS\gormet.dll
O21 - SSODL: pmkret - {7D8BF1F4-25D9-44F8-A92B-2357E5BBBD7E} - C:\WINDOWS\pmkret.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Ryan\Desktop\sexy wallpaper..jpg

--
End of file - 8669 bytes

2] report.txt (from FixWareout Tool)

Username "Ryan" - 11/29/2007 0:28:33
[Fixwareout edited 9/01/2007]

~~~~~ Prerun check
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....

~~~~~ Misc files.
....

~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTDVDDET"="\"C:\\Program Files\\Creative\\Sound Blaster X-Fi\\DVDAudio\\CTDVDDET.EXE\""
"RCSystem"="\"C:\\Program Files\\Creative\\Shared Files\\Module Loader\\DLLML.exe\" RCSystem * -Startup"
"AudioDrvEmulator"="\"C:\\Program Files\\Creative\\Shared Files\\Module Loader\\DLLML.exe\" -1 AudioDrvEmulator \"C:\\Program Files\\Creative\\Shared Files\\Module Loader\\Audio Emulator\\AudDrvEm.dll\""
"VolPanel"="\"C:\\Program Files\\Creative\\Sound Blaster X-Fi\\Volume Panel\\VolPanel.exe\" /r"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Flashget"="C:\\Program Files\\FlashGet\\flashget.exe /min"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeMem Pro"="\"C:\\PROGRA~1\\FREEME~2\\fmempro.exe\" autostart"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"VirtualDrive-Y:"="subst.exe Y: C:\\MEDIAF~1"
"VirtualDrive-R:"="subst.exe R: C:\\ISO-BI~1"
"Softany Monitor Control"="C:\\Program Files\\Softany\\Monitor Control\\MonitorControl.exe"
"NVIDIA nTune"="\"C:\\Program Files\\NVIDIA Corporation\\nTune\\nTuneCmd.exe\" clear"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

3] C:\rapport.txt (SmitfraudFix)

SmitFraudFix v2.256
Scan done at 0:15:45.10, Thu 11/29/2007
Run from C:\Documents and Settings\Ryan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
60.12.193.37 auto.search.msn.com
60.12.193.37 auto.search.msn.es
60.12.193.37 ie.search.msn.com

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\gormet.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{38F2E571-0E2E-432E-ABF2-53E9A095C48B}]
C:\WINDOWS\hdtip.dll Deleted
C:\WINDOWS\monhop.exe Deleted
C:\WINDOWS\pmkret.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{7D8BF1F4-25D9-44F8-A92B-2357E5BBBD7E}]
C:\WINDOWS\werbet???.dll Deleted
C:\DOCUME~1\Ryan\Desktop\Error Cleaner.url Deleted
C:\DOCUME~1\Ryan\Desktop\Privacy Protector.url Deleted
C:\DOCUME~1\Ryan\Desktop\Spyware?Malware Protection.url Deleted
C:\DOCUME~1\Ryan\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\Ryan\FAVORI~1\Privacy Protector.url Deleted
C:\DOCUME~1\Ryan\FAVORI~1\Spyware?Malware Protection.url Deleted
C:\Program Files\RichVideoCodec\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E4EE8BF1-C472-44CF-B5EC-BA43D2587CB2}: DhcpNameServer=68.87.34.146 68.87.25.194
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E4EE8BF1-C472-44CF-B5EC-BA43D2587CB2}: DhcpNameServer=68.87.34.146 68.87.25.194
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E4EE8BF1-C472-44CF-B5EC-BA43D2587CB2}: DhcpNameServer=68.87.34.146 68.87.25.194
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.34.146 68.87.25.194
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.34.146 68.87.25.194
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.34.146 68.87.25.194

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

4] C:\Combofix.txt (ComboFix)

ComboFix 07-11-29.3 - Ryan 2007-11-29 0:59:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1567 [GMT -5:00]
Running from: C:\Documents and Settings\Ryan\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\dat.txt
C:\WINDOWS\rs.txt
.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.
2007-11-28 23:16 . 2007-11-28 23:16 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-11-28 09:07 . 2007-11-28 09:07 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-28 09:07 . 2007-11-28 09:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-28 08:55 . 2007-11-28 08:55 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\AdwareAlert
2007-11-28 08:49 . 2007-11-28 08:49 512 --a------ C:\ScanSectorLog.dat
2007-11-27 15:35 . 2007-11-27 15:43 139,264 --a------ C:\WINDOWS\War3Unin.exe
2007-11-27 15:35 . 2007-11-27 15:43 51,850 --a------ C:\WINDOWS\War3Unin.dat
2007-11-27 15:35 . 2007-11-27 15:43 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-11-26 01:36 . 2007-11-27 01:34 4,147 --a------ C:\rollback.ini
2007-11-25 20:51 . 2007-11-29 01:05 1,605,664 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-25 20:51 . 2007-11-29 01:04 32,800 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-25 20:51 . 2007-11-29 00:42 23,804 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-25 20:51 . 2007-11-29 00:42 4,904 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-25 20:41 . 2007-03-09 00:01 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-11-24 11:35 . 2007-11-24 11:35 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2007-11-24 11:35 . 2007-11-24 11:35 <DIR> d-------- C:\Program Files\AGEIA Technologies
2007-11-22 10:48 . 2007-11-22 10:48 <DIR> d-------- C:\WINDOWS\system32\xlive
2007-11-21 08:08 . 2007-11-21 08:08 <DIR> d-------- C:\Program Files\AMD
2007-11-20 22:16 . 2004-08-03 22:59 43,136 --a------ C:\WINDOWS\system32\drivers\sbp2port.sys
2007-11-20 22:16 . 2004-08-03 22:59 43,136 --a--c--- C:\WINDOWS\system32\dllcache\sbp2port.sys
2007-11-19 21:59 . 2007-11-19 21:59 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Microsoft Games
2007-11-19 21:34 . 2007-11-19 21:34 <DIR> d-------- C:\Program Files\DIFX
2007-11-19 21:34 . 2006-07-01 22:39 36,864 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2007-11-17 13:27 . 2007-11-17 13:27 <DIR> d-------- C:\Program Files\Ventrilo
2007-11-10 20:37 . 2007-11-10 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2007-11-10 17:20 . 2007-11-10 17:20 278,984 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2007-11-10 17:20 . 2007-11-10 17:20 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2007-11-10 17:19 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-11-10 17:19 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-11-10 16:30 . 2007-11-10 16:31 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\DAEMON Tools Pro
2007-11-10 16:27 . 2007-11-10 20:33 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2007-11-08 23:57 . 2007-11-08 23:59 <DIR> d-------- C:\WINDOWS\NV30562732.TMP
2007-11-06 07:06 . 2007-11-10 16:48 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-10-29 07:36 . 2007-11-02 18:14 38 --a------ C:\WINDOWS\AviSplitter.INI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 05:42 --------- d-----w C:\Program Files\FlashGet
2007-11-29 04:04 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Azureus
2007-11-28 14:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-24 16:51 --------- d-----w C:\Documents and Settings\Ryan\Application Data\InstallShield Installation Information
2007-11-21 13:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-10 21:22 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-06 12:25 --------- d-----w C:\Program Files\Java
2007-10-28 21:52 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-10-28 21:52 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-10-28 21:52 8,531,968 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-10-28 21:52 757,760 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-10-28 21:52 7,424,992 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-10-28 21:52 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-10-28 21:52 6,541,312 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-10-28 21:52 5,768,320 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-10-28 21:52 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-10-28 21:52 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-10-28 21:52 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-10-28 21:52 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-10-28 21:52 380,928 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-10-28 21:52 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-10-28 21:52 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-10-28 21:52 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-10-28 21:52 3,698,688 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-10-28 21:52 3,407,872 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-10-28 21:52 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-10-28 21:52 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-10-28 21:52 2,486,272 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-10-28 21:52 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-10-28 21:52 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-10-28 21:52 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-10-28 21:52 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-10-28 21:52 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-10-28 21:52 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-10-28 21:52 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-10-28 21:52 1,212,416 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-10-28 21:52 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-10-25 00:39 4 --shatr C:\Documents and Settings\All Users\Application Data\sysqcl1129139270.dat
2007-10-25 00:38 --------- d-----w C:\Program Files\plasq
2007-10-22 11:45 --------- d-----w C:\Documents and Settings\Ryan\Application Data\CyberLink
2007-10-22 11:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-10-22 11:42 --------- d-----w C:\Program Files\CyberLink
2007-10-20 17:26 --------- d-----w C:\Program Files\XP Codec Pack
2007-10-20 16:36 --------- d-----w C:\Program Files\Fusion Media Player
2007-10-20 16:15 --------- d-----w C:\Program Files\ratDVD
2007-10-13 04:19 13,653,824 ----a-w C:\WINDOWS\system32\xlivefnt.dll
2007-10-13 04:19 10,155,840 ----a-w C:\WINDOWS\system32\xlive.dll
2007-10-12 05:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-12 05:18 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-10-12 05:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-10-04 03:21 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Skype
2007-09-30 17:37 --------- d-----w C:\Program Files\QuickTime Alternative
2007-09-30 17:37 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Apple Computer
2007-09-30 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-30 17:36 --------- d-----w C:\Program Files\QuickTime
2007-09-30 17:32 --------- d-----w C:\Program Files\Haali
2007-09-30 15:11 --------- d-----w C:\Program Files\ViVi MP4 Converter 2.1
2007-09-30 15:08 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Bioshock
2007-09-29 16:43 --------- d-----w C:\Program Files\TVersity
2007-09-20 11:53 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-09-20 11:53 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-09-18 00:08 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-13 14:45 70,944 ----a-w C:\WINDOWS\system32\PhysXLoader.dll
2007-09-03 12:35 966,656 ----a-w C:\WINDOWS\system32\VSFilter.dll
2007-07-19 12:21 7,085,333 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-05-23 23:46 45,648 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_05_23_19_42_12_small.dmp.zip
2007-05-23 23:46 121,386 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_05_23_13_47_28_small.dmp.zip
2007-05-23 23:46 104,790 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_05_23_19_42_49_small.dmp.zip
2007-04-20 00:11 45,479 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_04_18_07_56_15_small.dmp.zip
2007-04-20 00:11 117,306 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_04_18_00_23_51_small.dmp.zip
2005-12-14 02:29 46,191 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_12_13_21_22_31_small.dmp.zip
2005-12-03 01:24 54,608 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_11_30_23_24_45_small.dmp.zip
2005-12-03 01:24 50,037 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_11_30_23_20_13_small.dmp.zip
2004-09-28 01:00 26,240 ----a-w C:\WINDOWS\inf\RAMDSK.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D030D021-9183-4732-833A-AFBC9D51CD98}]
C:\WINDOWS\werbetlvm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9C2D86AA-4067-4270-8D51-E6DC5E805D62}"= C:\WINDOWS\hdtip.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{9c2d86aa-4067-4270-8d51-e6dc5e805d62}]
[HKEY_CLASSES_ROOT\hdtip.ToolBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{13F3C16A-B40A-4E77-AAA3-EA79ABB50FE6}]
[HKEY_CLASSES_ROOT\hdtip.ToolBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeMem Pro"="C:\PROGRA~1\FREEME~2\fmempro.exe" [2002-12-19 16:44]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"VirtualDrive-Y:"="subst.exe" [2004-08-04 07:00 C:\WINDOWS\system32\subst.exe]
"VirtualDrive-R:"="subst.exe" [2004-08-04 07:00 C:\WINDOWS\system32\subst.exe]
"Softany Monitor Control"="C:\Program Files\Softany\Monitor Control\MonitorControl.exe" [2007-02-13 22:01]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 11:32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 00:00]
"RCSystem"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 17:25]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 17:25]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 10:34]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"Flashget"="C:\Program Files\FlashGet\flashget.exe" [2007-09-25 04:29]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AVerTV Timer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AVerTV Timer.lnk
backup=C:\WINDOWS\pss\AVerTV Timer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^JamLab Control Panel Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\JamLab Control Panel Launcher.lnk
backup=C:\WINDOWS\pss\JamLab Control Panel Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniEYE-MiniREAD Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MiniEYE-MiniREAD Launch.lnk
backup=C:\WINDOWS\pss\MiniEYE-MiniREAD Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Vongo Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Vongo Tray.lnk
backup=C:\WINDOWS\pss\Vongo Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGEIA PhysX SysTray]
C:\Program Files\AGEIA Technologies\TrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
2006-06-12 14:32 700416 --------- C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
2007-09-06 08:08 136136 --a------ C:\Program Files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashGet]
C:\Program Files\FlashGet\FlashGet.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -scheduler

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-02-23 14:45 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-02-07 15:21 54832 --a------ C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0870 STISvc]
RunDLL32.exe P0870Pin.dll,RunDLL32EP 513

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 01:11 132496 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkAndWrite]
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 00:00 90112 --------- C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VF0060 STISvc]
RunDLL32.exe V0060Pin.dll,RunDLL32EP 513

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualDesktop]
2004-09-27 20:00 70144 --a------ C:\Program Files\Tweak-XP Pro 4\virtuald.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RpcSvr"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"IDriverT"=3 (0x3)
"iPodService"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"JamLabInstallerService"=2 (0x2)

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\C:\Program Files\CyberLink\PowerDVD\000.fcl
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 MA763013;M-Audio JamLab;C:\WINDOWS\system32\drivers\MA763013.sys
S3 P0870Dev;Creative WebCam Live! Motion;C:\WINDOWS\system32\DRIVERS\P0870Dev.sys
S3 USBW9967;AVerTV USB;C:\WINDOWS\system32\DRIVERS\2kw9967.sys
S3 V0060VID;Creative WebCam Live! Ultra;C:\WINDOWS\system32\DRIVERS\V0060Vid.sys
S3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys
S4 JamLabInstallerService;JamLab Installer;C:\Program Files\M-Audio JamLab\Install\JamLabInst.exe
S4 RpcSvr;Access Remote PC Service;C:\Program Files\Access Remote PC\rpcsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46d4cc01-1d27-11d7-b5fa-806d6172696f}]
\Shell\AutoRun\command - D:\ASUSACPI.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d4926108-5a12-11da-9e61-0013d4d1ae84}]
\Shell\AutoRun\command - I:\Setup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-11-28 13:55:43 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
.
**************************************************************************
catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 01:05:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-29 1 18.
--- E O F ---

5] HijackThis after CleanUp

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:29 AM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ryan\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\dapbho.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: MSVPS System - {D030D021-9183-4732-833A-AFBC9D51CD98} - C:\WINDOWS\werbetlvm.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo!
Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file) O3 - Toolbar: The hdtip - {9C2D86AA-4067-4270-8D51-E6DC5E805D62} - C:\WINDOWS\hdtip.dll (file missing) O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll" O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRA~1\FREEME~2\fmempro.exe" autostart O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [VirtualDrive-Y:] subst.exe Y: C:\MEDIAF~1 O4 - HKCU\..\Run: [VirtualDrive-R:] subst.exe R: C:\ISO-BI~1 O4 - HKCU\..\Run: [Softany Monitor Control] C:\Program Files\Softany\Monitor Control\MonitorControl.exe O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Download Link Using Mega Manager... 
- C:\Program Files\Megaupload\Mega Manager\mm_file.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ryan\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: 
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1041415540437 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 8312 bytes My Computer is working great... well, no troubles so far. But on post 9 on the link given, TheBruce1 had extra instructions. I'm not sure if its applicable to me or if I should do it to. Do i need to do anything to get some of my settings back? My internet feels slow, is this normal? Thanks a bunch! |
#2 (permalink)
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,646
OS: xp
Re: Malaware~Browser HiJack
Good job so far
Delete FixWareout and SmitfraudFix and their folders: c:\fixwareout and c:\program files\smitfraudfix

Think Prevention: Put in place a good hosts file: http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file: http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.

Launch Notepad (important: not WordPad or another third-party text editor), and copy and paste the contents of the code box below into a new text file. (Don't include the word "Code".) Save it as file name: cfscript.txt
Code:
file::
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D030D021-9183-4732-833A-AFBC9D51CD98}]
[-HKEY_CLASSES_ROOT\clsid\{9c2d86aa-4067-4270-8d51-e6dc5e805d62}]
[-HKEY_CLASSES_ROOT\hdtip.ToolBar.1]
[-HKEY_CLASSES_ROOT\TypeLib\{13F3C16A-B40A-4E77-AAA3-EA79ABB50FE6}]
[-HKEY_CLASSES_ROOT\hdtip.ToolBar]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9C2D86AA-4067-4270-8D51-E6DC5E805D62}"=-
As in the picture above, drag and drop cfscript.txt onto combofix.exe. When it is finished a text file will open; post it.
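The same triage the reply performs by hand (spot O1 hosts redirects and O2/O3 entries whose DLL is gone, then write the matching registry:: lines) as an added Python example; it is not code from this thread nor from HijackThis or ComboFix. The sample lines are constructed after the log above (the O1 address is a documentation IP), and the BHO key is written out in full rather than with the post's `~` shorthand.

```python
import re

# Constructed sample in the shape of the HijackThis entries posted above (O1 line made up, documentation IP).
SAMPLE_LOG = r"""
O1 - Hosts: 203.0.113.5 auto.search.msn.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: MSVPS System - {D030D021-9183-4732-833A-AFBC9D51CD98} - C:\WINDOWS\werbetlvm.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: The hdtip - {9C2D86AA-4067-4270-8D51-E6DC5E805D62} - C:\WINDOWS\hdtip.dll (file missing)
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
COM_RE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}          # the only sane hosts-file targets
ORPHAN_MARKERS = ("(file missing)", "(no file)")    # HijackThis' own wording for dangling entries
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
TOOLBAR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar"

def triage(log_text):
    """Return (section, clsid-or-host, reason) for each entry worth a second look:
    O1 lines that point a host anywhere but loopback, and O2/O3 lines whose DLL is gone."""
    findings = []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOOPBACK:
                findings.append(("O1", host, f"hosts entry redirects {host} to {ip}"))
            continue
        m = COM_RE.match(line)
        if m and m.group(4).endswith(ORPHAN_MARKERS):
            section, name, clsid, path = m.groups()
            findings.append((section, clsid.upper(), f"{name}: {path}"))
    return findings

def cfscript(findings):
    """Build the registry:: section of a CFScript for the flagged O2/O3 entries,
    using the same forms as the post: delete the BHO key, blank the toolbar value."""
    bhos = [c for s, c, _ in findings if s == "O2"]
    bars = [c for s, c, _ in findings if s == "O3"]
    lines = ["registry::"] + [f"[-{BHO_KEY}\\{c}]" for c in bhos]
    if bars:
        lines.append(f"[{TOOLBAR_KEY}]")
        lines += [f'"{c}"=-' for c in bars]
    return "\n".join(lines)

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    print(hits)
    print(cfscript(hits))
```

Hosts redirects are reported but not scripted, since the fix for those is the replacement hosts file the reply links rather than a registry edit.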