Old 11-04-2009, 11:33 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 12
OS: Windows XP SP2


Task Manager and Regedit disabled


I believe it was a virus that is doing all this, because my PC was all fine back then till I downloaded a patch for an online game.

IMPORTANT INFO:
1. Windows XP Service Pack 2
2. Task Manager and Regedit disabled
3. I can't access any official antivirus website (except for websites like download.com)
4. Task Manager and Regedit were not manually disabled


OK, this is what happened...

I started to realise that my PC was infected when I tried to end a task using Task Manager and got this error stating that "Task Manager has been disabled by your administrator". First I thought it was just a technical error, so I started going through some guides to enable my Task Manager as it was. Then I found this guide saying that by running Regedit I could enable my Task Manager back as it was, but then I also realised that my Regedit was also disabled. Since this computer belongs to me and no one else is touching it, because I'm a single guy who lives alone, I guess it should be a virus.

I'm quite lost... I don't know what to do, even though I went through the tutorials. Sorry, I'm a newbie xD

DDS seems not to be responding, and the only thing I got was the logs.
I think this should be it:

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-05 14:26:20
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\kxtdapob.sys


---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] afxrd <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] auyowstn <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] btpdef <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] cbdnb <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] cbdpaogtp <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ccuegjsj <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] cdcyv <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] cgbetfmho <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] cxhxfsozs <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] czkjb <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] kldsh <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] pjcjmsp <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] qdopxlv <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] rfmpnt <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] rkfbveljt <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] rwlubo <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] sbyaz <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] wqwjitg <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\afxrd@DisplayName Microsoft Helper
Reg HKLM\SYSTEM\CurrentControlSet\Services\afxrd@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\afxrd@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\afxrd@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\afxrd@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\afxrd@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\afxrd@Description Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
Reg HKLM\SYSTEM\CurrentControlSet\Services\afxrd\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\afxrd\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\auyowstn@DisplayName Boot Image
Reg HKLM\SYSTEM\CurrentControlSet\Services\auyowstn@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\auyowstn@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\auyowstn@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\auyowstn@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\auyowstn@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\auyowstn@Description Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\auyowstn\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\auyowstn\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\btpdef@DisplayName Helper Installer
Reg HKLM\SYSTEM\CurrentControlSet\Services\btpdef@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\btpdef@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\btpdef@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\btpdef@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\btpdef@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\btpdef@Description Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
Reg HKLM\SYSTEM\CurrentControlSet\Services\btpdef\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\btpdef\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\cbdnb@DisplayName Shell Time
Reg HKLM\SYSTEM\CurrentControlSet\Services\cbdnb@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\cbdnb@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\cbdnb@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\cbdnb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\cbdnb@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\cbdnb@Description Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\cbdnb\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\cbdnb\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\cbdpaogtp@DisplayName Manager Boot
Reg HKLM\SYSTEM\CurrentControlSet\Services\cbdpaogtp@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\cbdpaogtp@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\cbdpaogtp@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\cbdpaogtp@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\cbdpaogtp@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\cbdpaogtp@Description Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\cbdpaogtp\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\cbdpaogtp\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ccuegjsj@DisplayName Center Shell
Reg HKLM\SYSTEM\CurrentControlSet\Services\ccuegjsj@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\ccuegjsj@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\ccuegjsj@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ccuegjsj@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\ccuegjsj@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\ccuegjsj@Description Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
Reg HKLM\SYSTEM\CurrentControlSet\Services\ccuegjsj\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\ccuegjsj\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\cdcyv@DisplayName Server Helper
Reg HKLM\SYSTEM\CurrentControlSet\Services\cdcyv@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\cdcyv@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\cdcyv@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\cdcyv@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\cdcyv@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\cdcyv@Description IDS watcher service.
Reg HKLM\SYSTEM\CurrentControlSet\Services\cdcyv\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\cdcyv\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\cgbetfmho@DisplayName Config Image
Reg HKLM\SYSTEM\CurrentControlSet\Services\cgbetfmho@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\cgbetfmho@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\cgbetfmho@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\cgbetfmho@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\cgbetfmho@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\cgbetfmho@Description Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
Reg HKLM\SYSTEM\CurrentControlSet\Services\cgbetfmho\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\cgbetfmho\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\cxhxfsozs@DisplayName Server Driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\cxhxfsozs@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\cxhxfsozs@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\cxhxfsozs@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\cxhxfsozs@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\cxhxfsozs@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\cxhxfsozs@Description Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
Reg HKLM\SYSTEM\CurrentControlSet\Services\cxhxfsozs\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\cxhxfsozs\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\czkjb@DisplayName Driver Universal
Reg HKLM\SYSTEM\CurrentControlSet\Services\czkjb@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\czkjb@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\czkjb@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\czkjb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\czkjb@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\czkjb@Description Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\czkjb\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\czkjb\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kldsh@DisplayName Image Config
Reg HKLM\SYSTEM\CurrentControlSet\Services\kldsh@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\kldsh@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\kldsh@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kldsh@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\kldsh@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\kldsh@Description Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
Reg HKLM\SYSTEM\CurrentControlSet\Services\kldsh\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\kldsh\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\pjcjmsp@DisplayName Monitor Boot
Reg HKLM\SYSTEM\CurrentControlSet\Services\pjcjmsp@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\pjcjmsp@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\pjcjmsp@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\pjcjmsp@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\pjcjmsp@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\pjcjmsp@Description Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\pjcjmsp\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\pjcjmsp\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\qdopxlv@DisplayName System Image
Reg HKLM\SYSTEM\CurrentControlSet\Services\qdopxlv@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\qdopxlv@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\qdopxlv@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\qdopxlv@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\qdopxlv@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\qdopxlv@Description Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\qdopxlv\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\qdopxlv\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rfmpnt@DisplayName Boot Support
Reg HKLM\SYSTEM\CurrentControlSet\Services\rfmpnt@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\rfmpnt@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\rfmpnt@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\rfmpnt@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\rfmpnt@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\rfmpnt@Description Provides Identity Protection Against Cyber Crime.
Reg HKLM\SYSTEM\CurrentControlSet\Services\rfmpnt\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\rfmpnt\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rkfbveljt@DisplayName Security Update
Reg HKLM\SYSTEM\CurrentControlSet\Services\rkfbveljt@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\rkfbveljt@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\rkfbveljt@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\rkfbveljt@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\rkfbveljt@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\rkfbveljt@Description Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\rkfbveljt\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\rkfbveljt\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rwlubo@DisplayName Microsoft Network
Reg HKLM\SYSTEM\CurrentControlSet\Services\rwlubo@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\rwlubo@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\rwlubo@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\rwlubo@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\rwlubo@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\rwlubo@Description IDS watcher service.
Reg HKLM\SYSTEM\CurrentControlSet\Services\rwlubo\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\rwlubo\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sbyaz@DisplayName Time Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\sbyaz@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\sbyaz@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sbyaz@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sbyaz@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\sbyaz@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\sbyaz@Description Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
Reg HKLM\SYSTEM\CurrentControlSet\Services\sbyaz\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\sbyaz\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\wqwjitg@DisplayName Update System
Reg HKLM\SYSTEM\CurrentControlSet\Services\wqwjitg@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\wqwjitg@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\wqwjitg@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\wqwjitg@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\wqwjitg@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\wqwjitg@Description Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
Reg HKLM\SYSTEM\CurrentControlSet\Services\wqwjitg\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\wqwjitg\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\afxrd@DisplayName Microsoft Helper
Reg HKLM\SYSTEM\ControlSet002\Services\afxrd@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\afxrd@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\afxrd@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\afxrd@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\afxrd@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\afxrd@Description Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
Reg HKLM\SYSTEM\ControlSet002\Services\afxrd\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\afxrd\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\auyowstn@DisplayName Boot Image
Reg HKLM\SYSTEM\ControlSet002\Services\auyowstn@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\auyowstn@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\auyowstn@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\auyowstn@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\auyowstn@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\auyowstn@Description Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\auyowstn\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\auyowstn\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\btpdef@DisplayName Helper Installer
Reg HKLM\SYSTEM\ControlSet002\Services\btpdef@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\btpdef@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\btpdef@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\btpdef@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\btpdef@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\btpdef@Description Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
Reg HKLM\SYSTEM\ControlSet002\Services\btpdef\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\btpdef\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\cbdnb@DisplayName Shell Time
Reg HKLM\SYSTEM\ControlSet002\Services\cbdnb@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\cbdnb@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\cbdnb@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\cbdnb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\cbdnb@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\cbdnb@Description Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\cbdnb\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\cbdnb\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\cbdpaogtp@DisplayName Manager Boot
Reg HKLM\SYSTEM\ControlSet002\Services\cbdpaogtp@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\cbdpaogtp@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\cbdpaogtp@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\cbdpaogtp@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\cbdpaogtp@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\cbdpaogtp@Description Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\cbdpaogtp\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\cbdpaogtp\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\ccuegjsj@DisplayName Center Shell
Reg HKLM\SYSTEM\ControlSet002\Services\ccuegjsj@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\ccuegjsj@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\ccuegjsj@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\ccuegjsj@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\ccuegjsj@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\ccuegjsj@Description Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
Reg HKLM\SYSTEM\ControlSet002\Services\ccuegjsj\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\ccuegjsj\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\cdcyv@DisplayName Server Helper
Reg HKLM\SYSTEM\ControlSet002\Services\cdcyv@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\cdcyv@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\cdcyv@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\cdcyv@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\cdcyv@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\cdcyv@Description IDS watcher service.
Reg HKLM\SYSTEM\ControlSet002\Services\cdcyv\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\cdcyv\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\cgbetfmho@DisplayName Config Image
Reg HKLM\SYSTEM\ControlSet002\Services\cgbetfmho@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\cgbetfmho@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\cgbetfmho@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\cgbetfmho@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\cgbetfmho@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\cgbetfmho@Description Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
Reg HKLM\SYSTEM\ControlSet002\Services\cgbetfmho\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\cgbetfmho\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\cxhxfsozs@DisplayName Server Driver
Reg HKLM\SYSTEM\ControlSet002\Services\cxhxfsozs@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\cxhxfsozs@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\cxhxfsozs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\cxhxfsozs@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\cxhxfsozs@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\cxhxfsozs@Description Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
Reg HKLM\SYSTEM\ControlSet002\Services\cxhxfsozs\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\cxhxfsozs\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\czkjb@DisplayName Driver Universal
Reg HKLM\SYSTEM\ControlSet002\Services\czkjb@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\czkjb@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\czkjb@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\czkjb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\czkjb@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\czkjb@Description Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\czkjb\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\czkjb\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kldsh@DisplayName Image Config
Reg HKLM\SYSTEM\ControlSet002\Services\kldsh@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\kldsh@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\kldsh@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\kldsh@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\kldsh@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\kldsh@Description Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
Reg HKLM\SYSTEM\ControlSet002\Services\kldsh\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kldsh\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\pjcjmsp@DisplayName Monitor Boot
Reg HKLM\SYSTEM\ControlSet002\Services\pjcjmsp@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\pjcjmsp@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\pjcjmsp@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\pjcjmsp@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\pjcjmsp@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\pjcjmsp@Description Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\pjcjmsp\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\pjcjmsp\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\qdopxlv@DisplayName System Image
Reg HKLM\SYSTEM\ControlSet002\Services\qdopxlv@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\qdopxlv@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\qdopxlv@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\qdopxlv@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\qdopxlv@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\qdopxlv@Description Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\qdopxlv\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\qdopxlv\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\rfmpnt@DisplayName Boot Support
Reg HKLM\SYSTEM\ControlSet002\Services\rfmpnt@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\rfmpnt@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\rfmpnt@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\rfmpnt@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\rfmpnt@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\rfmpnt@Description Provides Identity Protection Against Cyber Crime.
Reg HKLM\SYSTEM\ControlSet002\Services\rfmpnt\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rfmpnt\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\rkfbveljt@DisplayName Security Update
Reg HKLM\SYSTEM\ControlSet002\Services\rkfbveljt@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\rkfbveljt@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\rkfbveljt@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\rkfbveljt@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\rkfbveljt@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\rkfbveljt@Description Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\rkfbveljt\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rkfbveljt\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\rwlubo@DisplayName Microsoft Network
Reg HKLM\SYSTEM\ControlSet002\Services\rwlubo@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\rwlubo@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\rwlubo@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\rwlubo@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\rwlubo@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\rwlubo@Description IDS watcher service.
Reg HKLM\SYSTEM\ControlSet002\Services\rwlubo\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rwlubo\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sbyaz@DisplayName Time Security
Reg HKLM\SYSTEM\ControlSet002\Services\sbyaz@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\sbyaz@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\sbyaz@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\sbyaz@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\sbyaz@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\sbyaz@Description Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
Reg HKLM\SYSTEM\ControlSet002\Services\sbyaz\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sbyaz\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\wqwjitg@DisplayName Update System
Reg HKLM\SYSTEM\ControlSet002\Services\wqwjitg@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\wqwjitg@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\wqwjitg@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\wqwjitg@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\wqwjitg@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\wqwjitg@Description Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
Reg HKLM\SYSTEM\ControlSet002\Services\wqwjitg\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\wqwjitg\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll

---- EOF - GMER 1.0.15 ----
Attached Files
File Type: zip ark.txt.zip (3.4 KB, 2 views)
Old 11-06-2009, 07:06 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,715
OS: 2000 Pro; XP Pro; XP Home


Re: Task Manager and Regedit disabled

Hello -

Let's see if we can get some logs from this tool.
  • Download RSIT by random/random and save it to your desktop.
  • Double click RSIT.exe to start the tool and click Continue at the disclaimer.
  • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of log.txt here.
  • Please attach info.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
     C:\rsit\info.txt
  3. Click Upload.



---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 11-07-2009, 02:47 AM   #3 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 12
OS: window xp sp2


Re: Task Manager and Regedit disabled

I'm sorry to say that I can't visit any website related to antivirus :( I think the virus in my PC stops me from doing that... I can visit any website, but not antivirus websites.
Old 11-07-2009, 08:39 AM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,715
OS: 2000 Pro; XP Pro; XP Home


Re: Task Manager and Regedit disabled

That's not an AntiVirus website. It's a forum, like this one. What happens when you try to visit that link?

Try using the attached file. Download it, unzip it, run it according to the same instructions.
Attached Files
File Type: zip RSIT.zip (304.7 KB, 3 views)
Old 11-07-2009, 09:01 PM   #5 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 12
OS: window xp sp2


Re: Task Manager and Regedit disabled

I can't visit that site either :( stupid virus... thanks for uploading that.
Old 11-07-2009, 09:05 PM   #6 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 12
OS: window xp sp2


Re: Task Manager and Regedit disabled

Well, it's weird: the file is 304.7 KB, but after I download it, it is only 26.70 KB, and when I open it, it says "C:\downloads\59796d1257608331-task-manager-regedit-disabled-rsit.zip The archive is either in unknown format or damaged".

sob T_T
Old 11-07-2009, 09:07 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,715
OS: 2000 Pro; XP Pro; XP Home


Re: Task Manager and Regedit disabled

See if this tool runs.

Download OTL to your desktop.

Double click the icon to start the tool.
  • Click Run Scan and let the program run uninterrupted.
  • When the scan is complete, two text files will be created on the Desktop: OTL.Txt (this one will be opened in Notepad) and Extras.txt.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of OTViewIt.Txt and Extras.txt in your next reply.
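A small triage helper for the OTL report requested in this post and for the GMER service dump posted earlier in the thread, added here as an example; it is not part of the thread and not code from OTL or GMER. It assumes the line shapes seen in those two logs, the lockout-policy names and the "shared ServiceDll" heuristic are my own choices, and the sample lines are constructed from the thread's entries plus one constructed helpsvc control entry (a legitimate XP svchost service, visible as a SRV line in the OTL report).

```python
import re
from collections import defaultdict
from datetime import datetime

# Policy values that, when set to 1, produce the "disabled by your
# administrator" messages the original poster describes.
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "DisableCMD"}

# Constructed sample in the shapes of the GMER registry dump and the OTL
# report posted in this thread. The helpsvc lines are a constructed control
# entry for a legitimate XP svchost service; the rest mirror posted entries.
SAMPLE_LOG = r"""
Reg HKLM\SYSTEM\ControlSet002\Services\rkfbveljt@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\rkfbveljt\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\rwlubo@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\rwlubo\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sbyaz@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\sbyaz\Parameters@ServiceDll C:\WINDOWS\system32\rykbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\helpsvc@ImagePath %SystemRoot%\System32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\helpsvc\Parameters@ServiceDll C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll
PRC - [2009/11/10 15:44:55 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\sgctxb.exe
PRC - [2009/11/10 15:09:01 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winkkoyys.exe
PRC - [2009/11/10 14:33:17 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winacui.exe
PRC - [2009/11/07 13:58:28 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCMD = 0
"""

# O6 (HKLM) / O7 (HKCU) policy lines: "O7 - HKCU\...\policies\System: Name = Value"
POLICY_RE = re.compile(r"^O[67] - (HK\w+)\\.*\\policies\\System: (\w+) = (\S*)")
# OTL process lines: "PRC - [date time | size | attrs | M] (Company) -- path"
PRC_RE = re.compile(
    r"^PRC - \[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| [^\]]*\] \(([^)]*)\) -- (.+)$")
# GMER registry lines: "Reg HKLM\SYSTEM\ControlSetNNN\Services\svc[\Parameters]@Value data"
REG_RE = re.compile(
    r"^Reg HK\w+\\SYSTEM\\ControlSet\d+\\Services\\([^\\@]+)(\\Parameters)?@(\w+)\s+(.*)$")

def lockout_policies(lines):
    """(hive, value name) for lockout policies that are set to 1."""
    hits = []
    for line in lines:
        m = POLICY_RE.match(line)
        if m and m.group(2) in LOCKOUT_POLICIES and m.group(3) == "1":
            hits.append((m.group(1), m.group(2)))
    return hits

def temp_unsigned_processes(lines):
    """(timestamp, path) of running executables with an empty company
    field that live under a Temp directory."""
    hits = []
    for line in lines:
        m = PRC_RE.match(line)
        if m:
            stamp, company, path = m.groups()
            if company == "" and "\\temp\\" in path.lower():
                hits.append((stamp, path))
    return hits

def respawn_interval_minutes(hits):
    """Median gap in minutes between consecutive Temp-process timestamps;
    a steady gap suggests a loader dropping a fresh copy on a timer."""
    stamps = sorted(datetime.strptime(s, "%Y/%m/%d %H:%M:%S") for s, _ in hits)
    gaps = sorted((b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:]))
    return gaps[len(gaps) // 2] if gaps else None

def shared_service_dlls(lines, min_services=2):
    """ServiceDll -> service names, for DLLs that back more than one
    svchost-hosted service. XP ships a few legitimately shared DLLs, so
    treat this as a review list; several random service names pointing
    at one DLL, as in this thread, is the pattern to look for."""
    image, dll = {}, {}
    for line in lines:
        m = REG_RE.match(line)
        if not m:
            continue
        svc, params, value, data = m.groups()
        if value == "ImagePath" and not params:
            image[svc] = data.lower()
        elif value == "ServiceDll" and params:
            dll[svc] = data.lower()
    by_dll = defaultdict(list)
    for svc, path in dll.items():
        if "svchost.exe" in image.get(svc, ""):
            by_dll[path].append(svc)
    return {p: sorted(s) for p, s in by_dll.items() if len(s) >= min_services}

def triage(text):
    """Run all checks over a pasted log and return the findings."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    temps = temp_unsigned_processes(lines)
    return {
        "lockouts": lockout_policies(lines),
        "temp_processes": temps,
        "respawn_minutes": respawn_interval_minutes(temps),
        "shared_dlls": shared_service_dlls(lines),
    }

if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the sample it reports the two HKCU lockout values, three unsigned Temp executables about 36 minutes apart, and rykbg.dll backing three differently named netsvcs services while pchsvc.dll backs only helpsvc.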
Old 11-07-2009, 09:09 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,715
OS: 2000 Pro; XP Pro; XP Home


Re: Task Manager and Regedit disabled

Question....

Do you have access to another machine, and a USB flash drive?
Old 11-08-2009, 06:08 AM   #9 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 12
OS: window xp sp2


Re: Task Manager and Regedit disabled

Nope, I don't think so.
Old 11-08-2009, 06:15 AM   #10 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 12
OS: window xp sp2


Re: Task Manager and Regedit disabled

Do you have any unofficial website for me to download an antivirus program from? Cause I think my main problem is a virus :(
Old 11-08-2009, 08:46 AM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,715
OS: 2000 Pro; XP Pro; XP Home


Re: Task Manager and Regedit disabled

Well, no...you'll have to find a way to access these tools and get them to your machine, or reinstall your operating system. Is this a legal version of Windows?

Did you try OTL (post #7)? What happens when you try?
Old 11-10-2009, 12:50 AM   #12 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 12
OS: window xp sp2


Re: Task Manager and Regedit disabled

There it is :)


OTL logfile created on: 11/10/2009 3:48:02 PM - Run 1
OTL by OldTimer - Version 3.1.4.0 Folder = C:\Downloads
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.48 Mb Total Physical Memory | 152.42 Mb Available Physical Memory | 29.80% Memory free
1.22 Gb Paging File | 0.84 Gb Available in Paging File | 69.24% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 16.40 Gb Free Space | 55.97% Space Free | Partition Type: NTFS
Drive D: | 47.03 Gb Total Space | 24.73 Gb Free Space | 52.59% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DEADSY
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/11/10 15:47:01 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Downloads\OTL.exe
PRC - [2009/11/10 15:44:55 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\sgctxb.exe
PRC - [2009/11/10 15:09:01 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winkkoyys.exe
PRC - [2009/11/10 14:33:17 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winacui.exe
PRC - [2009/11/10 13:57:24 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winysfbd.exe
PRC - [2009/11/10 13:21:38 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winxtvvjp.exe
PRC - [2009/11/10 12:45:54 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\qbax.exe
PRC - [2009/11/10 12:10:08 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winhjqqe.exe
PRC - [2009/11/10 11:34:26 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\sxbkbj.exe
PRC - [2009/11/10 10:58:46 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winyeqx.exe
PRC - [2009/11/10 10:23:03 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winktuigx.exe
PRC - [2009/11/10 09:47:25 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winaeblni.exe
PRC - [2009/11/10 09:11:46 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\fxfhy.exe
PRC - [2009/11/10 08:36:07 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winirabw.exe
PRC - [2009/11/10 08:00:28 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winkstnj.exe
PRC - [2009/11/10 07:24:50 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winwmecrp.exe
PRC - [2009/11/10 06:49:11 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winuhlrba.exe
PRC - [2009/11/10 06:13:29 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\rsnsb.exe
PRC - [2009/11/10 05:37:50 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winxxvob.exe
PRC - [2009/11/10 05:02:11 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\dtexf.exe
PRC - [2009/11/10 04:26:33 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winexwyv.exe
PRC - [2009/11/10 03:50:53 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\qsavo.exe
PRC - [2009/11/10 03:15:11 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\pxby.exe
PRC - [2009/11/10 02:39:26 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\bdjswl.exe
PRC - [2009/11/10 02:03:42 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\byeea.exe
PRC - [2009/11/10 01:27:51 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winnqyjsc.exe
PRC - [2009/11/10 01:27:47 | 00,007,680 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\nyeo.exe
PRC - [2009/11/10 01:27:22 | 00,011,264 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\snch.exe
PRC - [2009/11/10 00:23:26 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\xhtar.exe
PRC - [2009/11/09 23:47:45 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winsofdi.exe
PRC - [2009/11/09 23:12:03 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winybhb.exe
PRC - [2009/11/09 22:35:50 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Temp\winyjkd.exe
PRC - [2009/11/07 13:58:28 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/07/31 17:05:32 | 02,674,488 | ---- | M] (www.BitComet.com) -- C:\Program Files\others\BitComet\BitComet.exe
PRC - [2006/11/01 00:04:02 | 00,321,088 | ---- | M] (Pure Networks, Inc.) -- C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
PRC - [2006/10/22 05:30:20 | 04,493,312 | ---- | M] () -- C:\AppServ\MySQL\bin\mysqld-nt.exe
PRC - [2004/08/04 20:00:00 | 01,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/08/04 20:00:00 | 00,055,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\freecell.exe


========== Modules (SafeList) ==========

MOD - [2009/11/10 15:47:01 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Downloads\OTL.exe
MOD - [2004/08/04 20:00:00 | 01,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/08/04 20:00:00 | 00,185,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/10/18 22:17:58 | 00,202,736 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1ca4ffde44f4418)
SRV - [2009/09/04 01:51:00 | 03,347,280 | ---- | M] (INCA Internet Co., Ltd.) -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)
SRV - [2009/07/21 23:42:04 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2009/07/21 10:40:00 | 00,593,920 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2006/11/01 00:04:02 | 00,321,088 | ---- | M] (Pure Networks, Inc.) -- C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe -- (nmservice)
SRV - [2006/10/22 05:30:20 | 04,493,312 | ---- | M] () -- C:\AppServ\MySQL\bin\mysqld-nt.exe -- (mysql)
SRV - [2006/10/14 19:21:04 | 00,090,624 | ---- | M] (Pure Networks, Inc.) -- C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe -- (nmraapache)
SRV - [2004/08/04 20:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)


========== Driver Services (SafeList) ==========

DRV - File not found -- -- (abp470n5)
DRV - [2009/07/22 00:30:48 | 03,565,056 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/10/17 16:50:00 | 00,131,072 | ---- | M] (AhnLab, Inc.) -- C:\WINDOWS\system32\drivers\Mkd2kfNT.sys -- (Mkd2kfNt)
DRV - [2008/10/17 16:50:00 | 00,079,104 | ---- | M] (AhnLab, Inc.) -- C:\WINDOWS\system32\drivers\Mkd2Nadr.sys -- (Mkd2Nadr)
DRV - [2008/05/19 17:36:28 | 00,023,217 | ---- | M] (INCA Internet Co., Ltd.) -- C:\Documents and Settings\user\Desktop\New Folder\Mongolian ms\npkcrypt.sys -- (npkcrypt)
DRV - [2007/03/08 14:34:46 | 04,027,840 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM)
DRV - [2006/11/09 01:38:32 | 00,026,944 | ---- | M] (Pure Networks, Inc.) -- C:\WINDOWS\system32\drivers\purendis.sys -- (purendis)
DRV - [2006/11/09 01:38:12 | 00,025,792 | ---- | M] (Pure Networks, Inc.) -- C:\WINDOWS\system32\drivers\pnarp.sys -- (pnarp)
DRV - [2004/08/04 20:00:00 | 00,027,440 | ---- | M] () -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2004/08/04 20:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/06/03 10:40:46 | 00,079,360 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2004/05/17 14:00:54 | 00,012,928 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2004/05/17 14:00:52 | 00,033,280 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2003/10/29 13:02:00 | 00,021,120 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nv_agp.sys -- (nv_agp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.bing.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = www.bing.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB}:1.10
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5
FF - prefs.js..keyword.URL: "http://mye.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_mye&p="

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/07 13:58:49 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/07 13:58:49 | 00,000,000 | ---D | M]

[2009/09/12 20:30:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2009/09/12 20:30:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/11/08 19:40:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zur446e0.default\extensions
[2009/09/13 12:53:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zur446e0.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
[2009/09/12 19:20:23 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/07 13:58:49 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/11/07 13:58:21 | 00,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/11/07 13:58:21 | 00,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2009/07/17 16:40:12 | 00,704,512 | ---- | M] (BitComet) -- C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll
[2009/11/07 13:58:38 | 00,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2006/10/07 05:18:48 | 00,144,984 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
[2007/03/06 14:41:00 | 00,131,072 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2007/03/06 14:41:02 | 00,131,072 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2007/03/06 14:41:02 | 00,131,072 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2007/03/06 14:41:04 | 00,131,072 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2007/03/06 14:41:04 | 00,131,072 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2006/10/07 05:01:00 | 00,081,920 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
[2009/11/07 13:58:41 | 00,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/11/07 13:58:41 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/09/12 20:31:01 | 00,001,499 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\avg_igeared.xml
[2009/11/07 13:58:41 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/11/07 13:58:41 | 00,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/11/07 13:58:41 | 00,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/11/07 13:58:42 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/11/07 13:58:42 | 00,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\others\BitComet\tools\BitCometBHO_1.3.7.16.dll (BitComet)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [AVGIDS] C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe File not found
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [nmapp] C:\Program Files\Pure Networks\Network Magic\nmapp.exe (Pure Networks, Inc.)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe File not found
O4 - HKCU..\Run: [AnVir Task Manager Pro] C:\Program Files\AnVir Task Manager Pro\AnVir.exe (AnVir Software)
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRun = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowRun = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCMD = 0
O8 - Extra context menu item: &D&ownload &with BitComet - C:\Program Files\others\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all video with BitComet - C:\Program Files\others\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all with BitComet - C:\Program Files\others\BitComet\BitComet.exe (www.BitComet.com)
O9 - Extra Button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\Program Files\others\BitComet\tools\BitCometBHO_1.3.7.16.dll (BitComet)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp3.dll (Pure Networks, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/09/12 15:35:22 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{247f751a-adc6-11de-a0ef-0011092c7bb0}\Shell - "" = AutoRun
O33 - MountPoints2\{247f751a-adc6-11de-a0ef-0011092c7bb0}\Shell\Auto\command - "" = F:\servver.exe -- File not found
O33 - MountPoints2\{247f751a-adc6-11de-a0ef-0011092c7bb0}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{3208c87c-c6e7-11de-a1ba-0011092c7bb0}\Shell\AuToplAY\comManD - "" = F:\ccgno.cmd -- File not found
O33 - MountPoints2\{3208c87c-c6e7-11de-a1ba-0011092c7bb0}\Shell\AutoRun\command - "" = F:\ccgno.cmd -- File not found
O33 - MountPoints2\{3208c87c-c6e7-11de-a1ba-0011092c7bb0}\Shell\ExploRE\CoMmand - "" = F:\ccgno.cmd -- File not found
O33 - MountPoints2\{3208c87c-c6e7-11de-a1ba-0011092c7bb0}\Shell\opeN\COMmAND - "" = F:\ccgno.cmd -- File not found
O33 - MountPoints2\{4682a8fd-a8ae-11de-a0cd-0011092c7bb0}\Shell\AutoRun\command - "" = G:\qazwsx\zaqxsw.exe -- File not found
O33 - MountPoints2\{4682a8fd-a8ae-11de-a0cd-0011092c7bb0}\Shell\explore\command - "" = G:\qazwsx\zaqxsw.exe -- File not found
O33 - MountPoints2\{4682a8fd-a8ae-11de-a0cd-0011092c7bb0}\Shell\open\command - "" = G:\qazwsx\zaqxsw.exe -- File not found
O33 - MountPoints2\{e6c0ff7c-9f89-11de-a0a1-0011092c7bb0}\Shell - "" = AutoRun
O33 - MountPoints2\{e6c0ff7c-9f89-11de-a0a1-0011092c7bb0}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/05 23:41:17 | 00,000,000 | ---D | C] -- C:\AppServ
[2009/11/05 14:30:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Identities
[2009/11/04 21:41:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\New Folder (2)
[2009/11/03 02:56:21 | 00,000,000 | ---D | C] -- C:\Program Files\AnVir Task Manager Pro
[2009/11/03 02:56:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\AnVir
[2009/11/03 02:55:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Xenocode
[2009/11/03 02:53:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\Downloads
[2009/11/03 02:53:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\GetRightToGo
[2009/11/03 02:50:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\RYL FactorY
[2009/11/03 02:26:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/11/03 02:25:58 | 00,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ztvcabinet.dll
[2009/11/03 02:25:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\My Documents\Simply Super Software
[2009/11/03 02:25:57 | 00,000,000 | ---D | C] -- C:\Program Files\Trojan Remover
[2009/11/03 02:25:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Simply Super Software
[2009/11/03 02:25:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Simply Super Software
[2009/11/02 17:55:35 | 00,348,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\TweakUI.exe
[2009/11/02 17:34:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Temp
[2009/11/02 17:29:37 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2009/11/01 16:58:58 | 00,000,000 | ---D | C] -- C:\Program Files\CIB
[2009/10/31 06:09:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\MSNInstaller
[2009/10/22 16:29:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2009/10/22 14:02:38 | 00,025,792 | ---- | C] (Pure Networks, Inc.) -- C:\WINDOWS\System32\drivers\pnarp.sys
[2009/10/22 14:02:38 | 00,000,000 | ---D | C] -- C:\Program Files\DIFX
[2009/10/22 14:02:34 | 00,026,944 | ---- | C] (Pure Networks, Inc.) -- C:\WINDOWS\System32\drivers\purendis.sys
[2009/10/22 14:02:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2009/10/22 14:02:26 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Pure Networks Shared
[2009/10/22 14:02:23 | 00,000,000 | ---D | C] -- C:\Program Files\Pure Networks
[2009/10/22 14:01:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Pure Networks
[2009/10/18 22:30:05 | 00,000,000 | ---D | C] -- C:\Program Files\Winamp
[2009/10/18 22:30:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Winamp
[2009/10/18 22:17:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Google
[2009/10/18 22:17:58 | 00,000,000 | ---D | C] -- C:\Program Files\Google
[2009/10/18 22:17:57 | 00,000,000 | R--D | C] -- C:\Documents and Settings\user\My Documents\My Videos
[2009/10/18 22:17:57 | 00,000,000 | ---D | C] -- C:\Program Files\DivX
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/11/10 15:48:10 | 02,883,584 | -H-- | M] () -- C:\Documents and Settings\user\NTUSER.DAT
[2009/11/10 15:39:00 | 00,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2009/11/10 00:48:08 | 01,574,706 | -H-- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\IconCache.db
[2009/11/09 17:39:00 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/11/08 13:14:39 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/08 11:59:50 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/08 07:14:28 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\user\ntuser.ini
[2009/11/07 00:28:00 | 00,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/05 23:41:22 | 00,039,901 | ---- | M] () -- C:\WINDOWS\php.ini
[2009/11/04 02:16:21 | 00,027,648 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/03 02:55:19 | 00,034,232 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/11/02 23:05:00 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\user\Desktop\ROU ASIA.lnk
[2009/11/01 18:17:47 | 00,060,416 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\ALCFDRTM.VER
[2009/11/01 17:45:19 | 00,001,189 | ---- | M] () -- C:\WINDOWS\System32\msexcr.ini
[2009/11/01 16:58:30 | 00,000,269 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/10/22 14:02:41 | 00,001,800 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Network Magic.lnk
[2009/10/22 13:45:00 | 00,000,375 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics
[2009/10/18 22:35:48 | 00,000,664 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Winamp.lnk
[2009/10/16 13:22:44 | 00,369,152 | ---- | M] () -- C:\Documents and Settings\user\Desktop\gmer.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/05 12:45:42 | 00,369,152 | ---- | C] () -- C:\Documents and Settings\user\Desktop\gmer.exe
[2009/11/03 02:25:58 | 00,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2009/11/03 02:25:58 | 00,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll
[2009/11/03 02:25:58 | 00,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2009/11/03 02:25:58 | 00,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2009/11/02 23:05:00 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\user\Desktop\ROU ASIA.lnk
[2009/11/02 17:55:35 | 00,160,217 | ---- | C] () -- C:\WINDOWS\System32\PowerToysLicense.rtf
[2009/11/01 17:45:18 | 00,001,189 | ---- | C] () -- C:\WINDOWS\System32\msexcr.ini
[2009/10/22 14:02:41 | 00,001,800 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Network Magic.lnk
[2009/10/19 03:29:37 | 00,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2009/10/19 03:29:37 | 00,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/10/18 22:35:48 | 00,000,664 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Winamp.lnk
[2009/10/04 12:11:11 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2009/09/24 10:10:14 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/09/24 10:10:14 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/09/24 10:10:14 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/09/24 10:10:13 | 00,010,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/09/24 10:10:13 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/09/24 03:54:52 | 00,027,648 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/12 23:23:36 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2009/09/12 16:40:01 | 00,147,456 | R--- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2009/09/12 16:39:55 | 00,000,164 | R--- | C] () -- C:\WINDOWS\avrack.ini
[2009/09/12 15:51:58 | 01,574,706 | -H-- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\IconCache.db
[2009/09/12 15:42:59 | 00,034,232 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/09/12 15:39:59 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\user\Application Data\desktop.ini
[2007/02/20 16:29:50 | 00,039,901 | ---- | C] () -- C:\WINDOWS\php.ini
[2007/02/13 23:27:08 | 01,519,616 | ---- | C] () -- C:\WINDOWS\System32\libmySQL.dll
[2007/02/13 23:27:08 | 00,385,024 | ---- | C] () -- C:\WINDOWS\System32\sablot.dll
[2007/02/13 23:27:08 | 00,057,344 | ---- | C] () -- C:\WINDOWS\System32\mSQL.dll
[2007/02/13 23:27:06 | 00,165,643 | ---- | C] () -- C:\WINDOWS\System32\libmhash.dll
[2007/02/13 23:27:04 | 00,135,168 | ---- | C] () -- C:\WINDOWS\System32\expat.dll
[2004/08/04 20:00:00 | 00,171,376 | RHS- | C] () -- C:\WINDOWS\System32\rykbg.dll
[2004/08/04 20:00:00 | 00,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2004/08/04 20:00:00 | 00,000,477 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 20:00:00 | 00,000,269 | ---- | C] () -- C:\WINDOWS\system.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
< End of report >
Attached Files: Extras.Txt (173.5 KB), OTL.Txt (62.9 KB)
gervhard is offline  
Old 11-10-2009, 08:09 AM   #13 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,715
OS: 2000 Pro; XP Pro; XP Home


Re: Task Manager and Regedit disabled

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there are no open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Note: If there are USB flash drives you've used on this machine recently, please ensure they are inserted, or active, when performing the following steps.

  1. Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware. Please note: If the Recovery Console does NOT get installed, click on NO, do not continue, and let me know.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 11-13-2009, 02:08 AM   #14 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 12
OS: window xp sp2


Re: Task Manager and Regedit disabled

OK, here is the log:

ComboFix 09-11-13.04 - user 11/13/2009 13:04.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.229 [GMT 8:00]
Running from: c:\downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 )))))))))))))))))))))))))))))))
.

2009-11-12 17:30 . 2008-11-08 10:01 2888568 ----a-w- c:\documents and settings\user\Application Data\Simply Super Software\Trojan Remover\riw5DD.exe
2009-11-12 17:16 . 2009-11-12 17:16 -------- d-----w- c:\windows\FULL CLIENT
2009-11-11 20:39 . 2009-11-11 20:43 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\ReaJPEG
2009-11-11 20:38 . 2009-11-11 20:38 -------- d-----w- c:\program files\ReaSoft
2009-11-11 20:38 . 2009-11-11 20:38 -------- d-----w- c:\documents and settings\user\Application Data\ReaSoft
2009-11-11 20:27 . 2009-11-11 20:27 -------- d-----w- c:\program files\IrfanView
2009-11-10 11:30 . 2009-11-13 05:02 -------- d-----w- C:\Downloads
2009-11-10 10:37 . 2009-11-10 10:37 -------- d-----w- c:\program files\AppServ
2009-11-05 15:41 . 2009-11-10 10:37 -------- d-----w- C:\AppServ
2009-11-05 06:30 . 2009-11-05 06:30 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Identities
2009-11-02 18:56 . 2009-11-02 18:56 -------- d-----w- c:\program files\AnVir Task Manager Pro
2009-11-02 18:56 . 2009-11-03 17:29 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\AnVir
2009-11-02 18:55 . 2009-11-02 18:55 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Xenocode
2009-11-02 18:53 . 2009-11-02 18:56 -------- d-----w- c:\documents and settings\user\Application Data\GetRightToGo
2009-11-02 18:26 . 2009-11-12 17:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 18:25 . 2006-06-19 04:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-11-02 18:25 . 2006-05-25 06:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-11-02 18:25 . 2005-08-25 16:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-11-02 18:25 . 2003-02-02 11:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-11-02 18:25 . 2002-03-05 16:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-11-02 18:25 . 2009-11-07 22:50 -------- d-----w- c:\program files\Trojan Remover
2009-11-02 18:25 . 2009-11-02 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-11-02 18:25 . 2009-11-02 18:25 -------- d-----w- c:\documents and settings\user\Application Data\Simply Super Software
2009-11-02 09:55 . 2003-06-25 08:05 348280 ----a-w- c:\windows\system32\TweakUI.exe
2009-11-02 09:34 . 2009-11-02 09:34 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Temp
2009-11-02 09:29 . 2009-11-02 09:36 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-30 22:09 . 2009-10-30 22:09 -------- d-----w- c:\documents and settings\user\Application Data\MSNInstaller
2009-10-22 08:29 . 2009-10-22 08:29 -------- d-----w- c:\windows\system32\LogFiles
2009-10-22 06:02 . 2009-10-22 06:02 -------- d-----w- c:\program files\DIFX
2009-10-22 06:02 . 2006-11-08 17:38 25792 ----a-w- c:\windows\system32\drivers\pnarp.sys
2009-10-22 06:02 . 2009-10-22 06:02 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-22 06:02 . 2006-11-08 17:38 26944 ----a-w- c:\windows\system32\drivers\purendis.sys
2009-10-22 06:02 . 2009-10-22 06:02 -------- d-----w- c:\program files\Common Files\Pure Networks Shared
2009-10-22 06:02 . 2009-10-22 06:02 -------- d-----w- c:\program files\Pure Networks
2009-10-22 06:01 . 2009-10-22 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2009-10-22 05:44 . 2004-08-04 12:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-10-18 14:44 . 2009-10-18 14:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-10-18 14:30 . 2009-11-02 09:28 -------- d-----w- c:\program files\Winamp
2009-10-18 14:30 . 2009-10-18 14:38 -------- d-----w- c:\documents and settings\user\Application Data\Winamp
2009-10-18 14:18 . 2009-10-18 14:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-10-18 14:17 . 2009-10-18 14:18 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Google
2009-10-18 14:17 . 2009-10-18 14:32 -------- d-----w- c:\program files\Google
2009-10-18 14:17 . 2009-11-10 10:24 -------- d-----w- c:\program files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 10:21 . 2009-09-12 08:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-02 18:55 . 2009-09-12 07:42 34232 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-01 23:34 . 2009-09-12 11:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-08 19:16 . 2009-10-08 19:16 -------- d-----w- c:\documents and settings\user\Application Data\Nexon
2009-10-04 17:27 . 2009-10-04 17:27 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-10-04 17:16 . 2009-10-04 17:16 -------- d-----w- c:\program files\directx
2009-10-04 17:05 . 2009-10-04 17:05 -------- d-----w- c:\program files\YouxiLand
2009-10-04 04:11 . 2009-10-04 04:11 -------- d-----w- c:\program files\AviSynth 2.5
2009-10-04 04:10 . 2009-10-04 04:10 -------- d-----w- c:\program files\eRightSoft
2009-09-30 13:41 . 2009-09-30 13:41 -------- d-----w- c:\program files\Common Files\DirectX
2009-09-30 02:21 . 2009-09-13 00:16 1220376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-09-24 02:11 . 2009-09-24 02:11 -------- d-----w- c:\documents and settings\user\Application Data\Media Player Classic
2009-09-24 02:10 . 2009-09-24 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-24 02:10 . 2009-09-24 02:10 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-09-18 04:46 . 2009-09-13 00:17 3579160 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-09-18 04:46 . 2009-09-18 04:46 2092312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-09-13 13:26 . 2009-09-13 13:26 767328 ----a-w- c:\windows\system32\kdfinj.dll
2009-09-13 12:34 . 2009-09-12 07:34 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-09-13 04:53 . 2009-09-13 04:53 1032192 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\zur446e0.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
2009-09-13 00:17 . 2009-09-13 00:17 2063640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-09-13 00:16 . 2009-09-13 00:17 3370264 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-09-12 12:30 . 2009-09-12 12:30 0 ----a-w- c:\windows\nsreg.dat
2009-09-12 11:22 . 2009-09-30 02:22 2405144 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgdiagex.exe
2009-09-12 11:22 . 2009-09-18 04:46 1209112 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-09-12 09:27 . 2009-09-12 09:27 0 ----a-w- c:\windows\ativpsrm.bin
2009-09-12 09:18 . 2009-09-12 08:47 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-12 09:04 . 2009-09-12 09:04 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2009-09-12 07:51 . 2004-08-04 12:00 502272 ----a-w- c:\windows\system32\winlogon.exe
2009-09-12 07:32 . 2009-09-12 07:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2006-05-03 09:06 . 2009-10-04 04:10 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-10-04 04:10 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-10-04 04:10 216064 --sh--r- c:\windows\system32\nbDX.dll
.

------- Sigcheck -------

[-] 2009-09-12 . 6225F14B8CE08CCBA8B25AD27843C674 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1737216]
"AnVir Task Manager Pro"="c:\program files\AnVir Task Manager Pro\AnVir.exe" [2008-11-13 2820832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-21 241664]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2006-10-31 390720]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-11-16 655360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\others\\BitComet\\BitComet.exe"=
"c:\\Program Files\\YouxiLand\\ROW\\Login.exe"=
"c:\\Program Files\\YouxiLand\\ROW\\Login.dat"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Pure Networks\\Network Magic\\nmapp.exe"=
"c:\\WINDOWS\\system32\\freecell.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7404:TCP"= 7404:TCP:BitComet 7404 TCP
"7404:UDP"= 7404:UDP:BitComet 7404 UDP
"6384:TCP"= 6384:TCP:tdibsu
"67:UDP"= 67:UDP:DHCP Discovery Service

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\gkrhmm.sys --> c:\windows\system32\drivers\gkrhmm.sys [?]
S2 gupdate1ca4ffde44f4418;Google Update Service (gupdate1ca4ffde44f4418);c:\program files\Google\Update\GoogleUpdate.exe [10/18/2009 10:18 PM 202736]
S2 zipcsf86;zbeer;\??\c:\docume~1\user\Desktop\NEWFOL~2\bythemrigi.sys --> c:\docume~1\user\Desktop\NEWFOL~2\bythemrigi.sys [?]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [9/13/2009 9:26 PM 131072]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [9/13/2009 9:26 PM 79104]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-18 14:17]

2009-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-18 14:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.atcomet.com/b/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //mailurl:mailto:Royalblood83%22gmail.com@msn.com
IE: &D&ownload &with BitComet - c:\program files\others\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\others\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\others\BitComet\BitComet.exe/AddAllLink.htm
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\zur446e0.default\
FF - prefs.js: keyword.URL - hxxp://mye.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_mye&p=
FF - component: c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\zur446e0.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-13 13:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mysql]
"ImagePath"="c:\appserv\MySQL\bin\mysqld-nt --defaults-file=c:\appserv\MySQL\my.ini mysql"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-583907252-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1914D400-34CE-732E-C70C-3B4383E1C10A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaiacjnidfiljikbem"=hex:6b,61,70,6b,66,62,64,70,69,68,6e,64,62,61,6a,67,66,69,
70,68,64,62,00,00
"hakpmdaljlilggli"=hex:6b,61,70,6b,66,62,64,70,69,68,6e,64,62,61,6a,67,66,69,
70,68,64,62,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2236)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-11-13 13:13
ComboFix-quarantined-files.txt 2009-11-13 05:13
ComboFix2.txt 2009-11-12 21:39

Pre-Run: 13,896,241,152 bytes free
Post-Run: 13,883,285,504 bytes free

- - End Of File - - 47FDC30CA9F0A3DEAF200A6130EDF5F6
gervhard is offline  
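The ComboFix log in the post above contains the entries that account for the original symptom and for the "cannot reach antivirus sites" complaint: DisableTaskMgr and DisableRegistryTools set to 1 under HKCU\...\policies\system, every Security Center notification switched off, EnableFirewall = 0 on the standard profile, a globally open port labelled only "tdibsu", and two services (abp470n5 and zipcsf86) whose driver binary ComboFix printed with "[?]" in place of a date and size, one of them pointing at a folder on the user's Desktop. The script below is an added example written for this page; it is not code from the thread, from the helper, or from ComboFix. It parses the Reg Loading Points layout ComboFix prints and reports exactly those classes of finding, so a long log can be triaged mechanically before a helper reads it by hand. The sample input is an excerpt copied from the log above; the allow-list of port labels (KNOWN_PORT_LABELS) and the list of user-writable path fragments (USER_WRITABLE) are assumptions chosen for this example.

```python
"""Triage a ComboFix "Reg Loading Points" section for the indicators seen
in the log above. Added example; not part of the thread or of ComboFix."""
import re

# Constructed sample input: lines copied from the ComboFix log posted above,
# trimmed to the entries this script is about.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7404:TCP"= 7404:TCP:BitComet 7404 TCP
"6384:TCP"= 6384:TCP:tdibsu
"67:UDP"= 67:UDP:DHCP Discovery Service

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\gkrhmm.sys --> c:\windows\system32\drivers\gkrhmm.sys [?]
S2 gupdate1ca4ffde44f4418;Google Update Service (gupdate1ca4ffde44f4418);c:\program files\Google\Update\GoogleUpdate.exe [10/18/2009 10:18 PM 202736]
S2 zipcsf86;zbeer;\??\c:\docume~1\user\Desktop\NEWFOL~2\bythemrigi.sys --> c:\docume~1\user\Desktop\NEWFOL~2\bythemrigi.sys [?]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# ComboFix service lines: "<start type> <service>;<display name>;<image path ...>"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<image>.+)$")

POLICY_LOCKS = {"disabletaskmgr", "disableregistrytools"}
SECURITY_CENTER_OVERRIDES = {
    "antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify",
    "antivirusoverride", "firewalloverride", "uacdisablenotify",
}
# Assumption: port labels accepted as explained; anything else is reported.
KNOWN_PORT_LABELS = ("bitcomet", "dhcp")
# Assumption: path fragments that mean "user-writable", where no driver should live.
USER_WRITABLE = ("\\docume~1\\", "\\documents and settings\\", "\\temp\\", "\\desktop\\")


def parse_dword(raw):
    """Accept both spellings ComboFix prints: 'dword:00000001' and '1 (0x1)'."""
    raw = raw.strip()
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return None


def check_value(key, name, raw):
    """Return (kind, name, detail) findings for one '"name"= value' line under key."""
    lname = name.lower()
    if key.endswith("policies\\system") and lname in POLICY_LOCKS and parse_dword(raw) == 1:
        return [("policy-lock", name, raw.strip())]
    if "security center" in key and lname in SECURITY_CENTER_OVERRIDES and parse_dword(raw) == 1:
        return [("security-center-override", name, raw.strip())]
    if key.endswith("standardprofile") and lname == "enablefirewall" and parse_dword(raw) == 0:
        return [("firewall-disabled", name, raw.strip())]
    if key.endswith("globallyopenports\\list"):
        # value looks like "6384:TCP:tdibsu"; the label after the second colon is all we have
        label = raw.split(":", 2)[-1].strip()
        if not any(k in label.lower() for k in KNOWN_PORT_LABELS):
            return [("unexplained-open-port", name, label)]
    return []


def check_service(svc, image):
    """Flag a service whose binary ComboFix printed with '[?]' instead of a date
    and size, or which is loaded from a user-writable folder."""
    out = []
    if image.rstrip().endswith("[?]"):
        out.append(("service-binary-missing", svc, image.strip()))
    if any(tok in image.lower() for tok in USER_WRITABLE):
        out.append(("service-in-user-path", svc, image.strip()))
    return out


def triage(log_text):
    """Walk the section line by line, tracking the current registry key."""
    findings = []
    current_key = ""
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            findings.extend(check_service(m.group("svc"), m.group("image")))
            continue
        m = VALUE_RE.match(line)
        if m:
            findings.extend(check_value(current_key, m.group("name"), m.group("value")))
    return findings


if __name__ == "__main__":
    for kind, name, detail in triage(SAMPLE_LOG):
        print(f"{kind:28} {name:24} {detail}")
```

Run it against a full ComboFix log by replacing SAMPLE_LOG with the file contents; only the Reg Loading Points block is understood, file-listing lines are ignored. The allow-list deliberately reports any open port it does not recognise rather than trying to guess what the label means, because in the log above the only way to tell BitComet's port from "tdibsu" is that someone installed BitComet on purpose.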
Old 11-13-2009, 09:37 AM   #15 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,715
OS: 2000 Pro; XP Pro; XP Home


Re: Task Manager and Regedit disabled

Hello -

Were there problems with the first run of ComboFix? It seems it was run twice.

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix2.txt

Post the contents of the logfile which will open.
tetonbob is offline  
Old 11-13-2009, 02:31 PM   #16 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 12
OS: window xp sp2


Re: Task Manager and Regedit disabled

There you go.

ComboFix 09-11-13.04 - user 11/13/2009 5:25.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.279 [GMT 8:00]
Running from: c:\downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\rykbg.dll
.
---- Previous Run -------
.
c:\windows\system32\AVSredirect.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFXRD
-------\Legacy_AUYOWSTN
-------\Legacy_BTPDEF
-------\Legacy_CBDNB
-------\Legacy_CBDPAOGTP
-------\Legacy_CCUEGJSJ
-------\Legacy_CDCYV
-------\Legacy_CGBETFMHO
-------\Legacy_CXHXFSOZS
-------\Legacy_CZKJB
-------\Legacy_KLDSH
-------\Legacy_PJCJMSP
-------\Legacy_QDOPXLV
-------\Legacy_RFMPNT
-------\Legacy_RKFBVELJT
-------\Legacy_RWLUBO
-------\Legacy_SBYAZ
-------\Legacy_WQWJITG
-------\Service_afxrd
-------\Service_auyowstn
-------\Service_btpdef
-------\Service_cbdnb
-------\Service_cbdpaogtp
-------\Service_ccuegjsj
-------\Service_cdcyv
-------\Service_cgbetfmho
-------\Service_cxhxfsozs
-------\Service_czkjb
-------\Service_kldsh
-------\Service_pjcjmsp
-------\Service_qdopxlv
-------\Service_rfmpnt
-------\Service_rkfbveljt
-------\Service_rwlubo
-------\Service_sbyaz
-------\Service_wqwjitg
-------\Legacy_AFXRD
-------\Legacy_AUYOWSTN
-------\Legacy_BTPDEF
-------\Legacy_CBDNB
-------\Legacy_CBDPAOGTP
-------\Legacy_CCUEGJSJ
-------\Legacy_CDCYV
-------\Legacy_CGBETFMHO
-------\Legacy_CXHXFSOZS
-------\Legacy_CZKJB
-------\Legacy_KLDSH
-------\Legacy_PJCJMSP
-------\Legacy_QDOPXLV
-------\Legacy_RFMPNT
-------\Legacy_RKFBVELJT
-------\Legacy_RWLUBO
-------\Legacy_SBYAZ
-------\Legacy_WQWJITG


((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-12 17:30 . 2008-11-08 10:01 2888568 ----a-w- c:\documents and settings\user\Application Data\Simply Super Software\Trojan Remover\riw5DD.exe
2009-11-12 17:16 . 2009-11-12 17:16 -------- d-----w- c:\windows\FULL CLIENT
2009-11-11 20:39 . 2009-11-11 20:43 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\ReaJPEG
2009-11-11 20:38 . 2009-11-11 20:38 -------- d-----w- c:\program files\ReaSoft
2009-11-11 20:38 . 2009-11-11 20:38 -------- d-----w- c:\documents and settings\user\Application Data\ReaSoft
2009-11-11 20:27 . 2009-11-11 20:27 -------- d-----w- c:\program files\IrfanView
2009-11-10 11:30 . 2009-11-12 21:23 -------- d-----w- C:\Downloads
2009-11-10 10:37 . 2009-11-10 10:37 -------- d-----w- c:\program files\AppServ
2009-11-05 15:41 . 2009-11-10 10:37 -------- d-----w- C:\AppServ
2009-11-05 06:30 . 2009-11-05 06:30 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Identities
2009-11-02 18:56 . 2009-11-02 18:56 -------- d-----w- c:\program files\AnVir Task Manager Pro
2009-11-02 18:56 . 2009-11-03 17:29 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\AnVir
2009-11-02 18:55 . 2009-11-02 18:55 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Xenocode
2009-11-02 18:53 . 2009-11-02 18:56 -------- d-----w- c:\documents and settings\user\Application Data\GetRightToGo
2009-11-02 18:26 . 2009-11-12 17:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 18:25 . 2006-06-19 04:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-11-02 18:25 . 2006-05-25 06:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-11-02 18:25 . 2005-08-25 16:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-11-02 18:25 . 2003-02-02 11:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-11-02 18:25 . 2002-03-05 16:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-11-02 18:25 . 2009-11-07 22:50 -------- d-----w- c:\program files\Trojan Remover
2009-11-02 18:25 . 2009-11-02 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-11-02 18:25 . 2009-11-02 18:25 -------- d-----w- c:\documents and settings\user\Application Data\Simply Super Software
2009-11-02 09:55 . 2003-06-25 08:05 348280 ----a-w- c:\windows\system32\TweakUI.exe
2009-11-02 09:34 . 2009-11-02 09:34 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Temp
2009-11-02 09:29 . 2009-11-02 09:36 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-30 22:09 . 2009-10-30 22:09 -------- d-----w- c:\documents and settings\user\Application Data\MSNInstaller
2009-10-22 08:29 . 2009-10-22 08:29 -------- d-----w- c:\windows\system32\LogFiles
2009-10-22 06:02 . 2009-10-22 06:02 -------- d-----w- c:\program files\DIFX
2009-10-22 06:02 . 2006-11-08 17:38 25792 ----a-w- c:\windows\system32\drivers\pnarp.sys
2009-10-22 06:02 . 2009-10-22 06:02 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-22 06:02 . 2006-11-08 17:38 26944 ----a-w- c:\windows\system32\drivers\purendis.sys
2009-10-22 06:02 . 2009-10-22 06:02 -------- d-----w- c:\program files\Common Files\Pure Networks Shared
2009-10-22 06:02 . 2009-10-22 06:02 -------- d-----w- c:\program files\Pure Networks
2009-10-22 06:01 . 2009-10-22 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2009-10-22 05:44 . 2004-08-04 12:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-10-18 14:44 . 2009-10-18 14:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-10-18 14:30 . 2009-11-02 09:28 -------- d-----w- c:\program files\Winamp
2009-10-18 14:30 . 2009-10-18 14:38 -------- d-----w- c:\documents and settings\user\Application Data\Winamp
2009-10-18 14:18 . 2009-10-18 14:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-10-18 14:17 . 2009-10-18 14:18 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Google
2009-10-18 14:17 . 2009-10-18 14:32 -------- d-----w- c:\program files\Google
2009-10-18 14:17 . 2009-11-10 10:24 -------- d-----w- c:\program files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 10:21 . 2009-09-12 08:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-02 18:55 . 2009-09-12 07:42 34232 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-01 23:34 . 2009-09-12 11:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-08 19:16 . 2009-10-08 19:16 -------- d-----w- c:\documents and settings\user\Application Data\Nexon
2009-10-04 17:27 . 2009-10-04 17:27 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-10-04 17:16 . 2009-10-04 17:16 -------- d-----w- c:\program files\directx
2009-10-04 17:05 . 2009-10-04 17:05 -------- d-----w- c:\program files\YouxiLand
2009-10-04 04:11 . 2009-10-04 04:11 -------- d-----w- c:\program files\AviSynth 2.5
2009-10-04 04:10 . 2009-10-04 04:10 -------- d-----w- c:\program files\eRightSoft
2009-09-30 13:41 . 2009-09-30 13:41 -------- d-----w- c:\program files\Common Files\DirectX
2009-09-30 02:21 . 2009-09-13 00:16 1220376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-09-24 02:11 . 2009-09-24 02:11 -------- d-----w- c:\documents and settings\user\Application Data\Media Player Classic
2009-09-24 02:10 . 2009-09-24 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-24 02:10 . 2009-09-24 02:10 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-09-18 04:46 . 2009-09-13 00:17 3579160 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-09-18 04:46 . 2009-09-18 04:46 2092312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-09-13 13:26 . 2009-09-13 13:26 767328 ----a-w- c:\windows\system32\kdfinj.dll
2009-09-13 12:34 . 2009-09-12 07:34 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-09-13 04:53 . 2009-09-13 04:53 1032192 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\zur446e0.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
2009-09-13 00:17 . 2009-09-13 00:17 2063640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-09-13 00:16 . 2009-09-13 00:17 3370264 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-09-12 12:30 . 2009-09-12 12:30 0 ----a-w- c:\windows\nsreg.dat
2009-09-12 11:22 . 2009-09-30 02:22 2405144 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgdiagex.exe
2009-09-12 11:22 . 2009-09-18 04:46 1209112 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-09-12 09:27 . 2009-09-12 09:27 0 ----a-w- c:\windows\ativpsrm.bin
2009-09-12 09:18 . 2009-09-12 08:47 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-12 09:04 . 2009-09-12 09:04 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2009-09-12 07:51 . 2004-08-04 12:00 502272 ----a-w- c:\windows\system32\winlogon.exe
2009-09-12 07:32 . 2009-09-12 07:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2006-05-03 09:06 . 2009-10-04 04:10 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-10-04 04:10 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-10-04 04:10 216064 --sh--r- c:\windows\system32\nbDX.dll
.

------- Sigcheck -------

[-] 2009-09-12 . 6225F14B8CE08CCBA8B25AD27843C674 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1737216]
"AnVir Task Manager Pro"="c:\program files\AnVir Task Manager Pro\AnVir.exe" [2008-11-13 2820832]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-21 241664]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2006-10-31 390720]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-11-16 655360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\others\\BitComet\\BitComet.exe"=
"c:\\Program Files\\YouxiLand\\ROW\\Login.exe"=
"c:\\Program Files\\YouxiLand\\ROW\\Login.dat"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Pure Networks\\Network Magic\\nmapp.exe"=
"c:\\WINDOWS\\system32\\freecell.exe"=
"c:\\DOCUME~1\\user\\LOCALS~1\\Temp\\wingpxn.exe"=
"c:\\DOCUME~1\\user\\LOCALS~1\\Temp\\winhnvbk.exe"=
"c:\\DOCUME~1\\user\\LOCALS~1\\Temp\\fdrx.exe"=
"c:\\DOCUME~1\\user\\LOCALS~1\\Temp\\ucli.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7404:TCP"= 7404:TCP:BitComet 7404 TCP
"7404:UDP"= 7404:UDP:BitComet 7404 UDP
"6384:TCP"= 6384:TCP:tdibsu
"67:UDP"= 67:UDP:DHCP Discovery Service

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\gkrhmm.sys --> c:\windows\system32\drivers\gkrhmm.sys [?]
S2 gupdate1ca4ffde44f4418;Google Update Service (gupdate1ca4ffde44f4418);c:\program files\Google\Update\GoogleUpdate.exe [10/18/2009 10:18 PM 202736]
S2 zipcsf86;zbeer;\??\c:\docume~1\user\Desktop\NEWFOL~2\bythemrigi.sys --> c:\docume~1\user\Desktop\NEWFOL~2\bythemrigi.sys [?]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [9/13/2009 9:26 PM 131072]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [9/13/2009 9:26 PM 79104]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-18 14:17]

2009-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-18 14:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.atcomet.com/b/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //mailurl:mailto:Royalblood83%22gmail.com@msn.com
IE: &D&ownload &with BitComet - c:\program files\others\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\others\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\others\BitComet\BitComet.exe/AddAllLink.htm
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\zur446e0.default\
FF - prefs.js: keyword.URL - hxxp://mye.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_mye&p=
FF - component: c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\zur446e0.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-AVGIDS - c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
HKLM-Run-TrojanScanner - c:\program files\Trojan Remover\Trjscan.exe
AddRemove-R.Y.L FactorY_is1 - d:\program files\games\RYL FactorY\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-13 05:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mysql]
"ImagePath"="c:\appserv\MySQL\bin\mysqld-nt --defaults-file=c:\appserv\MySQL\my.ini mysql"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-583907252-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1914D400-34CE-732E-C70C-3B4383E1C10A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaiacjnidfiljikbem"=hex:6b,61,70,6b,66,62,64,70,69,68,6e,64,62,61,6a,67,66,69,
70,68,64,62,00,00
"hakpmdaljlilggli"=hex:6b,61,70,6b,66,62,64,70,69,68,6e,64,62,61,6a,67,66,69,
70,68,64,62,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3192)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\dwwin.exe
c:\program files\Pure Networks\Network Magic\nmsrvc.exe
c:\docume~1\user\LOCALS~1\Temp\wingpxn.exe
c:\docume~1\user\LOCALS~1\Temp\winhnvbk.exe
c:\docume~1\user\LOCALS~1\Temp\fdrx.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2009-11-13 05:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-12 21:39

Pre-Run: 14,178,705,408 bytes free
Post-Run: 14,022,635,520 bytes free

- - End Of File - - 3E6DCD4F698F14FF8AF2D4F64FE98E3A
Old 11-13-2009, 02:37 PM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,715
OS: 2000 Pro; XP Pro; XP Home


Re: Task Manager and Regedit disabled

This driver was running from a folder on your desktop

S2 zipcsf86;zbeer;\??\c:\docume~1\user\Desktop\NEWFOL~2\bythemrigi.sys --> c:\docume~1\user\Desktop\NEWFOL~2\bythemrigi.sys [?]

Was this the file you downloaded?

Also

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 11-13-2009, 03:04 PM   #18 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 12
OS: window xp sp2


Re: Task Manager and Regedit disabled

I had them downloaded into my C drive (C:/download) and I pasted it on my desktop (also in the same drive)

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
AnVir Task Manager Pro
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG Identity Protection
BitComet 1.14
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
FULL CLIENT
Google Update Helper
IrfanView (remove only)
K-Lite Mega Codec Pack 1.69
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.5)
MSN
Network Magic
NVIDIA Drivers
ReaJPEG Pro 3.9
Realtek AC'97 Audio
Return of Warrior
Skins
SUPER © Version 2009.bld.36 (June 10, 2009)
Trojan Remover 6.7.4
Tweak UI
WebFldrs XP
Winamp
Windows Driver Package - Pure Networks Address Resolution Protocol (ARP) Driver (11/09/2006 4.0.6313.0)
Windows Driver Package - Pure Networks NDIS Relay Protocol Driver (11/09/2006 4.0.6313.0)
Windows Internet Explorer 8
WinRAR archiver
Old 11-13-2009, 04:31 PM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,715
OS: 2000 Pro; XP Pro; XP Home


Re: Task Manager and Regedit disabled

It's possible this machine has been infected with Sality virus, which is a file infector. If this is the case, it's possible the best cure will be to format the machine. Before continuing, I need a bit more information.

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following:

    c:\windows\system32\winlogon.exe


  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.

Next....

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c PEV -l "%systemdrive%\winlogon.*" >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.

=================================

Also, I don't see an AntiVirus application installed. Any reason why?
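The log posted earlier in the thread shows the indicators tetonbob is reasoning from in the post above: DisableTaskMgr and DisableRegistryTools set under the user policy key, Security Center override values that silence the "no antivirus / no firewall" warnings, executables running and firewall-whitelisted from the user's Temp folder, a driver loading from a folder on the Desktop, and a "[-]" Sigcheck result on winlogon.exe, which is why he asks for a VirusTotal hash check of that file. The script below is an added example for this thread, not code from ComboFix, PEV, VirusTotal or the forum. It parses a constructed sample built from lines of the posted log, reports each of those indicator classes, and computes the MD5/SHA-256 a responder would look up for a copy of a suspect file. Function names and the indicator rules are this example's own choices.

```python
"""Triage a ComboFix-style log for the indicators discussed in this thread.

Added example, not code from ComboFix, PEV, VirusTotal or the forum.
Function names and indicator rules are this example's own choices.
"""
import hashlib
import re

# Constructed sample: an abridged copy of the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\DOCUME~1\\user\\LOCALS~1\\Temp\\wingpxn.exe"=

[-] 2009-09-12 . 6225F14B8CE08CCBA8B25AD27843C674 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
S2 zipcsf86;zbeer;\??\c:\docume~1\user\Desktop\NEWFOL~2\bythemrigi.sys --> c:\docume~1\user\Desktop\NEWFOL~2\bythemrigi.sys [?]
c:\docume~1\user\LOCALS~1\Temp\fdrx.exe
"""

# Policy values that lock the user out of Task Manager / Regedit.
POLICY_VALUES = {"disabletaskmgr", "disableregistrytools"}
# Security Center values that suppress the "no AV / no firewall / no updates" warnings.
SECURITY_CENTER_VALUES = {
    "antivirusoverride", "firewalloverride", "antivirusdisablenotify",
    "firewalldisablenotify", "updatesdisablenotify", "uacdisablenotify",
}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?([0-9a-fA-F]+)')
# "[-]" in the Sigcheck section means the file failed ComboFix's known-good check.
SIGCHECK_RE = re.compile(r"^\[-\]\s.*?([0-9a-f]{32}).*?(\S+)$", re.I)
# A Windows path ending in an executable image; spaces inside the path are allowed.
PATH_RE = re.compile(r'[a-z]:\\[^"]*?\.(?:exe|sys|dll)\b', re.I)
# Directories from which a service, driver or autorun should normally never load.
TRANSIENT_DIR_RE = re.compile(r"\\(?:temp|desktop)\\", re.I)


def triage_log(text):
    """Return (category, detail) findings in the order they appear in the log."""
    findings = []
    section = ""
    seen_paths = set()
    for raw in text.splitlines():
        line = raw.strip().replace("\\\\", "\\")  # undo REGEDIT4-style escaping
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()  # remember which registry key we are under
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group(1), int(m.group(2), 16)
            if value and "policies\\system" in section and name.lower() in POLICY_VALUES:
                findings.append(("policy", name))
            elif value and "security center" in section and name.lower() in SECURITY_CENTER_VALUES:
                findings.append(("security_center", name))
        m = SIGCHECK_RE.match(line)
        if m:
            findings.append(("sigcheck", f"{m.group(2)} md5={m.group(1).lower()}"))
        for path in PATH_RE.findall(line):
            key = path.lower()
            if key in seen_paths or not TRANSIENT_DIR_RE.search(path):
                continue
            seen_paths.add(key)
            findings.append(("transient_path", path))
    return findings


def sigcheck_md5s(findings):
    """MD5s the log flagged, to compare against a hash computed on a copy of the file."""
    return {detail.split(" md5=")[1] for category, detail in findings if category == "sigcheck"}


def digest_bytes(data):
    """MD5 (what the log's Sigcheck shows) and SHA-256 of an in-memory blob."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def digest_file(path, chunk_size=1 << 20):
    """Stream a file through both hashes so large binaries need not fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


if __name__ == "__main__":
    for category, detail in triage_log(SAMPLE_LOG):
        print(f"{category:15} {detail}")
```

To use it on a real log, pass the file's text to `triage_log` instead of `SAMPLE_LOG`; `digest_file` on a copy of a flagged file gives the hash to look up at VirusTotal, and comparing it with `sigcheck_md5s` confirms the copy is the same file ComboFix saw. The policy and Security Center findings are the values to reset once the malware itself is gone; clearing them first only hides the symptom, since a running infector can simply set them again.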
Old 11-21-2009, 06:36 PM   #20 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,715
OS: 2000 Pro; XP Pro; XP Home


Re: Task Manager and Regedit disabled

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help
Copyright 2001 - 2009, Tech Support Forum