Corrupt Norton, almost all webpages are redirected to microsoft.com - Page 2

randomrandom · 10-02-2006, 10:24 AM

Spybot would pop up each time i ran this scan asking "do you want to allow this registry change" and after i accepted the changes, combofix would close. I did that the first time today, but then i reran combofix with spybot disabled and it gave me this log....

********************************************************
Combofix
********************************************************
User1 - 06-10-02 9:21:35.76 Service Pack 1
ComboFix 06.09.27 - Running from: "C:\Documents and Settings\User1\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-01 to 2006-10-01 ))))))))))))))))))))))))))))))))))

2006-09-27 22:19 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-09-27 22:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-09-27 22:19 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-09-27 21:54 13 --a------ C:\dumwnmifc.sys
2006-09-27 21:54 13 --a------ C:\dumwnmicf.sys
2006-09-27 21:54 13 --a------ C:\dumwnmicf.dll
2006-09-25 14:47 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2006-09-25 14:47 7,483 --a------ C:\clean.bat
2006-09-25 14:47 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-09-25 14:47 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2006-09-25 14:47 38,400 --a------ C:\WINDOWS\system32\moveex.exe
2006-09-23 15:24 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-09-23 15:24 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-09-23 13:41 38,912 --a------ C:\WINDOWS\system32\wpd_ci.dll
2006-09-23 13:41 10,752 --a------ C:\WINDOWS\system32\wpdtrace.dll
2006-09-23 13:09 9,728 --a------ C:\WINDOWS\system32\mstinit.exe
2006-09-23 13:09 81,408 --a------ C:\WINDOWS\system32\msoert2.dll
2006-09-23 13:09 77,824 --a------ C:\WINDOWS\system32\isign32.dll
2006-09-23 13:09 73,728 --a------ C:\WINDOWS\system32\ils.dll
2006-09-23 13:09 69,632 --a------ C:\WINDOWS\system32\icwdial.dll
2006-09-23 13:09 65,536 --a------ C:\WINDOWS\system32\msconf.dll
2006-09-23 13:09 63,488 --a------ C:\WINDOWS\system32\srclient.dll
2006-09-23 13:09 61,440 --a------ C:\WINDOWS\system32\icwphbk.dll
2006-09-23 13:09 587,776 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-09-23 13:09 47,616 --a------ C:\WINDOWS\system32\inetres.dll
2006-09-23 13:09 40,960 --a------ C:\WINDOWS\system32\safrslv.dll
2006-09-23 13:09 39,424 --a------ C:\WINDOWS\system32\safrcdlg.dll
2006-09-23 13:09 33,280 --a------ C:\WINDOWS\system32\racpldlg.dll
2006-09-23 13:09 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2006-09-23 13:09 32,256 --a------ C:\WINDOWS\system32\mnmdd.dll
2006-09-23 13:09 28,672 --a------ C:\WINDOWS\system32\isrdbg32.dll
2006-09-23 13:09 266,240 --a------ C:\WINDOWS\system32\inetcfg.dll
2006-09-23 13:09 26,624 --a------ C:\WINDOWS\system32\safrdm.dll
2006-09-23 13:09 250,368 --a------ C:\WINDOWS\system32\mstask.dll
2006-09-23 13:09 24,576 --a------ C:\WINDOWS\system32\nmmkcert.dll
2006-09-23 13:09 228,864 --a------ C:\WINDOWS\system32\msoeacct.dll
2006-09-23 13:09 226,304 --a------ C:\WINDOWS\system32\srrstr.dll
2006-09-23 13:09 221,696 --a------ C:\WINDOWS\system32\qmgr.dll
2006-09-23 13:09 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-09-23 13:09 159,232 --a------ C:\WINDOWS\system32\schedsvc.dll
2006-09-23 13:09 158,720 --a------ C:\WINDOWS\system32\srsvc.dll
2006-09-23 13:08 9,728 --a------ C:\WINDOWS\system32\xolehlp.dll
2006-09-23 13:08 869,376 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-09-23 13:08 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2006-09-23 13:08 83,968 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-09-23 13:08 82,432 --a------ C:\WINDOWS\system32\comrepl.dll
2006-09-23 13:08 61,952 --a------ C:\WINDOWS\system32\rdshost.exe
2006-09-23 13:08 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2006-09-23 13:08 56,832 --a------ C:\WINDOWS\system32\colbact.dll
2006-09-23 13:08 54,784 --a------ C:\WINDOWS\system32\msdtclog.dll
2006-09-23 13:08 495,616 --a------ C:\WINDOWS\system32\comuid.dll
2006-09-23 13:08 489,984 --a------ C:\WINDOWS\system32\hypertrm.dll
2006-09-23 13:08 468,480 --a------ C:\WINDOWS\system32\clbcatq.dll
2006-09-23 13:08 215,040 --a------ C:\WINDOWS\system32\catsrv.dll
2006-09-23 13:08 18,432 --a------ C:\WINDOWS\system32\qprocess.exe
2006-09-23 13:08 179,200 --a------ C:\WINDOWS\system32\accwiz.exe
2006-09-23 13:08 151,040 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-09-23 13:08 124,416 --a------ C:\WINDOWS\system32\sndrec32.exe
2006-09-23 13:08 100,864 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-09-23 13:07 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe
2006-09-23 13:07 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll
2006-09-23 13:07 9,216 --a------ C:\WINDOWS\system32\icaapi.dll
2006-09-23 13:07 88,064 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2006-09-23 13:07 75,912 --a------ C:\WINDOWS\system32\rdpwsx.dll
2006-09-23 13:07 598,016 --a------ C:\WINDOWS\system32\mstscax.dll
2006-09-23 13:07 582,656 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-09-23 13:07 57,856 --a------ C:\WINDOWS\system32\licwmi.dll
2006-09-23 13:07 56,320 --a------ C:\WINDOWS\system32\remotepg.dll
2006-09-23 13:07 534,016 --a------ C:\WINDOWS\system32\spider.exe
2006-09-23 13:07 53,248 --a------ C:\WINDOWS\system32\servdeps.dll
2006-09-23 13:07 44,032 --a------ C:\WINDOWS\system32\rdpclip.exe
2006-09-23 13:07 40,960 --a------ C:\WINDOWS\system32\tscupgrd.exe
2006-09-23 13:07 388,608 --a------ C:\WINDOWS\system32\mstsc.exe
2006-09-23 13:07 359,936 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-09-23 13:07 339,968 --a------ C:\WINDOWS\system32\mspaint.exe
2006-09-23 13:07 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll
2006-09-23 13:07 200,192 --a------ C:\WINDOWS\system32\termsrv.dll
2006-09-23 13:07 174,592 --a------ C:\WINDOWS\system32\cmprops.dll
2006-09-23 13:07 16,384 --a------ C:\WINDOWS\system32\mmfutil.dll
2006-09-23 13:07 14,848 --a------ C:\WINDOWS\system32\rdpsnd.dll
2006-09-23 13:07 135,680 --a------ C:\WINDOWS\system32\rdchost.dll
2006-09-23 13:07 129,024 --a------ C:\WINDOWS\system32\sessmgr.exe
2006-09-23 13:07 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2006-09-23 13:07 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe
2006-09-23 13:07 116,736 --a------ C:\WINDOWS\system32\mplay32.exe
2006-09-23 13:07 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
2006-09-23 13:07 1,172,992 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-09-23 12:12 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-09-23 12:11 71,168 --a------ C:\WINDOWS\system32\storprop.dll
2006-09-21 17:28 182,784 --ah----- C:\WINDOWS\system32\dxmamcia.dll
2006-09-21 17:08 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2006-09-21 17:08 81,920 --------- C:\WINDOWS\system32\vdrmux.dll
2006-09-21 17:08 76,800 --------- C:\WINDOWS\system32\Lfwmf13n.dll
2006-09-21 17:08 73,728 --------- C:\WINDOWS\system32\MMAviAx.dll
2006-09-21 17:08 73,728 --------- C:\WINDOWS\system32\lffax13n.dll
2006-09-21 17:08 65,536 --------- C:\WINDOWS\system32\Lfpct13n.dll
2006-09-21 17:08 46,592 --------- C:\WINDOWS\system32\vdrcodec.dll
2006-09-21 17:08 453,120 --------- C:\WINDOWS\system32\ltkrn13n.dll
2006-09-21 17:08 44,544 --------- C:\WINDOWS\system32\msxml4a.dll
2006-09-21 17:08 40,960 --------- C:\WINDOWS\system32\langserv.dll
2006-09-21 17:08 393,216 --------- C:\WINDOWS\system32\LFCMP13n.DLL
2006-09-21 17:08 32,768 --------- C:\WINDOWS\system32\MLPagAx.dll
2006-09-21 17:08 30,208 --------- C:\WINDOWS\system32\lfbmp13n.dll
2006-09-21 17:08 294,912 --------- C:\WINDOWS\system32\pvmjpg21.dll
2006-09-21 17:08 278,016 --------- C:\WINDOWS\system32\LFJ2K13n.dll
2006-09-21 17:08 24,576 --------- C:\WINDOWS\system32\lftga13n.dll
2006-09-21 17:08 204,881 --------- C:\WINDOWS\system32\DiskIO.dll
2006-09-21 17:08 18,432 --------- C:\WINDOWS\system32\Cachex.dll
2006-09-21 17:08 155,721 --------- C:\WINDOWS\system32\RALMain.dll
2006-09-21 17:08 153,088 --------- C:\WINDOWS\system32\ltfil13n.DLL
2006-09-21 17:08 143,360 --------- C:\WINDOWS\system32\lftif13n.dll
2006-09-21 17:08 114,759 --------- C:\WINDOWS\system32\Aviprax.dll
2006-09-21 17:08 1,693,696 --------- C:\WINDOWS\system32\LTCLR13n.dll
2006-09-21 17:05 964,608 --a------ C:\WINDOWS\system32\MFC70U.DLL
2006-09-21 17:05 65,536 --a------ C:\WINDOWS\system32\MFC71DEU.DLL
2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\pclepim1.dll
2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\MFC71ITA.DLL
2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\MFC71FRA.DLL
2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\MFC71ESP.DLL
2006-09-21 17:05 57,344 --a------ C:\WINDOWS\system32\MFC71ENU.DLL
2006-09-21 17:05 49,152 --a------ C:\WINDOWS\system32\PCLEGetGuid.dll
2006-09-21 17:05 49,152 --a------ C:\WINDOWS\system32\MFC71KOR.DLL
2006-09-21 17:05 49,152 --a------ C:\WINDOWS\system32\MFC71JPN.DLL
2006-09-21 17:05 45,056 --a------ C:\WINDOWS\system32\MFC71CHT.DLL
2006-09-21 17:05 40,960 --a------ C:\WINDOWS\system32\MFC71CHS.DLL
2006-09-17 18:01 82,432 --------- C:\WINDOWS\system32\msxml4r.dll
2006-09-17 18:01 54,784 --a------ C:\WINDOWS\system32\msvci70.dll
2006-09-17 18:01 442,368 --a------ C:\WINDOWS\system32\vp6vfw.dll
2006-09-17 18:01 265,785 --a------ C:\WINDOWS\system32\pixomatic.dll
2006-09-17 18:01 22,016 --a------ C:\WINDOWS\system32\borlndmm.dll
2006-09-17 18:01 188,416 --a------ C:\WINDOWS\system32\eax.dll
2006-09-17 18:01 1,500,160 --a------ C:\WINDOWS\system32\cc3260mt.dll
2006-09-17 18:01 1,230,336 --------- C:\WINDOWS\system32\msxml4.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-02 00:09 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-10-01 23:27 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-01 12:43 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-01 00:48 -------- d-------- C:\Program Files\Windows Media Player
2006-10-01 00:44 -------- d-------- C:\Program Files\U.S. Robotics 802.11g WLAN
2006-10-01 00:35 -------- d-------- C:\Program Files\Internet Explorer
2006-09-27 23:37 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-27 22:29 -------- d-------- C:\Program Files\CleanUp!
2006-09-27 21:55 -------- d-------- C:\Program Files\HaxFix
2006-09-27 15:50 -------- d-------- C:\Documents and Settings\User1\Application Data\DMCache
2006-09-26 19:25 -------- d-------- C:\Program Files\RegistryFix
2006-09-25 20:18 -------- d-------- C:\Program Files\Unlocker
2006-09-25 18:27 -------- d-------- C:\Documents and Settings\User1\Application Data\AVG7
2006-09-25 18:26 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-09-25 18:25 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-09-25 18:25 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-09-25 18:25 -------- d-------- C:\Program Files\Grisoft
2006-09-25 18:14 -------- d-------- C:\Program Files\Norton Internet Security
2006-09-25 18:14 -------- d-------- C:\Documents and Settings\User1\Application Data\Symantec
2006-09-25 18:13 -------- d-------- C:\Program Files\Symantec
2006-09-25 18:12 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-09-24 23:00 -------- d-------- C:\Documents and Settings\User1\Application Data\Mozilla
2006-09-24 13:04 8329 --a------ C:\Documents and Settings\User1\Application Data\.googlewebacchosts
2006-09-24 09:07 -------- d-------- C:\Program Files\Alwil Software
2006-09-23 21:53 -------- d-------- C:\Program Files\Pinnacle
2006-09-23 13:09 -------- d-------- C:\Program Files\Outlook Express
2006-09-23 13:09 -------- d-------- C:\Program Files\NetMeeting
2006-09-23 13:09 -------- d-------- C:\Program Files\Movie Maker
2006-09-23 13:08 -------- d-------- C:\Program Files\Windows NT
2006-09-21 17:08 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-21 17:07 -------- d-------- C:\Program Files\SmartSound Software
2006-09-21 17:04 -------- d-------- C:\Program Files\Trillian
2006-09-18 16:28 -------- d-------- C:\Program Files\Internet Download Manager
2006-09-18 16:28 -------- d-------- C:\Documents and Settings\User1\Application Data\IDM
2006-09-17 21:11 14848 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-09-17 18:11 -------- d-------- C:\Program Files\GTA-SanAndreas
2006-09-16 23:24 -------- d-------- C:\Documents and Settings\User1\Application Data\Sun
2006-09-16 10:07 -------- d-------- C:\Documents and Settings\User1\Application Data\Google
2006-09-15 22:04 48816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-09-15 22:04 109744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-09-14 14:44 -------- d-------- C:\Program Files\Winamp
2006-09-10 19:43 -------- d-------- C:\Documents and Settings\User1\Application Data\AdobeUM
2006-09-10 18:24 -------- d---s---- C:\Documents and Settings\User1\Application Data\Microsoft
2006-09-10 10:34 -------- d-------- C:\Program Files\Java
2006-09-07 22:32 -------- d-------- C:\Program Files\Save Flash
2006-08-29 01:28 140984 --a------ C:\WINDOWS\system32\idmmbc.dll
2006-08-24 20:40 -------- d-------- C:\Program Files\GeoVid
2006-08-22 18:32 22768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys
2006-08-22 18:32 -------- d-------- C:\Program Files\Motorola Phone Tools
2006-08-22 18:25 -------- d-------- C:\Program Files\mobile PhoneTools
2006-08-22 18:05 -------- d-------- C:\Program Files\LiveUpdate
2006-08-22 00:22 72748 --a------ C:\WINDOWS\unins001.exe
2006-08-22 00:22 72748 --a------ C:\WINDOWS\unins000.exe
2006-08-22 00:22 -------- d-------- C:\Program Files\Temp
2006-08-22 00:22 -------- d-------- C:\Program Files\Anark
2006-08-21 23:49 -------- d-------- C:\Program Files\OceanDive
2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 02:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 02:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-21 00:44 -------- d-------- C:\Program Files\SereneScreen
2006-08-19 11:23 -------- d-------- C:\Documents and Settings\User1\Application Data\RipIt4Me
2006-08-19 09:43 -------- d-------- C:\Program Files\PgcEdit
2006-08-18 15:30 -------- d-------- C:\Documents and Settings\User1\Application Data\Adobe
2006-08-07 16:02 534208 --a------ C:\WINDOWS\system32\SymNeti.dll
2006-08-07 16:02 31936 --a------ C:\WINDOWS\system32\drivers\symids.sys
2006-08-07 16:02 28352 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2006-08-07 16:02 24768 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2006-08-07 16:02 195776 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2006-08-07 16:02 161472 --a------ C:\WINDOWS\system32\SymRedir.dll
2006-08-07 16:02 110784 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2006-08-07 16:01 12992 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2006-08-03 20:59 48 ---hs---- C:\Documents and Settings\User1\Application Data\.zreglib
2006-08-03 20:54 -------- d-------- C:\Program Files\Rip it 4 Me
2006-08-02 11:41 -------- d-------- C:\Program Files\BitComet

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="C:\\Program Files\\Creative\\MediaSource\\RemoteControl\\RCMan.EXE"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2ZS\\Surround Mixer\\CTSysVol.exe /r"
"CTDVDDET"="C:\\Program Files\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDET.EXE"
"SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"IS CfgWiz"="\"C:\\Program Files\\Norton Internet Security\\cfgwiz.exe\" /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE \"REBOOT\""
"SSC_UserPrompt"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdReg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\UpdReg.EXE"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dxmamcia
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbjt32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wnmicf

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\wnmicf.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\wnmifc.sys

Completion time: 06-10-02 9:21:45.90
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

Ried · 10-02-2006, 11:12 AM

Nice job...keep TeaTimer disabled and this time, run combofix from the Run command using the command I gave you in my previous reply.

Post the ComboFix.txt again, along with a new HijackThis log.

randomrandom · 10-04-2006, 09:54 PM

Great news! I got AVG anti-virus to finally uninstall (i had to uninstall it in safe-mode because it wouldnt in normal mode) and now my computer is on its way back to being normal again!
1) I have my wireless internet connection back
2) "Control Panel" and "My network Connections" do not crash anymore
3) I was able to reinstall Norton Antivirus 2006 which cleaned quite a few of the viruses out....
4) I uninstalled Spybot which allows all of my other programs to finally work right (ie. combofix, and norton)
5) Internet Explorer is back up and running as well, no more redirecting or crashing!!!! HOORAY!!!!

6) This is the best one.... My computer shuts down normally again!

Unfortunately, My startup time is still abmysal (windows still hangs for 2-5 minutes on the "windows is starting up" screen). I hope these new logs can help fix this!

*****************************************************
Combofix Log
*****************************************************
User1 - 06-10-04 20:45:17.35 Service Pack 1
ComboFix 06.09.27 - Running from: "C:\Documents and Settings\User1\desktop"
Command switches used :: /v d3dishsv wmneprfl dxmamcia

((((((((((((((((((((((((((((((( Files Created from 2006-09-04 to 2006-10-04 ))))))))))))))))))))))))))))))))))

2006-10-04 17:01 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-10-04 15:00 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2006-10-04 15:00 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-09-27 22:19 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-09-27 22:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-09-27 22:19 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-09-27 21:54 13 --a------ C:\dumwnmifc.sys
2006-09-27 21:54 13 --a------ C:\dumwnmicf.sys
2006-09-27 21:54 13 --a------ C:\dumwnmicf.dll
2006-09-25 14:47 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2006-09-25 14:47 7,483 --a------ C:\clean.bat
2006-09-25 14:47 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-09-25 14:47 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2006-09-25 14:47 38,400 --a------ C:\WINDOWS\system32\moveex.exe
2006-09-23 15:24 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-09-23 15:24 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-09-23 13:09 9,728 --a------ C:\WINDOWS\system32\mstinit.exe
2006-09-23 13:09 81,408 --a------ C:\WINDOWS\system32\msoert2.dll
2006-09-23 13:09 77,824 --a------ C:\WINDOWS\system32\isign32.dll
2006-09-23 13:09 73,728 --a------ C:\WINDOWS\system32\ils.dll
2006-09-23 13:09 69,632 --a------ C:\WINDOWS\system32\icwdial.dll
2006-09-23 13:09 65,536 --a------ C:\WINDOWS\system32\msconf.dll
2006-09-23 13:09 63,488 --a------ C:\WINDOWS\system32\srclient.dll
2006-09-23 13:09 61,440 --a------ C:\WINDOWS\system32\icwphbk.dll
2006-09-23 13:09 587,776 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-09-23 13:09 47,616 --a------ C:\WINDOWS\system32\inetres.dll
2006-09-23 13:09 40,960 --a------ C:\WINDOWS\system32\safrslv.dll
2006-09-23 13:09 39,424 --a------ C:\WINDOWS\system32\safrcdlg.dll
2006-09-23 13:09 361,984 --a------ C:\WINDOWS\system32\qmgr.dll
2006-09-23 13:09 33,280 --a------ C:\WINDOWS\system32\racpldlg.dll
2006-09-23 13:09 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2006-09-23 13:09 32,256 --a------ C:\WINDOWS\system32\mnmdd.dll
2006-09-23 13:09 28,672 --a------ C:\WINDOWS\system32\isrdbg32.dll
2006-09-23 13:09 266,240 --a------ C:\WINDOWS\system32\inetcfg.dll
2006-09-23 13:09 26,624 --a------ C:\WINDOWS\system32\safrdm.dll
2006-09-23 13:09 250,368 --a------ C:\WINDOWS\system32\mstask.dll
2006-09-23 13:09 24,576 --a------ C:\WINDOWS\system32\nmmkcert.dll
2006-09-23 13:09 228,864 --a------ C:\WINDOWS\system32\msoeacct.dll
2006-09-23 13:09 226,304 --a------ C:\WINDOWS\system32\srrstr.dll
2006-09-23 13:09 159,232 --a------ C:\WINDOWS\system32\schedsvc.dll
2006-09-23 13:09 158,720 --a------ C:\WINDOWS\system32\srsvc.dll
2006-09-23 13:08 9,728 --a------ C:\WINDOWS\system32\xolehlp.dll
2006-09-23 13:08 869,376 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-09-23 13:08 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2006-09-23 13:08 83,968 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-09-23 13:08 82,432 --a------ C:\WINDOWS\system32\comrepl.dll
2006-09-23 13:08 61,952 --a------ C:\WINDOWS\system32\rdshost.exe
2006-09-23 13:08 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2006-09-23 13:08 56,832 --a------ C:\WINDOWS\system32\colbact.dll
2006-09-23 13:08 54,784 --a------ C:\WINDOWS\system32\msdtclog.dll
2006-09-23 13:08 495,616 --a------ C:\WINDOWS\system32\comuid.dll
2006-09-23 13:08 489,984 --a------ C:\WINDOWS\system32\hypertrm.dll
2006-09-23 13:08 468,480 --a------ C:\WINDOWS\system32\clbcatq.dll
2006-09-23 13:08 215,040 --a------ C:\WINDOWS\system32\catsrv.dll
2006-09-23 13:08 18,432 --a------ C:\WINDOWS\system32\qprocess.exe
2006-09-23 13:08 179,200 --a------ C:\WINDOWS\system32\accwiz.exe
2006-09-23 13:08 151,040 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-09-23 13:08 124,416 --a------ C:\WINDOWS\system32\sndrec32.exe
2006-09-23 13:08 100,864 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-09-23 13:07 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe
2006-09-23 13:07 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll
2006-09-23 13:07 9,216 --a------ C:\WINDOWS\system32\icaapi.dll
2006-09-23 13:07 88,064 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2006-09-23 13:07 75,912 --a------ C:\WINDOWS\system32\rdpwsx.dll
2006-09-23 13:07 598,016 --a------ C:\WINDOWS\system32\mstscax.dll
2006-09-23 13:07 582,656 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-09-23 13:07 57,856 --a------ C:\WINDOWS\system32\licwmi.dll
2006-09-23 13:07 56,320 --a------ C:\WINDOWS\system32\remotepg.dll
2006-09-23 13:07 534,016 --a------ C:\WINDOWS\system32\spider.exe
2006-09-23 13:07 53,248 --a------ C:\WINDOWS\system32\servdeps.dll
2006-09-23 13:07 44,032 --a------ C:\WINDOWS\system32\rdpclip.exe
2006-09-23 13:07 40,960 --a------ C:\WINDOWS\system32\tscupgrd.exe
2006-09-23 13:07 388,608 --a------ C:\WINDOWS\system32\mstsc.exe
2006-09-23 13:07 359,936 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-09-23 13:07 339,968 --a------ C:\WINDOWS\system32\mspaint.exe
2006-09-23 13:07 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll
2006-09-23 13:07 200,192 --a------ C:\WINDOWS\system32\termsrv.dll
2006-09-23 13:07 174,592 --a------ C:\WINDOWS\system32\cmprops.dll
2006-09-23 13:07 16,384 --a------ C:\WINDOWS\system32\mmfutil.dll
2006-09-23 13:07 14,848 --a------ C:\WINDOWS\system32\rdpsnd.dll
2006-09-23 13:07 135,680 --a------ C:\WINDOWS\system32\rdchost.dll
2006-09-23 13:07 129,024 --a------ C:\WINDOWS\system32\sessmgr.exe
2006-09-23 13:07 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2006-09-23 13:07 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe
2006-09-23 13:07 116,736 --a------ C:\WINDOWS\system32\mplay32.exe
2006-09-23 13:07 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
2006-09-23 13:07 1,172,992 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-09-23 12:12 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-09-23 12:11 71,168 --a------ C:\WINDOWS\system32\storprop.dll
2006-09-21 17:08 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2006-09-21 17:08 81,920 --------- C:\WINDOWS\system32\vdrmux.dll
2006-09-21 17:08 76,800 --------- C:\WINDOWS\system32\Lfwmf13n.dll
2006-09-21 17:08 73,728 --------- C:\WINDOWS\system32\MMAviAx.dll
2006-09-21 17:08 73,728 --------- C:\WINDOWS\system32\lffax13n.dll
2006-09-21 17:08 65,536 --------- C:\WINDOWS\system32\Lfpct13n.dll
2006-09-21 17:08 46,592 --------- C:\WINDOWS\system32\vdrcodec.dll
2006-09-21 17:08 453,120 --------- C:\WINDOWS\system32\ltkrn13n.dll
2006-09-21 17:08 44,544 --------- C:\WINDOWS\system32\msxml4a.dll
2006-09-21 17:08 40,960 --------- C:\WINDOWS\system32\langserv.dll
2006-09-21 17:08 393,216 --------- C:\WINDOWS\system32\LFCMP13n.DLL
2006-09-21 17:08 32,768 --------- C:\WINDOWS\system32\MLPagAx.dll
2006-09-21 17:08 30,208 --------- C:\WINDOWS\system32\lfbmp13n.dll
2006-09-21 17:08 294,912 --------- C:\WINDOWS\system32\pvmjpg21.dll
2006-09-21 17:08 278,016 --------- C:\WINDOWS\system32\LFJ2K13n.dll
2006-09-21 17:08 24,576 --------- C:\WINDOWS\system32\lftga13n.dll
2006-09-21 17:08 204,881 --------- C:\WINDOWS\system32\DiskIO.dll
2006-09-21 17:08 18,432 --------- C:\WINDOWS\system32\Cachex.dll
2006-09-21 17:08 155,721 --------- C:\WINDOWS\system32\RALMain.dll
2006-09-21 17:08 153,088 --------- C:\WINDOWS\system32\ltfil13n.DLL
2006-09-21 17:08 143,360 --------- C:\WINDOWS\system32\lftif13n.dll
2006-09-21 17:08 114,759 --------- C:\WINDOWS\system32\Aviprax.dll
2006-09-21 17:08 1,693,696 --------- C:\WINDOWS\system32\LTCLR13n.dll
2006-09-21 17:05 964,608 --a------ C:\WINDOWS\system32\MFC70U.DLL
2006-09-21 17:05 65,536 --a------ C:\WINDOWS\system32\MFC71DEU.DLL
2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\pclepim1.dll
2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\MFC71ITA.DLL
2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\MFC71FRA.DLL
2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\MFC71ESP.DLL
2006-09-21 17:05 57,344 --a------ C:\WINDOWS\system32\MFC71ENU.DLL
2006-09-21 17:05 49,152 --a------ C:\WINDOWS\system32\PCLEGetGuid.dll
2006-09-21 17:05 49,152 --a------ C:\WINDOWS\system32\MFC71KOR.DLL
2006-09-21 17:05 49,152 --a------ C:\WINDOWS\system32\MFC71JPN.DLL
2006-09-21 17:05 45,056 --a------ C:\WINDOWS\system32\MFC71CHT.DLL
2006-09-21 17:05 40,960 --a------ C:\WINDOWS\system32\MFC71CHS.DLL
2006-09-17 18:01 82,432 --------- C:\WINDOWS\system32\msxml4r.dll
2006-09-17 18:01 54,784 --a------ C:\WINDOWS\system32\msvci70.dll
2006-09-17 18:01 442,368 --a------ C:\WINDOWS\system32\vp6vfw.dll
2006-09-17 18:01 265,785 --a------ C:\WINDOWS\system32\pixomatic.dll
2006-09-17 18:01 22,016 --a------ C:\WINDOWS\system32\borlndmm.dll
2006-09-17 18:01 188,416 --a------ C:\WINDOWS\system32\eax.dll
2006-09-17 18:01 1,500,160 --a------ C:\WINDOWS\system32\cc3260mt.dll
2006-09-17 18:01 1,230,336 --------- C:\WINDOWS\system32\msxml4.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-04 20:21 -------- d-------- C:\Program Files\Trillian
2006-10-04 20:17 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-04 20:06 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-04 17:21 -------- d-------- C:\Program Files\Norton Internet Security
2006-10-04 17:20 -------- d-------- C:\Program Files\Symantec
2006-10-04 17:02 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-10-04 17:01 -------- d-------- C:\Program Files\Common Files
2006-10-04 15:39 -------- d-------- C:\Program Files\Windows Media Player
2006-10-04 15:33 -------- d-------- C:\Program Files\Symantec Technical Support
2006-10-04 15:07 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-10-04 14:53 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-04 14:53 -------- d-------- C:\Program Files\U.S. Robotics 802.11g WLAN
2006-10-01 00:35 -------- d-------- C:\Program Files\Internet Explorer
2006-09-27 23:37 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-27 22:29 -------- d-------- C:\Program Files\CleanUp!
2006-09-27 21:55 -------- d-------- C:\Program Files\HaxFix
2006-09-27 15:50 -------- d-------- C:\Documents and Settings\User1\Application Data\DMCache
2006-09-26 19:25 -------- d-------- C:\Program Files\RegistryFix
2006-09-25 20:18 -------- d-------- C:\Program Files\Unlocker
2006-09-25 18:25 -------- d-------- C:\Program Files\Grisoft
2006-09-25 18:14 -------- d-------- C:\Documents and Settings\User1\Application Data\Symantec
2006-09-24 23:00 -------- d-------- C:\Documents and Settings\User1\Application Data\Mozilla
2006-09-24 13:04 8329 --a------ C:\Documents and Settings\User1\Application Data\.googlewebacchosts
2006-09-24 09:07 -------- d-------- C:\Program Files\Alwil Software
2006-09-23 21:53 -------- d-------- C:\Program Files\Pinnacle
2006-09-23 13:09 -------- d-------- C:\Program Files\Outlook Express
2006-09-23 13:09 -------- d-------- C:\Program Files\NetMeeting
2006-09-23 13:09 -------- d-------- C:\Program Files\Movie Maker
2006-09-23 13:09 -------- d-------- C:\Program Files\Common Files\System
2006-09-23 13:08 -------- d-------- C:\Program Files\Windows NT
2006-09-21 17:07 -------- d-------- C:\Program Files\SmartSound Software
2006-09-18 16:28 -------- d-------- C:\Program Files\Internet Download Manager
2006-09-18 16:28 -------- d-------- C:\Documents and Settings\User1\Application Data\IDM
2006-09-17 21:11 14848 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-09-17 18:11 -------- d-------- C:\Program Files\GTA-SanAndreas
2006-09-16 23:24 -------- d-------- C:\Documents and Settings\User1\Application Data\Sun
2006-09-16 10:07 -------- d-------- C:\Documents and Settings\User1\Application Data\Google
2006-09-15 22:04 109744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-09-14 14:44 -------- d-------- C:\Program Files\Winamp
2006-09-10 19:43 -------- d-------- C:\Documents and Settings\User1\Application Data\AdobeUM
2006-09-10 18:24 -------- d---s---- C:\Documents and Settings\User1\Application Data\Microsoft
2006-09-10 10:34 -------- d-------- C:\Program Files\Java
2006-09-07 22:32 -------- d-------- C:\Program Files\Save Flash
2006-08-29 01:28 140984 --a------ C:\WINDOWS\system32\idmmbc.dll
2006-08-24 20:40 -------- d-------- C:\Program Files\GeoVid
2006-08-22 18:32 22768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys
2006-08-22 18:32 -------- d-------- C:\Program Files\Motorola Phone Tools
2006-08-22 18:25 -------- d-------- C:\Program Files\mobile PhoneTools
2006-08-22 18:05 -------- d-------- C:\Program Files\LiveUpdate
2006-08-22 00:22 72748 --a------ C:\WINDOWS\unins001.exe
2006-08-22 00:22 72748 --a------ C:\WINDOWS\unins000.exe
2006-08-22 00:22 -------- d-------- C:\Program Files\Temp
2006-08-22 00:22 -------- d-------- C:\Program Files\Anark
2006-08-21 23:49 -------- d-------- C:\Program Files\OceanDive
2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 02:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 02:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-21 00:44 -------- d-------- C:\Program Files\SereneScreen
2006-08-19 11:23 -------- d-------- C:\Documents and Settings\User1\Application Data\RipIt4Me
2006-08-19 09:43 -------- d-------- C:\Program Files\PgcEdit
2006-08-18 15:30 -------- d-------- C:\Documents and Settings\User1\Application Data\Adobe
2006-08-07 16:02 534208 --a------ C:\WINDOWS\system32\SymNeti.dll
2006-08-07 16:02 31936 --a------ C:\WINDOWS\system32\drivers\symids.sys
2006-08-07 16:02 28352 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2006-08-07 16:02 24768 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2006-08-07 16:02 195776 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2006-08-07 16:02 161472 --a------ C:\WINDOWS\system32\SymRedir.dll
2006-08-07 16:02 110784 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2006-08-07 16:01 12992 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2006-08-03 20:59 48 ---hs---- C:\Documents and Settings\User1\Application Data\.zreglib

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="C:\\Program Files\\Creative\\MediaSource\\RemoteControl\\RCMan.EXE"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2ZS\\Surround Mixer\\CTSysVol.exe /r"
"CTDVDDET"="C:\\Program Files\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDET.EXE"
"SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdReg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\UpdReg.EXE"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbjt32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wnmicf

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\wnmicf.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\wnmifc.sys

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - User1.job

Completion time: 06-10-04 20:46:10.49
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

******************************************************
HJT Log
******************************************************

Logfile of HijackThis v1.99.1
Scan saved at 20:46, on 06-10-04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\U.S. Robotics 802.11g WLAN\USRWLANG.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Registration .LNK = C:\Program Files\Ubisoft\Demo\Blazing Angels Squadrons of WWII Demo\RegistrationReminder.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: U.S. Robotics 802.11g Wireless Network Utility.lnk = ?
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/tech...rl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tech...rl/tgctlsr.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1159425430187
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microso.../TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: d3dishsv.dll wmneprfl.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbjt32 - C:\WINDOWS\
O20 - Winlogon Notify: wnmicf - wnmicf.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Ried · 10-05-2006, 11:46 AM

Almost there.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

Once again, it is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download KillBox. (it's important that you get version v2.0.0.175). We'll use it shortly.

***************************************************

From Normal Mode:

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries:

O20 - AppInit_DLLs: d3dishsv.dll wmneprfl.dll
O20 - Winlogon Notify: winbjt32 - C:\WINDOWS\
O20 - Winlogon Notify: wnmicf - wnmicf.dll (file missing)

Click 'Fix Checked' and close HijackThis.

-----------------------------------------------------

Go to <<Start>> then <<Run>> then paste in the single line command then click OK

"%userprofile%\desktop\combofix.exe" /v d3dishsv wmneprfl

When finished, it shall produce a log for you. Post that log in your next reply along with a new HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

-----------------------------------------------------

Launch KillBox.exe & select the following options:

Delete on Reboot
All files (if available)

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\dumwnmifc.sys
C:\dumwnmicf.sys
C:\dumwnmicf.dll

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
Click the RED X button.

Click Yes at the 'Delete on Reboot' prompt. Click Yes at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.
* If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to manually restart Windows.

***************************************************

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply along with a new HijackThis log.

randomrandom · 10-06-2006, 05:11 PM

I got this error after i did the "fix checked" in HJT what should i do?

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: d3dishsv.dll wmneprfl.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2800.1106
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

Ried · 10-06-2006, 06:24 PM

Keep going. If you've stopped and closed HijackThis, begin again, ignore that message, and continue with the remaining instructions.

randomrandom · 10-07-2006, 11:53 AM

I got this error message every time i tried to use killbox on a file:
"PendingFileRenameOperations registry data has been removed by external process"

I restarted windows manually and did killbox again, and i still got this same error. Hopefully that just means that the files im trying to delete are gone.

Here are the logs you wanted:

******************************************************
Combofix
******************************************************
User1 - 06-10-07 10:46:43.87 Service Pack 1
ComboFix 06.09.27 - Running from: "C:\Documents and Settings\User1\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-07 to 2006-10-07 ))))))))))))))))))))))))))))))))))

2006-10-07 10:22 68,608 --a------ C:\WINDOWS\system32\locator.exe
2006-10-07 10:22 67,584 --a------ C:\WINDOWS\system32\magnify.exe
2006-10-07 10:22 544,256 --a------ C:\WINDOWS\system32\crypt32.dll
2006-10-07 10:22 53,760 --a------ C:\WINDOWS\system32\cryptsvc.dll
2006-10-07 10:22 51,200 --a------ C:\WINDOWS\system32\narrator.exe
2006-10-07 10:22 238,080 --a------ C:\WINDOWS\system32\newdev.dll
2006-10-07 10:22 212,480 --a------ C:\WINDOWS\system32\osk.exe
2006-10-07 10:22 179,200 --a------ C:\WINDOWS\system32\accwiz.exe
2006-10-07 10:22 125,440 --a------ C:\WINDOWS\system32\shmedia.dll
2006-10-07 10:21 831,519 --a------ C:\WINDOWS\system32\mswdat10.dll
2006-10-07 10:21 614,431 --a------ C:\WINDOWS\system32\mswstr10.dll
2006-10-07 10:21 552,989 --a------ C:\WINDOWS\system32\msrepl40.dll
2006-10-07 10:21 53,279 --a------ C:\WINDOWS\system32\msjter40.dll
2006-10-07 10:21 512,029 --a------ C:\WINDOWS\system32\msexch40.dll
2006-10-07 10:21 50,176 --a------ C:\WINDOWS\system32\dpwsockx.dll
2006-10-07 10:21 421,919 --a------ C:\WINDOWS\system32\msrd2x40.dll
2006-10-07 10:21 380,957 --a------ C:\WINDOWS\system32\expsrv.dll
2006-10-07 10:21 358,976 --a------ C:\WINDOWS\system32\msjetoledb40.dll
2006-10-07 10:21 348,189 --a------ C:\WINDOWS\system32\msxbde40.dll
2006-10-07 10:21 348,189 --a------ C:\WINDOWS\system32\mspbde40.dll
2006-10-07 10:21 32,256 --a------ C:\WINDOWS\system32\msgsvc.dll
2006-10-07 10:21 319,517 --a------ C:\WINDOWS\system32\msexcl40.dll
2006-10-07 10:21 315,423 --a------ C:\WINDOWS\system32\msrd3x40.dll
2006-10-07 10:21 30,749 --a------ C:\WINDOWS\system32\vbajet32.dll
2006-10-07 10:21 258,077 --a------ C:\WINDOWS\system32\mstext40.dll
2006-10-07 10:21 241,693 --a------ C:\WINDOWS\system32\msjtes40.dll
2006-10-07 10:21 214,528 --a------ C:\WINDOWS\system32\dplayx.dll
2006-10-07 10:21 213,023 --a------ C:\WINDOWS\system32\msltus40.dll
2006-10-07 10:21 151,583 --a------ C:\WINDOWS\system32\msjint40.dll
2006-10-07 10:21 1,507,356 --a------ C:\WINDOWS\system32\msjet40.dll
2006-10-07 10:16 260,096 --a------ C:\WINDOWS\system32\mstask.dll
2006-10-07 10:16 172,544 --a------ C:\WINDOWS\system32\schedsvc.dll
2006-10-07 10:16 10,752 --a------ C:\WINDOWS\system32\mstinit.exe
2006-10-07 10:06 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2006-10-07 10:06 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2006-10-07 10:06 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2006-10-07 10:06 46,352 --a------ C:\WINDOWS\setdebug.exe
2006-10-07 10:06 404,752 --a------ C:\WINDOWS\system32\javart.dll
2006-10-07 10:06 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2006-10-07 10:06 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2006-10-07 10:06 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2006-10-07 10:06 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2006-10-07 10:06 172,304 --a------ C:\WINDOWS\system32\jview.exe
2006-10-07 10:06 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2006-10-07 10:06 171,280 --a------ C:\WINDOWS\system32\jit.dll
2006-10-07 10:06 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2006-10-07 10:06 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2006-10-07 10:06 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2006-10-07 10:06 113 --a------ C:\WINDOWS\system32\zonedon.reg
2006-10-07 10:06 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2006-10-05 15:34 593,408 --a------ C:\WINDOWS\system32\h323msp.dll
2006-10-05 15:34 548,352 --a------ C:\WINDOWS\system32\rtcdll.dll
2006-10-05 15:34 439,808 --a------ C:\WINDOWS\system32\ipnathlp.dll
2006-10-05 15:34 36,864 --a------ C:\WINDOWS\system32\mf3216.dll
2006-10-05 15:34 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2006-10-04 20:01 991,232 --a------ C:\WINDOWS\system32\esent.dll
2006-10-04 17:01 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-10-04 15:00 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2006-10-04 15:00 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-09-27 22:19 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-09-27 22:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-09-27 22:19 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-09-25 14:47 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2006-09-25 14:47 7,483 --a------ C:\clean.bat
2006-09-25 14:47 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-09-25 14:47 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2006-09-25 14:47 38,400 --a------ C:\WINDOWS\system32\moveex.exe
2006-09-23 15:24 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-09-23 15:24 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-09-23 13:09 91,136 --a------ C:\WINDOWS\system32\MSOERT2.DLL
2006-09-23 13:09 77,824 --a------ C:\WINDOWS\system32\isign32.dll
2006-09-23 13:09 73,728 --a------ C:\WINDOWS\system32\ils.dll
2006-09-23 13:09 69,632 --a------ C:\WINDOWS\system32\icwdial.dll
2006-09-23 13:09 65,536 --a------ C:\WINDOWS\system32\msconf.dll
2006-09-23 13:09 63,488 --a------ C:\WINDOWS\system32\srclient.dll
2006-09-23 13:09 61,440 --a------ C:\WINDOWS\system32\icwphbk.dll
2006-09-23 13:09 596,480 --a------ C:\WINDOWS\system32\INETCOMM.DLL
2006-09-23 13:09 47,616 --a------ C:\WINDOWS\system32\INETRES.DLL
2006-09-23 13:09 40,960 --a------ C:\WINDOWS\system32\safrslv.dll
2006-09-23 13:09 39,424 --a------ C:\WINDOWS\system32\safrcdlg.dll
2006-09-23 13:09 361,984 --a------ C:\WINDOWS\system32\qmgr.dll
2006-09-23 13:09 33,280 --a------ C:\WINDOWS\system32\racpldlg.dll
2006-09-23 13:09 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2006-09-23 13:09 32,256 --a------ C:\WINDOWS\system32\mnmdd.dll
2006-09-23 13:09 28,672 --a------ C:\WINDOWS\system32\isrdbg32.dll
2006-09-23 13:09 266,240 --a------ C:\WINDOWS\system32\inetcfg.dll
2006-09-23 13:09 26,624 --a------ C:\WINDOWS\system32\safrdm.dll
2006-09-23 13:09 24,576 --a------ C:\WINDOWS\system32\nmmkcert.dll
2006-09-23 13:09 229,376 --a------ C:\WINDOWS\system32\MSOEACCT.DLL
2006-09-23 13:09 226,816 --a------ C:\WINDOWS\system32\srrstr.dll
2006-09-23 13:09 158,720 --a------ C:\WINDOWS\system32\srsvc.dll
2006-09-23 13:08 974,336 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-09-23 13:08 89,600 --a------ C:\WINDOWS\system32\comrepl.dll
2006-09-23 13:08 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2006-09-23 13:08 61,952 --a------ C:\WINDOWS\system32\rdshost.exe
2006-09-23 13:08 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2006-09-23 13:08 54,784 --a------ C:\WINDOWS\system32\msdtclog.dll
2006-09-23 13:08 499,200 --a------ C:\WINDOWS\system32\comuid.dll
2006-09-23 13:08 220,672 --a------ C:\WINDOWS\system32\catsrv.dll
2006-09-23 13:08 18,432 --a------ C:\WINDOWS\system32\qprocess.exe
2006-09-23 13:08 150,528 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-09-23 13:08 124,416 --a------ C:\WINDOWS\system32\sndrec32.exe
2006-09-23 13:08 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-09-23 13:08 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
2006-09-23 13:07 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe
2006-09-23 13:07 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll
2006-09-23 13:07 9,216 --a------ C:\WINDOWS\system32\icaapi.dll
2006-09-23 13:07 88,064 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2006-09-23 13:07 75,912 --a------ C:\WINDOWS\system32\rdpwsx.dll
2006-09-23 13:07 598,016 --a------ C:\WINDOWS\system32\mstscax.dll
2006-09-23 13:07 581,632 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-09-23 13:07 57,856 --a------ C:\WINDOWS\system32\licwmi.dll
2006-09-23 13:07 56,320 --a------ C:\WINDOWS\system32\remotepg.dll
2006-09-23 13:07 534,016 --a------ C:\WINDOWS\system32\spider.exe
2006-09-23 13:07 53,248 --a------ C:\WINDOWS\system32\servdeps.dll
2006-09-23 13:07 44,032 --a------ C:\WINDOWS\system32\rdpclip.exe
2006-09-23 13:07 40,960 --a------ C:\WINDOWS\system32\tscupgrd.exe
2006-09-23 13:07 388,608 --a------ C:\WINDOWS\system32\mstsc.exe
2006-09-23 13:07 368,640 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-09-23 13:07 339,968 --a------ C:\WINDOWS\system32\mspaint.exe
2006-09-23 13:07 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll
2006-09-23 13:07 200,192 --a------ C:\WINDOWS\system32\termsrv.dll
2006-09-23 13:07 174,592 --a------ C:\WINDOWS\system32\cmprops.dll
2006-09-23 13:07 16,384 --a------ C:\WINDOWS\system32\mmfutil.dll
2006-09-23 13:07 14,848 --a------ C:\WINDOWS\system32\rdpsnd.dll
2006-09-23 13:07 135,680 --a------ C:\WINDOWS\system32\rdchost.dll
2006-09-23 13:07 129,024 --a------ C:\WINDOWS\system32\sessmgr.exe
2006-09-23 13:07 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2006-09-23 13:07 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe
2006-09-23 13:07 116,736 --a------ C:\WINDOWS\system32\mplay32.exe
2006-09-23 13:07 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
2006-09-23 12:12 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-09-23 12:11 71,168 --a------ C:\WINDOWS\system32\storprop.dll
2006-09-21 17:08 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2006-09-21 17:08 81,920 --------- C:\WINDOWS\system32\vdrmux.dll
2006-09-21 17:08 76,800 --------- C:\WINDOWS\system32\Lfwmf13n.dll
2006-09-21 17:08 73,728 --------- C:\WINDOWS\system32\MMAviAx.dll
2006-09-21 17:08 73,728 --------- C:\WINDOWS\system32\lffax13n.dll
2006-09-21 17:08 65,536 --------- C:\WINDOWS\system32\Lfpct13n.dll
2006-09-21 17:08 46,592 --------- C:\WINDOWS\system32\vdrcodec.dll
2006-09-21 17:08 453,120 --------- C:\WINDOWS\system32\ltkrn13n.dll
2006-09-21 17:08 44,544 --------- C:\WINDOWS\system32\msxml4a.dll
2006-09-21 17:08 40,960 --------- C:\WINDOWS\system32\langserv.dll
2006-09-21 17:08 393,216 --------- C:\WINDOWS\system32\LFCMP13n.DLL
2006-09-21 17:08 32,768 --------- C:\WINDOWS\system32\MLPagAx.dll
2006-09-21 17:08 30,208 --------- C:\WINDOWS\system32\lfbmp13n.dll
2006-09-21 17:08 294,912 --------- C:\WINDOWS\system32\pvmjpg21.dll
2006-09-21 17:08 278,016 --------- C:\WINDOWS\system32\LFJ2K13n.dll
2006-09-21 17:08 24,576 --------- C:\WINDOWS\system32\lftga13n.dll
2006-09-21 17:08 204,881 --------- C:\WINDOWS\system32\DiskIO.dll
2006-09-21 17:08 18,432 --------- C:\WINDOWS\system32\Cachex.dll
2006-09-21 17:08 155,721 --------- C:\WINDOWS\system32\RALMain.dll
2006-09-21 17:08 153,088 --------- C:\WINDOWS\system32\ltfil13n.DLL
2006-09-21 17:08 143,360 --------- C:\WINDOWS\system32\lftif13n.dll
2006-09-21 17:08 114,759 --------- C:\WINDOWS\system32\Aviprax.dll
2006-09-21 17:08 1,693,696 --------- C:\WINDOWS\system32\LTCLR13n.dll
2006-09-21 17:05 964,608 --a------ C:\WINDOWS\system32\MFC70U.DLL
2006-09-21 17:05 65,536 --a------ C:\WINDOWS\system32\MFC71DEU.DLL
2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\pclepim1.dll
2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\MFC71ITA.DLL
2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\MFC71FRA.DLL
2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\MFC71ESP.DLL
2006-09-21 17:05 57,344 --a------ C:\WINDOWS\system32\MFC71ENU.DLL
2006-09-21 17:05 49,152 --a------ C:\WINDOWS\system32\PCLEGetGuid.dll
2006-09-21 17:05 49,152 --a------ C:\WINDOWS\system32\MFC71KOR.DLL
2006-09-21 17:05 49,152 --a------ C:\WINDOWS\system32\MFC71JPN.DLL
2006-09-21 17:05 45,056 --a------ C:\WINDOWS\system32\MFC71CHT.DLL
2006-09-21 17:05 40,960 --a------ C:\WINDOWS\system32\MFC71CHS.DLL
2006-09-17 18:01 82,432 --------- C:\WINDOWS\system32\msxml4r.dll
2006-09-17 18:01 54,784 --a------ C:\WINDOWS\system32\msvci70.dll
2006-09-17 18:01 442,368 --a------ C:\WINDOWS\system32\vp6vfw.dll
2006-09-17 18:01 265,785 --a------ C:\WINDOWS\system32\pixomatic.dll
2006-09-17 18:01 22,016 --a------ C:\WINDOWS\system32\borlndmm.dll
2006-09-17 18:01 188,416 --a------ C:\WINDOWS\system32\eax.dll
2006-09-17 18:01 1,500,160 --a------ C:\WINDOWS\system32\cc3260mt.dll
2006-09-17 18:01 1,230,336 --------- C:\WINDOWS\system32\msxml4.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-07 10:22 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-07 09:47 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-10-07 00:15 -------- d-------- C:\Program Files\Trillian
2006-10-06 23:22 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-05 19:32 -------- d-------- C:\Documents and Settings\User1\Application Data\DMCache
2006-10-05 15:34 -------- d-------- C:\Program Files\Windows Media Player
2006-10-05 15:34 -------- d-------- C:\Program Files\NetMeeting
2006-10-05 15:32 -------- d-------- C:\Program Files\Outlook Express
2006-10-05 15:32 -------- d-------- C:\Program Files\Common Files\System
2006-10-04 17:21 -------- d-------- C:\Program Files\Norton Internet Security
2006-10-04 17:20 -------- d-------- C:\Program Files\Symantec
2006-10-04 17:02 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-10-04 17:01 -------- d-------- C:\Program Files\Common Files
2006-10-04 15:33 -------- d-------- C:\Program Files\Symantec Technical Support
2006-10-04 14:53 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-04 14:53 -------- d-------- C:\Program Files\U.S. Robotics 802.11g WLAN
2006-10-01 00:35 -------- d-------- C:\Program Files\Internet Explorer
2006-09-27 23:37 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-27 22:29 -------- d-------- C:\Program Files\CleanUp!
2006-09-27 21:55 -------- d-------- C:\Program Files\HaxFix
2006-09-26 19:25 -------- d-------- C:\Program Files\RegistryFix
2006-09-25 20:18 -------- d-------- C:\Program Files\Unlocker
2006-09-25 18:25 -------- d-------- C:\Program Files\Grisoft
2006-09-25 18:14 -------- d-------- C:\Documents and Settings\User1\Application Data\Symantec
2006-09-24 23:00 -------- d-------- C:\Documents and Settings\User1\Application Data\Mozilla
2006-09-24 13:04 8329 --a------ C:\Documents and Settings\User1\Application Data\.googlewebacchosts
2006-09-24 09:07 -------- d-------- C:\Program Files\Alwil Software
2006-09-23 21:53 -------- d-------- C:\Program Files\Pinnacle
2006-09-23 13:09 -------- d-------- C:\Program Files\Movie Maker
2006-09-23 13:08 -------- d-------- C:\Program Files\Windows NT
2006-09-21 17:07 -------- d-------- C:\Program Files\SmartSound Software
2006-09-18 16:28 -------- d-------- C:\Program Files\Internet Download Manager
2006-09-18 16:28 -------- d-------- C:\Documents and Settings\User1\Application Data\IDM
2006-09-17 21:11 14848 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-09-17 18:11 -------- d-------- C:\Program Files\GTA-SanAndreas
2006-09-16 23:24 -------- d-------- C:\Documents and Settings\User1\Application Data\Sun
2006-09-16 10:07 -------- d-------- C:\Documents and Settings\User1\Application Data\Google
2006-09-15 22:04 109744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-09-14 14:44 -------- d-------- C:\Program Files\Winamp
2006-09-10 19:43 -------- d-------- C:\Documents and Settings\User1\Application Data\AdobeUM
2006-09-10 18:24 -------- d---s---- C:\Documents and Settings\User1\Application Data\Microsoft
2006-09-10 10:34 -------- d-------- C:\Program Files\Java
2006-09-07 22:32 -------- d-------- C:\Program Files\Save Flash
2006-08-29 01:28 140984 --a------ C:\WINDOWS\system32\idmmbc.dll
2006-08-24 20:40 -------- d-------- C:\Program Files\GeoVid
2006-08-22 18:32 22768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys
2006-08-22 18:32 -------- d-------- C:\Program Files\Motorola Phone Tools
2006-08-22 18:25 -------- d-------- C:\Program Files\mobile PhoneTools
2006-08-22 18:05 -------- d-------- C:\Program Files\LiveUpdate
2006-08-22 00:22 72748 --a------ C:\WINDOWS\unins001.exe
2006-08-22 00:22 72748 --a------ C:\WINDOWS\unins000.exe
2006-08-22 00:22 -------- d-------- C:\Program Files\Temp
2006-08-22 00:22 -------- d-------- C:\Program Files\Anark
2006-08-21 23:49 -------- d-------- C:\Program Files\OceanDive
2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 02:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 02:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-21 00:44 -------- d-------- C:\Program Files\SereneScreen
2006-08-19 11:23 -------- d-------- C:\Documents and Settings\User1\Application Data\RipIt4Me
2006-08-19 09:43 -------- d-------- C:\Program Files\PgcEdit
2006-08-18 15:30 -------- d-------- C:\Documents and Settings\User1\Application Data\Adobe
2006-08-07 16:02 534208 --a------ C:\WINDOWS\system32\SymNeti.dll
2006-08-07 16:02 31936 --a------ C:\WINDOWS\system32\drivers\symids.sys
2006-08-07 16:02 28352 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2006-08-07 16:02 24768 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2006-08-07 16:02 195776 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2006-08-07 16:02 161472 --a------ C:\WINDOWS\system32\SymRedir.dll
2006-08-07 16:02 110784 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2006-08-07 16:01 12992 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2006-08-03 20:59 48 ---hs---- C:\Documents and Settings\User1\Application Data\.zreglib
2006-07-21 01:30 72704 --a------ C:\WINDOWS\system32\hlink.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="C:\\Program Files\\Creative\\MediaSource\\RemoteControl\\RCMan.EXE"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2ZS\\Surround Mixer\\CTSysVol.exe /r"
"CTDVDDET"="C:\\Program Files\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDET.EXE"
"SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdReg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\UpdReg.EXE"
"inimapping"="0"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\wnmicf.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\wnmifc.sys

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - User1.job

Completion time: Sat 10/07/06 10:47:35.01
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

********************************************************
HJT
********************************************************
Logfile of HijackThis v1.99.1
Scan saved at 10:48:12 AM, on 10/7/06
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\U.S. Robotics 802.11g WLAN\USRWLANG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Registration .LNK = C:\Program Files\Ubisoft\Demo\Blazing Angels Squadrons of WWII Demo\RegistrationReminder.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: U.S. Robotics 802.11g Wireless Network Utility.lnk = ?
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/tech...rl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tech...rl/tgctlsr.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1159425430187
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microso.../TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Ried · 10-07-2006, 06:29 PM

Hi,

We're are just about through here.

I'd like to see another Haxfix log.

Run Haxfix.exe:

Select the option to - Make logfile - Type 1 & press`Enter'.
Haxfix will produce a log for you to post back here.

randomrandom · 10-07-2006, 08:16 PM

HAXFIX logfile - by Marckie
______________
version 4.20.1
Sat 10/07/06 19:14:11.62

checking for haxdoor
--------------------
checking for a3d files....
a3d files found
p2s2.a3d

checking for matching notify keys....
no matching notify keys found

checking for matching services....
matching services found
Aspi32
wnmifc

checking for matching safeboot services....
matching safeboot services found
wnmicf.sys
wnmifc.sys

checking for other haxdoorfiles....

Checking for goldun
-------------------

checking for SSODL keys....
no ssodl keys found

checking for notify keys....
no notify keys found

checking for services....
no services found

checking for other goldunfiles....

Finished

Ried · 10-07-2006, 08:26 PM

Ok, that's what I thought.

Open this folder program files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
Close all other open windows since this step requires a reboot
Select option 2. Run auto fix by typing 2 and then pressing "Enter"

If an infection is found, you'll get a message to close all other open windows.

Close all open windows except the red dos window from haxfix and then press "Enter"
The computer will reboot
After reboot a logfile will open > (c:\haxfix.txt)
Post the contents of that logfile.

Run combofix.exe again and post the ComboFix.txt here as well.

Ried · 10-07-2006, 08:27 PM

Before you proceed with my previous instructions, do this first:

Using Internet Explorer, download ResetTeaTimer.bat.

If you are using Firefox, right click the above link and choose ‘Save As’. Save it to your desktop.

Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

randomrandom · 10-08-2006, 11:35 AM

HAXFIX logfile - by Marckie
--------------
version 4.20.1
Sun 10/08/06 10:28:22.46

--- Auto Haxdoorfix ---

searching for files:

searching for services....
service wnmifc found
[SWSC] DeleteService SUCCESS

--- Goldunfix ---

searching for files:

searching for SSODLkeys:
no SSODLkeys found

searching for notifykeys:
no notifykeys found

searching for services:
no services found

.....rebooting the computer.....

searching for ssodlkeys

not needed

searching for notifykeys

not needed

searching for services

service wnmifc not found

searching for safeboot services

safeboot service wnmicf.sys not found
safeboot service wnmifc.sys not found

searching for files

wnmifc.sys exists
deleting wnmifc.sys
wnmifc.sys has been deleted

wnmicf.sys exists
deleting wnmicf.sys
wnmicf.sys has been deleted

checking for other files

xg.ffc exists
deleting xg.ffc
xg.ffc has been deleted

checking for a3d files

p2s2.a3d
deleting a3d files
a3d files are deleted

Finished

randomrandom · 10-08-2006, 12:06 PM

This is super important. You know how i had to restart my computer for the HAXFIX to delete the viruses? well after i did THAT restart, i restarted again and a windows box came up telling me that due to significant hardware changes, i must reactivate my hardware within the next three days! So i click on the register windows button, and it tells me to go to:
Start-All Programs-Accessories-System Tools-Activate Windows

except..... I DONT HAVE THIS ICON!

So i go to the microsoft website, and being its typically completely unhelpful self , suggests that my copy of windows is counterfit. This is completely untrue because i bought this copy and have the origional disk. I have been using this same copy of windows since i got my computer (about 2-3 years ago) and havent had any kind of problem like this.

Did haxfix couse this???????????

Seriously i cant believe this is happening.........this is the LAST thing that i needed.............

randomrandom · 10-08-2006, 12:38 PM

ah, sorry for the 3 in a row post (it wouldnt let me edit the post before this one), but this whole situation scared me bad... like this-->

ok so i reactivated windows by phone, and it is supposedly successfully activated now. I restarted my comp to make sure that it was ACTUALLY successful, and i didnt get that error message this time.

but im STILL wondering what caused this..... any suggestions?

Ried · 10-08-2006, 03:58 PM

Hiya,

I am relieved you were able to rectify that situation.

i've seen that happen before, albeit not often and no, Haxfix did not cause this problem, the haxdoor infection did. We need to go a bit deeper.

Download gmer from http://www.gmer.net & unzip it to desktop

Launch gmer.exe by double-clicking it. Select the rootkit tab & make sure the 'Show All' button is unticked.

Press scan & when it has finished press copy & paste the log back here.

---------------------------------

Run combofix.exe again and post that log here as well.

randomrandom · 10-08-2006, 10:04 PM

OK Here are the logs you requested....

*****************************************************
Gmer Log
*****************************************************
GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-08 21:01:18
Windows 5.1.2600 Service Pack 1

---- System - GMER 1.0.11 ----

SSDT 86459768 ZwAlertResumeThread
SSDT 863CC928 ZwAlertThread
SSDT 86415300 ZwAllocateVirtualMemory
SSDT Vax347b.sys ZwClose
SSDT 8643C7A0 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwCreateKey
SSDT 8641DBD8 ZwCreateMutant
SSDT Vax347b.sys ZwCreatePagingFile
SSDT 86415AF0 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteKey
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteValueKey
SSDT Vax347b.sys ZwEnumerateKey
SSDT Vax347b.sys ZwEnumerateValueKey
SSDT 86416A68 ZwFreeVirtualMemory
SSDT 8641CFD0 ZwImpersonateAnonymousToken
SSDT 86473958 ZwImpersonateThread
SSDT 863FB640 ZwMapViewOfSection
SSDT 8641DC10 ZwOpenEvent
SSDT Vax347b.sys ZwOpenKey
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT 85F96128 ZwOpenProcessToken
SSDT 85F95F28 ZwOpenThreadToken
SSDT Vax347b.sys ZwQueryKey
SSDT 8657DA68 ZwQueryValueKey
SSDT 85C61308 ZwResumeThread
SSDT 85F95F60 ZwSetContextThread
SSDT 86416D88 ZwSetInformationProcess
SSDT 855125F8 ZwSetInformationThread
SSDT Vax347b.sys ZwSetSystemPowerState
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwSetValueKey
SSDT 8641DD68 ZwSuspendProcess
SSDT 85F96240 ZwSuspendThread
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess
SSDT 864165E8 ZwTerminateThread
SSDT 86416C00 ZwUnmapViewOfSection
SSDT 86414DB0 ZwWriteVirtualMemory

---- Devices - GMER 1.0.11 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 8672BA80
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 865A42C0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 8631DF00
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 8631DF00
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 86521BF0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CREATE 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CREATE_NAMED_PIPE 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CLOSE 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_READ 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_WRITE 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_EA 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_EA 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_FLUSH_BUFFERS 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_VOLUME_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_VOLUME_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_DIRECTORY_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_FILE_SYSTEM_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_DEVICE_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_INTERNAL_DEVICE_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SHUTDOWN 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_LOCK_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CLEANUP 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CREATE_MAILSLOT 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_SECURITY 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_SECURITY 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_POWER 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SYSTEM_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_DEVICE_CHANGE 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_QUOTA 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_QUOTA 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_PNP 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA 86368440
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_NAMED_PIPE 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLOSE 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_READ 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_WRITE 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_EA 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_EA 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FLUSH_BUFFERS 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_VOLUME_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_VOLUME_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DIRECTORY_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FILE_SYSTEM_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SHUTDOWN 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_LOCK_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLEANUP 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_MAILSLOT 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_SECURITY 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_SECURITY 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_POWER 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SYSTEM_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CHANGE 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_QUOTA 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_QUOTA 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_PNP 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_NAMED_PIPE 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_READ 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_WRITE 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_EA 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_EA 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FLUSH_BUFFERS 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_SECURITY 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_SECURITY 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CHANGE 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_QUOTA 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_QUOTA 86368440
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_CREATE 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_CREATE_NAMED_PIPE 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_CLOSE 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_READ 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_WRITE 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_QUERY_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_SET_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_QUERY_EA 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_SET_EA 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_FLUSH_BUFFERS 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_QUERY_VOLUME_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_SET_VOLUME_INFORMATION 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_DIRECTORY_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_FILE_SYSTEM_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_DEVICE_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_INTERNAL_DEVICE_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_SHUTDOWN 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_LOCK_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_CLEANUP 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_CREATE_MAILSLOT 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_QUERY_SECURITY 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_SET_SECURITY 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_POWER 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_SYSTEM_CONTROL 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_DEVICE_CHANGE 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_QUERY_QUOTA 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_SET_QUOTA 86368440
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_PNP 86368440
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 8631DF00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 8631DF00
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_READ 862879B8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 865219A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 865219A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 8643DB98
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 86448F48
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 865A42C0
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_READ 863CD758
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_READ 863CD758
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_READ 863CD758
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_READ 863CD758
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_READ 863CD758
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 86519A90

---- Modules - GMER 1.0.11 ----

Module _________ F77BA000

---- Registry - GMER 1.0.11 ----

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0xAA 0x52 0xC6 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x37 0xA4 0xAA 0xC3 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xF8 0x31 0x0F 0xA9 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- Files - GMER 1.0.11 ----

ADS ...

---- EOF - GMER 1.0.11 ----

******************************************************

******************************************************
Combofix Log
******************************************************
User1 - 06-10-08 21:02:57.95 Service Pack 1
ComboFix 06.09.27 - Running from: "C:\Documents and Settings\User1\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-08 to 2006-10-08 ))))))))))))))))))))))))))))))))))

2006-10-07 11:05 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-10-07 10:22 68,608 --a------ C:\WINDOWS\system32\locator.exe
2006-10-07 10:22 67,584 --a------ C:\WINDOWS\system32\magnify.exe
2006-10-07 10:22 544,256 --a------ C:\WINDOWS\system32\crypt32.dll
2006-10-07 10:22 53,760 --a------ C:\WINDOWS\system32\cryptsvc.dll
2006-10-07 10:22 51,200 --a------ C:\WINDOWS\system32\narrator.exe
2006-10-07 10:22 238,080 --a------ C:\WINDOWS\system32\newdev.dll
2006-10-07 10:22 212,480 --a------ C:\WINDOWS\system32\osk.exe
2006-10-07 10:22 179,200 --a------ C:\WINDOWS\system32\accwiz.exe
2006-10-07 10:22 125,440 --a------ C:\WINDOWS\system32\shmedia.dll
2006-10-07 10:21 831,519 --a------ C:\WINDOWS\system32\mswdat10.dll
2006-10-07 10:21 614,431 --a------ C:\WINDOWS\system32\mswstr10.dll
2006-10-07 10:21 552,989 --a------ C:\WINDOWS\system32\msrepl40.dll
2006-10-07 10:21 53,279 --a------ C:\WINDOWS\system32\msjter40.dll
2006-10-07 10:21 512,029 --a------ C:\WINDOWS\system32\msexch40.dll
2006-10-07 10:21 50,176 --a------ C:\WINDOWS\system32\dpwsockx.dll
2006-10-07 10:21 421,919 --a------ C:\WINDOWS\system32\msrd2x40.dll
2006-10-07 10:21 380,957 --a------ C:\WINDOWS\system32\expsrv.dll
2006-10-07 10:21 358,976 --a------ C:\WINDOWS\system32\msjetoledb40.dll
2006-10-07 10:21 348,189 --a------ C:\WINDOWS\system32\msxbde40.dll
2006-10-07 10:21 348,189 --a------ C:\WINDOWS\system32\mspbde40.dll
2006-10-07 10:21 32,256 --a------ C:\WINDOWS\system32\msgsvc.dll
2006-10-07 10:21 319,517 --a------ C:\WINDOWS\system32\msexcl40.dll
2006-10-07 10:21 315,423 --a------ C:\WINDOWS\system32\msrd3x40.dll
2006-10-07 10:21 30,749 --a------ C:\WINDOWS\system32\vbajet32.dll
2006-10-07 10:21 258,077 --a------ C:\WINDOWS\system32\mstext40.dll
2006-10-07 10:21 241,693 --a------ C:\WINDOWS\system32\msjtes40.dll
2006-10-07 10:21 214,528 --a------ C:\WINDOWS\system32\dplayx.dll
2006-10-07 10:21 213,023 --a------ C:\WINDOWS\system32\msltus40.dll
2006-10-07 10:21 151,583 --a------ C:\WINDOWS\system32\msjint40.dll
2006-10-07 10:21 1,507,356 --a------ C:\WINDOWS\system32\msjet40.dll
2006-10-07 10:16 260,096 --a------ C:\WINDOWS\system32\mstask.dll
2006-10-07 10:16 172,544 --a------ C:\WINDOWS\system32\schedsvc.dll
2006-10-07 10:16 10,752 --a------ C:\WINDOWS\system32\mstinit.exe
2006-10-07 10:06 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2006-10-07 10:06 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2006-10-07 10:06 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2006-10-07 10:06 46,352 --a------ C:\WINDOWS\setdebug.exe
2006-10-07 10:06 404,752 --a------ C:\WINDOWS\system32\javart.dll
2006-10-07 10:06 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2006-10-07 10:06 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2006-10-07 10:06 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2006-10-07 10:06 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2006-10-07 10:06 172,304 --a------ C:\WINDOWS\system32\jview.exe
2006-10-07 10:06 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2006-10-07 10:06 171,280 --a------ C:\WINDOWS\system32\jit.dll
2006-10-07 10:06 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2006-10-07 10:06 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2006-10-07 10:06 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2006-10-07 10:06 113 --a------ C:\WINDOWS\system32\zonedon.reg
2006-10-07 10:06 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2006-10-05 15:34 593,408 --a------ C:\WINDOWS\system32\h323msp.dll
2006-10-05 15:34 548,352 --a------ C:\WINDOWS\system32\rtcdll.dll
2006-10-05 15:34 439,808 --a------ C:\WINDOWS\system32\ipnathlp.dll
2006-10-05 15:34 36,864 --a------ C:\WINDOWS\system32\mf3216.dll
2006-10-05 15:34 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2006-10-04 20:01 991,232 --a------ C:\WINDOWS\system32\esent.dll
2006-10-04 17:01 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-10-04 15:00 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2006-10-04 15:00 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-09-27 22:19 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-09-27 22:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-09-27 22:19 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-09-25 14:47 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2006-09-25 14:47 7,483 --a------ C:\clean.bat
2006-09-25 14:47 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-09-25 14:47 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2006-09-25 14:47 38,400 --a------ C:\WINDOWS\system32\moveex.exe
2006-09-23 15:24 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-09-23 15:24 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-09-23 13:09 91,136 --a------ C:\WINDOWS\system32\MSOERT2.DLL
2006-09-23 13:09 77,824 --a------ C:\WINDOWS\system32\isign32.dll
2006-09-23 13:09 73,728 --a------ C:\WINDOWS\system32\ils.dll
2006-09-23 13:09 69,632 --a------ C:\WINDOWS\system32\icwdial.dll
2006-09-23 13:09 65,536 --a------ C:\WINDOWS\system32\msconf.dll
2006-09-23 13:09 63,488 --a------ C:\WINDOWS\system32\srclient.dll
2006-09-23 13:09 61,440 --a------ C:\WINDOWS\system32\icwphbk.dll
2006-09-23 13:09 596,480 --a------ C:\WINDOWS\system32\INETCOMM.DLL
2006-09-23 13:09 47,616 --a------ C:\WINDOWS\system32\INETRES.DLL
2006-09-23 13:09 40,960 --a------ C:\WINDOWS\system32\safrslv.dll
2006-09-23 13:09 39,424 --a------ C:\WINDOWS\system32\safrcdlg.dll
2006-09-23 13:09 361,984 --a------ C:\WINDOWS\system32\qmgr.dll
2006-09-23 13:09 33,280 --a------ C:\WINDOWS\system32\racpldlg.dll
2006-09-23 13:09 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2006-09-23 13:09 32,256 --a------ C:\WINDOWS\system32\mnmdd.dll
2006-09-23 13:09 28,672 --a------ C:\WINDOWS\system32\isrdbg32.dll
2006-09-23 13:09 266,240 --a------ C:\WINDOWS\system32\inetcfg.dll
2006-09-23 13:09 26,624 --a------ C:\WINDOWS\system32\safrdm.dll
2006-09-23 13:09 24,576 --a------ C:\WINDOWS\system32\nmmkcert.dll
2006-09-23 13:09 229,376 --a------ C:\WINDOWS\system32\MSOEACCT.DLL
2006-09-23 13:09 226,816 --a------ C:\WINDOWS\system32\srrstr.dll
2006-09-23 13:09 158,720 --a------ C:\WINDOWS\system32\srsvc.dll
2006-09-23 13:08 974,336 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-09-23 13:08 89,600 --a------ C:\WINDOWS\system32\comrepl.dll
2006-09-23 13:08 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2006-09-23 13:08 61,952 --a------ C:\WINDOWS\system32\rdshost.exe
2006-09-23 13:08 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2006-09-23 13:08 54,784 --a------ C:\WINDOWS\system32\msdtclog.dll
2006-09-23 13:08 499,200 --a------ C:\WINDOWS\system32\comuid.dll
2006-09-23 13:08 220,672 --a------ C:\WINDOWS\system32\catsrv.dll
2006-09-23 13:08 18,432 --a------ C:\WINDOWS\system32\qprocess.exe
2006-09-23 13:08 150,528 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-09-23 13:08 124,416 --a------ C:\WINDOWS\system32\sndrec32.exe
2006-09-23 13:08 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-09-23 13:08 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
2006-09-23 13:07 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe
2006-09-23 13:07 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll
2006-09-23 13:07 9,216 --a------ C:\WINDOWS\system32\icaapi.dll
2006-09-23 13:07 88,064 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2006-09-23 13:07 75,912 --a------ C:\WINDOWS\system32\rdpwsx.dll
2006-09-23 13:07 598,016 --a------ C:\WINDOWS\system32\mstscax.dll
2006-09-23 13:07 581,632 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-09-23 13:07 57,856 --a------ C:\WINDOWS\system32\licwmi.dll
2006-09-23 13:07 56,320 --a------ C:\WINDOWS\system32\remotepg.dll
2006-09-23 13:07 534,016 --a------ C:\WINDOWS\system32\spider.exe
2006-09-23 13:07 53,248 --a------ C:\WINDOWS\system32\servdeps.dll
2006-09-23 13:07 44,032 --a------ C:\WINDOWS\system32\rdpclip.exe
2006-09-23 13:07 40,960 --a------ C:\WINDOWS\system32\tscupgrd.exe
2006-09-23 13:07 388,608 --a------ C:\WINDOWS\system32\mstsc.exe
2006-09-23 13:07 368,640 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-09-23 13:07 339,968 --a------ C:\WINDOWS\system32\mspaint.exe
2006-09-23 13:07 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll
2006-09-23 13:07 200,192 --a------ C:\WINDOWS\system32\termsrv.dll
2006-09-23 13:07 174,592 --a------ C:\WINDOWS\system32\cmprops.dll
2006-09-23 13:07 16,384 --a------ C:\WINDOWS\system32\mmfutil.dll
2006-09-23 13:07 14,848 --a------ C:\WINDOWS\system32\rdpsnd.dll
2006-09-23 13:07 135,680 --a------ C:\WINDOWS\system32\rdchost.dll
2006-09-23 13:07 129,024 --a------ C:\WINDOWS\system32\sessmgr.exe
2006-09-23 13:07 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2006-09-23 13:07 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe
2006-09-23 13:07 116,736 --a------ C:\WINDOWS\system32\mplay32.exe
2006-09-23 13:07 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
2006-09-23 12:12 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-09-23 12:11 71,168 --a------ C:\WINDOWS\system32\storprop.dll
2006-09-21 17:08 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2006-09-21 17:08 81,920 --------- C:\WINDOWS\system32\vdrmux.dll
2006-09-21 17:08 76,800 --------- C:\WINDOWS\system32\Lfwmf13n.dll
2006-09-21 17:08 73,728 --------- C:\WINDOWS\system32\MMAviAx.dll
2006-09-21 17:08 73,728 --------- C:\WINDOWS\system32\lffax13n.dll
2006-09-21 17:08 65,536 --------- C:\WINDOWS\system32\Lfpct13n.dll
2006-09-21 17:08 46,592 --------- C:\WINDOWS\system32\vdrcodec.dll
2006-09-21 17:08 453,120 --------- C:\WINDOWS\system32\ltkrn13n.dll
2006-09-21 17:08 44,544 --------- C:\WINDOWS\system32\msxml4a.dll
2006-09-21 17:08 40,960 --------- C:\WINDOWS\system32\langserv.dll
2006-09-21 17:08 393,216 --------- C:\WINDOWS\system32\LFCMP13n.DLL
2006-09-21 17:08 32,768 --------- C:\WINDOWS\system32\MLPagAx.dll
2006-09-21 17:08 30,208 --------- C:\WINDOWS\system32\lfbmp13n.dll
2006-09-21 17:08 294,912 --------- C:\WINDOWS\system32\pvmjpg21.dll
2006-09-21 17:08 278,016 --------- C:\WINDOWS\system32\LFJ2K13n.dll
2006-09-21 17:08 24,576 --------- C:\WINDOWS\system32\lftga13n.dll
2006-09-21 17:08 204,881 --------- C:\WINDOWS\system32\DiskIO.dll
2006-09-21 17:08 18,432 --------- C:\WINDOWS\system32\Cachex.dll
2006-09-21 17:08 155,721 --------- C:\WINDOWS\system32\RALMain.dll
2006-09-21 17:08 153,088 --------- C:\WINDOWS\system32\ltfil13n.DLL
2006-09-21 17:08 143,360 --------- C:\WINDOWS\system32\lftif13n.dll
2006-09-21 17:08 114,759 --------- C:\WINDOWS\system32\Aviprax.dll
2006-09-21 17:08 1,693,696 --------- C:\WINDOWS\system32\LTCLR13n.dll
2006-09-21 17:05 964,608 --a------ C:\WINDOWS\system32\MFC70U.DLL
2006-09-21 17:05 65,536 --a------ C:\WINDOWS\system32\MFC71DEU.DLL
2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\pclepim1.dll
2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\MFC71ITA.DLL
2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\MFC71FRA.DLL
2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\MFC71ESP.DLL
2006-09-21 17:05 57,344 --a------ C:\WINDOWS\system32\MFC71ENU.DLL
2006-09-21 17:05 49,152 --a------ C:\WINDOWS\system32\PCLEGetGuid.dll
2006-09-21 17:05 49,152 --a------ C:\WINDOWS\system32\MFC71KOR.DLL
2006-09-21 17:05 49,152 --a------ C:\WINDOWS\system32\MFC71JPN.DLL
2006-09-21 17:05 45,056 --a------ C:\WINDOWS\system32\MFC71CHT.DLL
2006-09-21 17:05 40,960 --a------ C:\WINDOWS\system32\MFC71CHS.DLL
2006-09-17 18:01 82,432 --------- C:\WINDOWS\system32\msxml4r.dll
2006-09-17 18:01 54,784 --a------ C:\WINDOWS\system32\msvci70.dll
2006-09-17 18:01 442,368 --a------ C:\WINDOWS\system32\vp6vfw.dll
2006-09-17 18:01 265,785 --a------ C:\WINDOWS\system32\pixomatic.dll
2006-09-17 18:01 22,016 --a------ C:\WINDOWS\system32\borlndmm.dll
2006-09-17 18:01 188,416 --a------ C:\WINDOWS\system32\eax.dll
2006-09-17 18:01 1,500,160 --a------ C:\WINDOWS\system32\cc3260mt.dll
2006-09-17 18:01 1,230,336 --------- C:\WINDOWS\system32\msxml4.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-08 21:00 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-08 20:09 -------- d-------- C:\Program Files\Trillian
2006-10-08 10:28 -------- d-------- C:\Program Files\HaxFix
2006-10-08 09:56 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-08 09:55 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-08 09:51 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-10-05 19:32 -------- d-------- C:\Documents and Settings\User1\Application Data\DMCache
2006-10-05 15:34 -------- d-------- C:\Program Files\Windows Media Player
2006-10-05 15:34 -------- d-------- C:\Program Files\NetMeeting
2006-10-05 15:32 -------- d-------- C:\Program Files\Outlook Express
2006-10-05 15:32 -------- d-------- C:\Program Files\Common Files\System
2006-10-04 17:21 -------- d-------- C:\Program Files\Norton Internet Security
2006-10-04 17:20 -------- d-------- C:\Program Files\Symantec
2006-10-04 17:02 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-10-04 17:01 -------- d-------- C:\Program Files\Common Files
2006-10-04 15:33 -------- d-------- C:\Program Files\Symantec Technical Support
2006-10-04 14:53 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-04 14:53 -------- d-------- C:\Program Files\U.S. Robotics 802.11g WLAN
2006-10-01 00:35 -------- d-------- C:\Program Files\Internet Explorer
2006-09-27 23:37 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-27 22:29 -------- d-------- C:\Program Files\CleanUp!
2006-09-26 19:25 -------- d-------- C:\Program Files\RegistryFix
2006-09-25 20:18 -------- d-------- C:\Program Files\Unlocker
2006-09-25 18:25 -------- d-------- C:\Program Files\Grisoft
2006-09-25 18:14 -------- d-------- C:\Documents and Settings\User1\Application Data\Symantec
2006-09-24 23:00 -------- d-------- C:\Documents and Settings\User1\Application Data\Mozilla
2006-09-24 13:04 8329 --a------ C:\Documents and Settings\User1\Application Data\.googlewebacchosts
2006-09-24 09:07 -------- d-------- C:\Program Files\Alwil Software
2006-09-23 21:53 -------- d-------- C:\Program Files\Pinnacle
2006-09-23 13:09 -------- d-------- C:\Program Files\Movie Maker
2006-09-23 13:08 -------- d-------- C:\Program Files\Windows NT
2006-09-21 17:07 -------- d-------- C:\Program Files\SmartSound Software
2006-09-18 16:28 -------- d-------- C:\Program Files\Internet Download Manager
2006-09-18 16:28 -------- d-------- C:\Documents and Settings\User1\Application Data\IDM
2006-09-17 21:11 14848 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-09-17 18:11 -------- d-------- C:\Program Files\GTA-SanAndreas
2006-09-16 23:24 -------- d-------- C:\Documents and Settings\User1\Application Data\Sun
2006-09-16 10:07 -------- d-------- C:\Documents and Settings\User1\Application Data\Google
2006-09-15 22:04 109744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-09-14 14:44 -------- d-------- C:\Program Files\Winamp
2006-09-10 19:43 -------- d-------- C:\Documents and Settings\User1\Application Data\AdobeUM
2006-09-10 18:24 -------- d---s---- C:\Documents and Settings\User1\Application Data\Microsoft
2006-09-10 10:34 -------- d-------- C:\Program Files\Java
2006-09-07 22:32 -------- d-------- C:\Program Files\Save Flash
2006-08-29 01:28 140984 --a------ C:\WINDOWS\system32\idmmbc.dll
2006-08-24 20:40 -------- d-------- C:\Program Files\GeoVid
2006-08-22 18:32 22768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys
2006-08-22 18:32 -------- d-------- C:\Program Files\Motorola Phone Tools
2006-08-22 18:25 -------- d-------- C:\Program Files\mobile PhoneTools
2006-08-22 18:05 -------- d-------- C:\Program Files\LiveUpdate
2006-08-22 00:22 72748 --a------ C:\WINDOWS\unins001.exe
2006-08-22 00:22 72748 --a------ C:\WINDOWS\unins000.exe
2006-08-22 00:22 -------- d-------- C:\Program Files\Temp
2006-08-22 00:22 -------- d-------- C:\Program Files\Anark
2006-08-21 23:49 -------- d-------- C:\Program Files\OceanDive
2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 02:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 02:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-21 00:44 -------- d-------- C:\Program Files\SereneScreen
2006-08-19 11:23 -------- d-------- C:\Documents and Settings\User1\Application Data\RipIt4Me
2006-08-19 09:43 -------- d-------- C:\Program Files\PgcEdit
2006-08-18 15:30 -------- d-------- C:\Documents and Settings\User1\Application Data\Adobe
2006-08-07 16:02 534208 --a------ C:\WINDOWS\system32\SymNeti.dll
2006-08-07 16:02 161472 --a------ C:\WINDOWS\system32\SymRedir.dll
2006-08-03 20:59 48 ---hs---- C:\Documents and Settings\User1\Application Data\.zreglib
2006-07-21 01:30 72704 --a------ C:\WINDOWS\system32\hlink.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="C:\\Program Files\\Creative\\MediaSource\\RemoteControl\\RCMan.EXE"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2ZS\\Surround Mixer\\CTSysVol.exe /r"
"CTDVDDET"="C:\\Program Files\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDET.EXE"
"SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdReg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\UpdReg.EXE"
"inimapping"="0"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - User1.job

Completion time: Sun 10/08/06 21:03:12.15
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

Ried · 10-09-2006, 07:36 AM

Hi,

Haxdoor appears to be gone. How is the system behaving now?

I'd like you to run a different online scan this time to look for any remnants that may be lurking:

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply along with a new HijackThis log.

randomrandom · 10-09-2006, 08:18 AM

sorry disregard this post

Ried · 10-09-2006, 08:26 AM

Such a tease, randomrandom.

randomrandom · 10-09-2006, 06:10 PM

Quote:

Originally Posted by Ried

Such a tease, randomrandom.

I think you should include a "delete post" option

, i was going to post a log, but then i realized that it was with an out of date kasparsky version. So i rescanned, and here are the logs.

It decided to scan files in norton's quarantine files which is interesting i think

. I was shocked at the viruses it found until i saw the filepaths

*****************************************************
Kaspersky Scan Log
*****************************************************

October 09, 2006 5:00:43 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/10/2006
Kaspersky Anti-Virus database records: 216881
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 115128
Number of viruses found 14
Number of infected objects 75 / 0
Number of suspicious objects 0
Duration of the scan process 01:35:46

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-10-09_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A3733B2.exe Infected: Trojan.Win32.Opnis.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0AE51EAB.exe Infected: Trojan.Win32.Opnis.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\171F3CE8.exe Infected: Trojan.Win32.Opnis.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\19BC7014.exe Infected: Trojan.Win32.Opnis.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1AEC5B93.exe Infected: Backdoor.Win32.Delf.ats skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\24BE363C.EXE Infected: Trojan-Downloader.Win32.Agent.aox skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2F287D39.exe/data0002 Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2F287D39.exe NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2F287D39.exe CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\32814309.exe Infected: Trojan.Win32.Opnis.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\38A350BF.exe Infected: Trojan.Win32.Opnis.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\38A77ABB.exe Infected: Trojan.Win32.Opnis.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\38AA24B8.exe Infected: Trojan.Win32.Opnis.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3C1F16EA.sys Infected: Backdoor.Win32.Haxdoor.ii skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\43366AE9.exe Infected: Trojan-Proxy.Win32.Small.bo skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\43E4785D.DLL Infected: Backdoor.Win32.Haxdoor.lc skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4D725F5B.exe Infected: Trojan.Win32.Opnis.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\50790760.exe Infected: Trojan.Win32.Opnis.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\51575EE8.exe Infected: Trojan.Win32.Opnis.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\51DA1BF7.exe/stream/data0001 Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\51DA1BF7.exe/stream Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\51DA1BF7.exe NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\51DA1BF7.exe CryptFF: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\56893EC8.dll Infected: Trojan-PSW.Win32.Sinowal.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\56933CBD.exe Infected: Trojan-Proxy.Win32.Small.bo skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\569666B9.dll Infected: Trojan-PSW.Win32.Sinowal.ay skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\569666B9.htm Infected: Trojan-Proxy.Win32.Small.bo skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\569A10B6.exe Infected: Trojan-Proxy.Win32.Wopla.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\569D3AB2.exe Infected: Backdoor.Win32.Delf.ats skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\57601A44.exe Infected: Trojan.Win32.Opnis.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A3B5810.exe Infected: Trojan.Win32.Opnis.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B0F3D25.sys Infected: Backdoor.Win32.Haxdoor.ii skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C0544BF.dll Infected: not-virus:Hoax.Win32.Renos.ds skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C5F608C.tmp/stream/data0001 Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C5F608C.tmp/stream Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C5F608C.tmp NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C5F608C.tmp CryptFF: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61A61EDE.tmp/stream/data0001 Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61A61EDE.tmp/stream Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61A61EDE.tmp NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61A61EDE.tmp CryptFF: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6632260B.exe/data0002 Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6632260B.exe NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6632260B.exe CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\690D62E6.tmp/data0002 Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\690D62E6.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\690D62E6.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A87143C.exe Infected: Trojan-Proxy.Win32.Small.bo skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7062684D.tmp/data0002 Infected: Trojan.Win32.VB.ami skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7062684D.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7062684D.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7EBC2A1A.exe Infected: Trojan.Win32.Opnis.l skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User1\Application Data\Symantec\PendingAlertsQueue.log Object is locked skipped
C:\Documents and Settings\User1\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User1\Desktop\Projects\ImTOO.DVD.to.PSP.Converter.v4.0.52.0630.Incl.Keygen-Lz0\installer.exe/stream/data0001 Infected: Trojan-Clicker.Win32.VB.fh skipped
C:\Documents and Settings\User1\Desktop\Projects\ImTOO.DVD.to.PSP.Converter.v4.0.52.0630.Incl.Keygen-Lz0\installer.exe/stream Infected: Trojan-Clicker.Win32.VB.fh skipped
C:\Documents and Settings\User1\Desktop\Projects\ImTOO.DVD.to.PSP.Converter.v4.0.52.0630.Incl.Keygen-Lz0\installer.exe NSIS: infected - 2 skipped
C:\Documents and Settings\User1\Desktop\Projects\ImTOO.DVD.to.PSP.Converter.v4.0.52.0630.Incl.Keygen-Lz0.rar/installer.exe/stream/data0001 Infected: Trojan-Clicker.Win32.VB.fh skipped
C:\Documents and Settings\User1\Desktop\Projects\ImTOO.DVD.to.PSP.Converter.v4.0.52.0630.Incl.Keygen-Lz0.rar/installer.exe/stream Infected: Trojan-Clicker.Win32.VB.fh skipped
C:\Documents and Settings\User1\Desktop\Projects\ImTOO.DVD.to.PSP.Converter.v4.0.52.0630.Incl.Keygen-Lz0.rar/installer.exe Infected: Trojan-Clicker.Win32.VB.fh skipped
C:\Documents and Settings\User1\Desktop\Projects\ImTOO.DVD.to.PSP.Converter.v4.0.52.0630.Incl.Keygen-Lz0.rar RAR: infected - 3 skipped
C:\Documents and Settings\User1\Desktop\Projects\Save[1].Flash.v3.0.0067.WinALL.Cracked.ViRiLiTY.zip.rar/installer.exe/data0002 Infected: Trojan-Clicker.MSIL.Xone.a skipped
C:\Documents and Settings\User1\Desktop\Projects\Save[1].Flash.v3.0.0067.WinALL.Cracked.ViRiLiTY.zip.rar/installer.exe Infected: Trojan-Clicker.MSIL.Xone.a skipped
C:\Documents and Settings\User1\Desktop\Projects\Save[1].Flash.v3.0.0067.WinALL.Cracked.ViRiLiTY.zip.rar ZIP: infected - 2 skipped
C:\Documents and Settings\User1\Desktop\Projects\Sony.ACID.Pro.v6.0a.Incl.Keygen-SSG.rar/installer.exe/stream/data0001 Infected: Trojan-Clicker.Win32.VB.fh skipped
C:\Documents and Settings\User1\Desktop\Projects\Sony.ACID.Pro.v6.0a.Incl.Keygen-SSG.rar/installer.exe/stream Infected: Trojan-Clicker.Win32.VB.fh skipped
C:\Documents and Settings\User1\Desktop\Projects\Sony.ACID.Pro.v6.0a.Incl.Keygen-SSG.rar/installer.exe Infected: Trojan-Clicker.Win32.VB.fh skipped
C:\Documents and Settings\User1\Desktop\Projects\Sony.ACID.Pro.v6.0a.Incl.Keygen-SSG.rar RAR: infected - 3 skipped
C:\Documents and Settings\User1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User1\Local Settings\Application Data\Mozilla\Firefox\Profiles\b8ou4xz7.default\Cache\D9E7D4FDd01 Infected: Trojan.Win32.Agent.vg skipped
C:\Documents and Settings\User1\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User1\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\User1\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2006-10-09.07-11-52.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0460NAV~.TMP Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0507NAV~.TMP Object is locked skipped
C:\Program Files\Save Flash\installer.exe/data0002 Infected: Trojan-Clicker.MSIL.Xone.a skipped
C:\Program Files\Save Flash\installer.exe NSIS: infected - 1 skipped
C:\Program Files\Save Flash\patch_.exe/data0002 Infected: Trojan-Clicker.MSIL.Xone.a skipped
C:\Program Files\Save Flash\patch_.exe NSIS: infected - 1 skipped
C:\Program Files\Save Flash\Save[1].Flash.v3.0.0067.WinALL.Cracked.ViRiLiTY.zip\installer.exe/data0002 Infected: Trojan-Clicker.MSIL.Xone.a skipped
C:\Program Files\Save Flash\Save[1].Flash.v3.0.0067.WinALL.Cracked.ViRiLiTY.zip\installer.exe NSIS: infected - 1 skipped
C:\Program Files\Save Flash\Save[1].Flash.v3.0.0067.WinALL.Cracked.ViRiLiTY.zip\patch_.exe/data0002 Infected: Trojan-Clicker.MSIL.Xone.a skipped
C:\Program Files\Save Flash\Save[1].Flash.v3.0.0067.WinALL.Cracked.ViRiLiTY.zip\patch_.exe NSIS: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{40933F81-2282-414E-AFF1-432B1564D997}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000000-00000000-0000000C-00001102-00000004-20021102}.CDF Object is locked skipped
Scan process completed.

******************************************************
HJT Log
******************************************************
Logfile of HijackThis v1.99.1
Scan saved at 5:02:30 PM, on 10/9/06
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\U.S. Robotics 802.11g WLAN\USRWLANG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Registration .LNK = C:\Program Files\Ubisoft\Demo\Blazing Angels Squadrons of WWII Demo\RegistrationReminder.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: U.S. Robotics 802.11g Wireless Network Utility.lnk = ?
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/tech...rl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tech...rl/tgctlsr.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1159425430187
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microso.../TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

10-02-2006, 10:24 AM	#21 (permalink)
randomrandom Registered User Join Date: Sep 2006 Posts: 31 OS: XP home edition	spybot is a problem child Spybot would pop up each time i ran this scan asking "do you want to allow this registry change" and after i accepted the changes, combofix would close. I did that the first time today, but then i reran combofix with spybot disabled and it gave me this log.... ****************************************************** Combofix ****************************************************** User1 - 06-10-02 9:21:35.76 Service Pack 1 ComboFix 06.09.27 - Running from: "C:\Documents and Settings\User1\Desktop" ((((((((((((((((((((((((((((((( Files Created from 2006-09-01 to 2006-10-01 )))))))))))))))))))))))))))))))))) 2006-09-27 22:19 53,248 --a------ C:\WINDOWS\system32\Process.exe 2006-09-27 22:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2006-09-27 22:19 135,168 --a------ C:\WINDOWS\system32\swreg.exe 2006-09-27 21:54 13 --a------ C:\dumwnmifc.sys 2006-09-27 21:54 13 --a------ C:\dumwnmicf.sys 2006-09-27 21:54 13 --a------ C:\dumwnmicf.dll 2006-09-25 14:47 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe 2006-09-25 14:47 7,483 --a------ C:\clean.bat 2006-09-25 14:47 40,960 --a------ C:\WINDOWS\system32\swsc.exe 2006-09-25 14:47 4,096 --a------ C:\WINDOWS\system32\reboot.exe 2006-09-25 14:47 38,400 --a------ C:\WINDOWS\system32\moveex.exe 2006-09-23 15:24 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll 2006-09-23 15:24 13,312 --a------ C:\WINDOWS\system32\irclass.dll 2006-09-23 13:41 38,912 --a------ C:\WINDOWS\system32\wpd_ci.dll 2006-09-23 13:41 10,752 --a------ C:\WINDOWS\system32\wpdtrace.dll 2006-09-23 13:09 9,728 --a------ C:\WINDOWS\system32\mstinit.exe 2006-09-23 13:09 81,408 --a------ C:\WINDOWS\system32\msoert2.dll 2006-09-23 13:09 77,824 --a------ C:\WINDOWS\system32\isign32.dll 2006-09-23 13:09 73,728 --a------ C:\WINDOWS\system32\ils.dll 2006-09-23 13:09 69,632 --a------ C:\WINDOWS\system32\icwdial.dll 2006-09-23 13:09 65,536 --a------ C:\WINDOWS\system32\msconf.dll 2006-09-23 13:09 63,488 --a------ C:\WINDOWS\system32\srclient.dll 2006-09-23 13:09 61,440 --a------ C:\WINDOWS\system32\icwphbk.dll 2006-09-23 13:09 587,776 --a------ C:\WINDOWS\system32\inetcomm.dll 2006-09-23 13:09 47,616 --a------ C:\WINDOWS\system32\inetres.dll 2006-09-23 13:09 40,960 --a------ C:\WINDOWS\system32\safrslv.dll 2006-09-23 13:09 39,424 --a------ C:\WINDOWS\system32\safrcdlg.dll 2006-09-23 13:09 33,280 --a------ C:\WINDOWS\system32\racpldlg.dll 2006-09-23 13:09 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe 2006-09-23 13:09 32,256 --a------ C:\WINDOWS\system32\mnmdd.dll 2006-09-23 13:09 28,672 --a------ C:\WINDOWS\system32\isrdbg32.dll 2006-09-23 13:09 266,240 --a------ C:\WINDOWS\system32\inetcfg.dll 2006-09-23 13:09 26,624 --a------ C:\WINDOWS\system32\safrdm.dll 2006-09-23 13:09 250,368 --a------ C:\WINDOWS\system32\mstask.dll 2006-09-23 13:09 24,576 --a------ C:\WINDOWS\system32\nmmkcert.dll 2006-09-23 13:09 228,864 --a------ C:\WINDOWS\system32\msoeacct.dll 2006-09-23 13:09 226,304 --a------ C:\WINDOWS\system32\srrstr.dll 2006-09-23 13:09 221,696 --a------ C:\WINDOWS\system32\qmgr.dll 2006-09-23 13:09 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll 2006-09-23 13:09 159,232 --a------ C:\WINDOWS\system32\schedsvc.dll 2006-09-23 13:09 158,720 --a------ C:\WINDOWS\system32\srsvc.dll 2006-09-23 13:08 9,728 --a------ C:\WINDOWS\system32\xolehlp.dll 2006-09-23 13:08 869,376 --a------ C:\WINDOWS\system32\msdtctm.dll 2006-09-23 13:08 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll 2006-09-23 13:08 83,968 --a------ C:\WINDOWS\system32\mtxoci.dll 2006-09-23 13:08 82,432 --a------ C:\WINDOWS\system32\comrepl.dll 2006-09-23 13:08 61,952 --a------ C:\WINDOWS\system32\rdshost.exe 2006-09-23 13:08 6,144 --a------ C:\WINDOWS\system32\msdtc.exe 2006-09-23 13:08 56,832 --a------ C:\WINDOWS\system32\colbact.dll 2006-09-23 13:08 54,784 --a------ C:\WINDOWS\system32\msdtclog.dll 2006-09-23 13:08 495,616 --a------ C:\WINDOWS\system32\comuid.dll 2006-09-23 13:08 489,984 --a------ C:\WINDOWS\system32\hypertrm.dll 2006-09-23 13:08 468,480 --a------ C:\WINDOWS\system32\clbcatq.dll 2006-09-23 13:08 215,040 --a------ C:\WINDOWS\system32\catsrv.dll 2006-09-23 13:08 18,432 --a------ C:\WINDOWS\system32\qprocess.exe 2006-09-23 13:08 179,200 --a------ C:\WINDOWS\system32\accwiz.exe 2006-09-23 13:08 151,040 --a------ C:\WINDOWS\system32\msdtcuiu.dll 2006-09-23 13:08 124,416 --a------ C:\WINDOWS\system32\sndrec32.exe 2006-09-23 13:08 100,864 --a------ C:\WINDOWS\system32\clbcatex.dll 2006-09-23 13:07 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe 2006-09-23 13:07 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll 2006-09-23 13:07 9,216 --a------ C:\WINDOWS\system32\icaapi.dll 2006-09-23 13:07 88,064 --a------ C:\WINDOWS\system32\tscfgwmi.dll 2006-09-23 13:07 75,912 --a------ C:\WINDOWS\system32\rdpwsx.dll 2006-09-23 13:07 598,016 --a------ C:\WINDOWS\system32\mstscax.dll 2006-09-23 13:07 582,656 --a------ C:\WINDOWS\system32\catsrvut.dll 2006-09-23 13:07 57,856 --a------ C:\WINDOWS\system32\licwmi.dll 2006-09-23 13:07 56,320 --a------ C:\WINDOWS\system32\remotepg.dll 2006-09-23 13:07 534,016 --a------ C:\WINDOWS\system32\spider.exe 2006-09-23 13:07 53,248 --a------ C:\WINDOWS\system32\servdeps.dll 2006-09-23 13:07 44,032 --a------ C:\WINDOWS\system32\rdpclip.exe 2006-09-23 13:07 40,960 --a------ C:\WINDOWS\system32\tscupgrd.exe 2006-09-23 13:07 388,608 --a------ C:\WINDOWS\system32\mstsc.exe 2006-09-23 13:07 359,936 --a------ C:\WINDOWS\system32\msdtcprx.dll 2006-09-23 13:07 339,968 --a------ C:\WINDOWS\system32\mspaint.exe 2006-09-23 13:07 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll 2006-09-23 13:07 200,192 --a------ C:\WINDOWS\system32\termsrv.dll 2006-09-23 13:07 174,592 --a------ C:\WINDOWS\system32\cmprops.dll 2006-09-23 13:07 16,384 --a------ C:\WINDOWS\system32\mmfutil.dll 2006-09-23 13:07 14,848 --a------ C:\WINDOWS\system32\rdpsnd.dll 2006-09-23 13:07 135,680 --a------ C:\WINDOWS\system32\rdchost.dll 2006-09-23 13:07 129,024 --a------ C:\WINDOWS\system32\sessmgr.exe 2006-09-23 13:07 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe 2006-09-23 13:07 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe 2006-09-23 13:07 116,736 --a------ C:\WINDOWS\system32\mplay32.exe 2006-09-23 13:07 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll 2006-09-23 13:07 1,172,992 --a------ C:\WINDOWS\system32\comsvcs.dll 2006-09-23 12:12 4,096 --a------ C:\WINDOWS\system32\ksuser.dll 2006-09-23 12:11 71,168 --a------ C:\WINDOWS\system32\storprop.dll 2006-09-21 17:28 182,784 --ah----- C:\WINDOWS\system32\dxmamcia.dll 2006-09-21 17:08 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL 2006-09-21 17:08 81,920 --------- C:\WINDOWS\system32\vdrmux.dll 2006-09-21 17:08 76,800 --------- C:\WINDOWS\system32\Lfwmf13n.dll 2006-09-21 17:08 73,728 --------- C:\WINDOWS\system32\MMAviAx.dll 2006-09-21 17:08 73,728 --------- C:\WINDOWS\system32\lffax13n.dll 2006-09-21 17:08 65,536 --------- C:\WINDOWS\system32\Lfpct13n.dll 2006-09-21 17:08 46,592 --------- C:\WINDOWS\system32\vdrcodec.dll 2006-09-21 17:08 453,120 --------- C:\WINDOWS\system32\ltkrn13n.dll 2006-09-21 17:08 44,544 --------- C:\WINDOWS\system32\msxml4a.dll 2006-09-21 17:08 40,960 --------- C:\WINDOWS\system32\langserv.dll 2006-09-21 17:08 393,216 --------- C:\WINDOWS\system32\LFCMP13n.DLL 2006-09-21 17:08 32,768 --------- C:\WINDOWS\system32\MLPagAx.dll 2006-09-21 17:08 30,208 --------- C:\WINDOWS\system32\lfbmp13n.dll 2006-09-21 17:08 294,912 --------- C:\WINDOWS\system32\pvmjpg21.dll 2006-09-21 17:08 278,016 --------- C:\WINDOWS\system32\LFJ2K13n.dll 2006-09-21 17:08 24,576 --------- C:\WINDOWS\system32\lftga13n.dll 2006-09-21 17:08 204,881 --------- C:\WINDOWS\system32\DiskIO.dll 2006-09-21 17:08 18,432 --------- C:\WINDOWS\system32\Cachex.dll 2006-09-21 17:08 155,721 --------- C:\WINDOWS\system32\RALMain.dll 2006-09-21 17:08 153,088 --------- C:\WINDOWS\system32\ltfil13n.DLL 2006-09-21 17:08 143,360 --------- C:\WINDOWS\system32\lftif13n.dll 2006-09-21 17:08 114,759 --------- C:\WINDOWS\system32\Aviprax.dll 2006-09-21 17:08 1,693,696 --------- C:\WINDOWS\system32\LTCLR13n.dll 2006-09-21 17:05 964,608 --a------ C:\WINDOWS\system32\MFC70U.DLL 2006-09-21 17:05 65,536 --a------ C:\WINDOWS\system32\MFC71DEU.DLL 2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\pclepim1.dll 2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\MFC71ITA.DLL 2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\MFC71FRA.DLL 2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\MFC71ESP.DLL 2006-09-21 17:05 57,344 --a------ C:\WINDOWS\system32\MFC71ENU.DLL 2006-09-21 17:05 49,152 --a------ C:\WINDOWS\system32\PCLEGetGuid.dll 2006-09-21 17:05 49,152 --a------ C:\WINDOWS\system32\MFC71KOR.DLL 2006-09-21 17:05 49,152 --a------ C:\WINDOWS\system32\MFC71JPN.DLL 2006-09-21 17:05 45,056 --a------ C:\WINDOWS\system32\MFC71CHT.DLL 2006-09-21 17:05 40,960 --a------ C:\WINDOWS\system32\MFC71CHS.DLL 2006-09-17 18:01 82,432 --------- C:\WINDOWS\system32\msxml4r.dll 2006-09-17 18:01 54,784 --a------ C:\WINDOWS\system32\msvci70.dll 2006-09-17 18:01 442,368 --a------ C:\WINDOWS\system32\vp6vfw.dll 2006-09-17 18:01 265,785 --a------ C:\WINDOWS\system32\pixomatic.dll 2006-09-17 18:01 22,016 --a------ C:\WINDOWS\system32\borlndmm.dll 2006-09-17 18:01 188,416 --a------ C:\WINDOWS\system32\eax.dll 2006-09-17 18:01 1,500,160 --a------ C:\WINDOWS\system32\cc3260mt.dll 2006-09-17 18:01 1,230,336 --------- C:\WINDOWS\system32\msxml4.dll (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2006-10-02 00:09 -------- d-------- C:\Program Files\ewido anti-spyware 4.0 2006-10-01 23:27 -------- d-------- C:\Program Files\Mozilla Firefox 2006-10-01 12:43 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys 2006-10-01 00:48 -------- d-------- C:\Program Files\Windows Media Player 2006-10-01 00:44 -------- d-------- C:\Program Files\U.S. Robotics 802.11g WLAN 2006-10-01 00:35 -------- d-------- C:\Program Files\Internet Explorer 2006-09-27 23:37 -------- d--h----- C:\Program Files\WindowsUpdate 2006-09-27 22:29 -------- d-------- C:\Program Files\CleanUp! 2006-09-27 21:55 -------- d-------- C:\Program Files\HaxFix 2006-09-27 15:50 -------- d-------- C:\Documents and Settings\User1\Application Data\DMCache 2006-09-26 19:25 -------- d-------- C:\Program Files\RegistryFix 2006-09-25 20:18 -------- d-------- C:\Program Files\Unlocker 2006-09-25 18:27 -------- d-------- C:\Documents and Settings\User1\Application Data\AVG7 2006-09-25 18:26 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys 2006-09-25 18:25 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys 2006-09-25 18:25 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys 2006-09-25 18:25 -------- d-------- C:\Program Files\Grisoft 2006-09-25 18:14 -------- d-------- C:\Program Files\Norton Internet Security 2006-09-25 18:14 -------- d-------- C:\Documents and Settings\User1\Application Data\Symantec 2006-09-25 18:13 -------- d-------- C:\Program Files\Symantec 2006-09-25 18:12 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys 2006-09-24 23:00 -------- d-------- C:\Documents and Settings\User1\Application Data\Mozilla 2006-09-24 13:04 8329 --a------ C:\Documents and Settings\User1\Application Data\.googlewebacchosts 2006-09-24 09:07 -------- d-------- C:\Program Files\Alwil Software 2006-09-23 21:53 -------- d-------- C:\Program Files\Pinnacle 2006-09-23 13:09 -------- d-------- C:\Program Files\Outlook Express 2006-09-23 13:09 -------- d-------- C:\Program Files\NetMeeting 2006-09-23 13:09 -------- d-------- C:\Program Files\Movie Maker 2006-09-23 13:08 -------- d-------- C:\Program Files\Windows NT 2006-09-21 17:08 -------- d--h----- C:\Program Files\InstallShield Installation Information 2006-09-21 17:07 -------- d-------- C:\Program Files\SmartSound Software 2006-09-21 17:04 -------- d-------- C:\Program Files\Trillian 2006-09-18 16:28 -------- d-------- C:\Program Files\Internet Download Manager 2006-09-18 16:28 -------- d-------- C:\Documents and Settings\User1\Application Data\IDM 2006-09-17 21:11 14848 --a------ C:\WINDOWS\system32\BASSMOD.dll 2006-09-17 18:11 -------- d-------- C:\Program Files\GTA-SanAndreas 2006-09-16 23:24 -------- d-------- C:\Documents and Settings\User1\Application Data\Sun 2006-09-16 10:07 -------- d-------- C:\Documents and Settings\User1\Application Data\Google 2006-09-15 22:04 48816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL 2006-09-15 22:04 109744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS 2006-09-14 14:44 -------- d-------- C:\Program Files\Winamp 2006-09-10 19:43 -------- d-------- C:\Documents and Settings\User1\Application Data\AdobeUM 2006-09-10 18:24 -------- d---s---- C:\Documents and Settings\User1\Application Data\Microsoft 2006-09-10 10:34 -------- d-------- C:\Program Files\Java 2006-09-07 22:32 -------- d-------- C:\Program Files\Save Flash 2006-08-29 01:28 140984 --a------ C:\WINDOWS\system32\idmmbc.dll 2006-08-24 20:40 -------- d-------- C:\Program Files\GeoVid 2006-08-22 18:32 22768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys 2006-08-22 18:32 -------- d-------- C:\Program Files\Motorola Phone Tools 2006-08-22 18:25 -------- d-------- C:\Program Files\mobile PhoneTools 2006-08-22 18:05 -------- d-------- C:\Program Files\LiveUpdate 2006-08-22 00:22 72748 --a------ C:\WINDOWS\unins001.exe 2006-08-22 00:22 72748 --a------ C:\WINDOWS\unins000.exe 2006-08-22 00:22 -------- d-------- C:\Program Files\Temp 2006-08-22 00:22 -------- d-------- C:\Program Files\Anark 2006-08-21 23:49 -------- d-------- C:\Program Files\OceanDive 2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll 2006-08-21 02:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe 2006-08-21 02:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys 2006-08-21 00:44 -------- d-------- C:\Program Files\SereneScreen 2006-08-19 11:23 -------- d-------- C:\Documents and Settings\User1\Application Data\RipIt4Me 2006-08-19 09:43 -------- d-------- C:\Program Files\PgcEdit 2006-08-18 15:30 -------- d-------- C:\Documents and Settings\User1\Application Data\Adobe 2006-08-07 16:02 534208 --a------ C:\WINDOWS\system32\SymNeti.dll 2006-08-07 16:02 31936 --a------ C:\WINDOWS\system32\drivers\symids.sys 2006-08-07 16:02 28352 --a------ C:\WINDOWS\system32\drivers\symndis.sys 2006-08-07 16:02 24768 --a------ C:\WINDOWS\system32\drivers\symredrv.sys 2006-08-07 16:02 195776 --a------ C:\WINDOWS\system32\drivers\symtdi.sys 2006-08-07 16:02 161472 --a------ C:\WINDOWS\system32\SymRedir.dll 2006-08-07 16:02 110784 --a------ C:\WINDOWS\system32\drivers\symfw.sys 2006-08-07 16:01 12992 --a------ C:\WINDOWS\system32\drivers\symdns.sys 2006-08-03 20:59 48 ---hs---- C:\Documents and Settings\User1\Application Data\.zreglib 2006-08-03 20:54 -------- d-------- C:\Program Files\Rip it 4 Me 2006-08-02 11:41 -------- d-------- C:\Program Files\BitComet (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries are not shown [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RemoteCenter"="C:\\Program Files\\Creative\\MediaSource\\RemoteControl\\RCMan.EXE" "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\"" "SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTHelper"="CTHELPER.EXE" "CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2ZS\\Surround Mixer\\CTSysVol.exe /r" "CTDVDDET"="C:\\Program Files\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDET.EXE" "SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r" "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe" "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "IS CfgWiz"="\"C:\\Program Files\\Norton Internet Security\\cfgwiz.exe\" /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE \"REBOOT\"" "SSC_UserPrompt"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\"" "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP" "!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized" "PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS] "Installed"="1" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components] "DeskHtmlVersion"=dword:00000110 "DeskHtmlMinorVersion"=dword:00000005 "Settings"=dword:00000001 "GeneralFlags"=dword:00000000 [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] "dontdisplaylastusername"=dword:00000000 "legalnoticecaption"="" "legalnoticetext"="" "shutdownwithoutlogon"=dword:00000001 "undockwithoutlogon"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "AllowLegacyWebView"=dword:00000001 "AllowUnhashedWebView"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run] [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}" "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}" "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk" "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE " "item"="Adobe Reader Speed Launch" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk] "backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE " "item"="InterVideo WinCinema Manager" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="msmsgs" "hkey"="HKCU" "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroCheck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NeroCheck" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\\\NeroCheck.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Symantec NetDriver Monitor] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="SNDMon" "hkey"="HKLM" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UpdReg] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="UpdReg" "hkey"="HKLM" "command"="C:\\WINDOWS\\UpdReg.EXE" "inimapping"="0" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dxmamcia HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbjt32 HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wnmicf HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\wnmicf.sys HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\wnmifc.sys Completion time: 06-10-02 9:21:45.90 ComboFix.txt ComboFix2.txt ComboFix3.txt

10-02-2006, 11:12 AM	#22 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,813 OS: WinXP and Vista	Nice job...keep TeaTimer disabled and this time, run combofix from the Run command using the command I gave you in my previous reply. Post the ComboFix.txt again, along with a new HijackThis log. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

10-04-2006, 09:54 PM	#23 (permalink)
randomrandom Registered User Join Date: Sep 2006 Posts: 31 OS: XP home edition	Great News! Great news! I got AVG anti-virus to finally uninstall (i had to uninstall it in safe-mode because it wouldnt in normal mode) and now my computer is on its way back to being normal again! 1) I have my wireless internet connection back 2) "Control Panel" and "My network Connections" do not crash anymore 3) I was able to reinstall Norton Antivirus 2006 which cleaned quite a few of the viruses out.... 4) I uninstalled Spybot which allows all of my other programs to finally work right (ie. combofix, and norton) 5) Internet Explorer is back up and running as well, no more redirecting or crashing!!!! HOORAY!!!! 6) This is the best one.... My computer shuts down normally again! Unfortunately, My startup time is still abmysal (windows still hangs for 2-5 minutes on the "windows is starting up" screen). I hope these new logs can help fix this! *************************************************** Combofix Log *************************************************** User1 - 06-10-04 20:45:17.35 Service Pack 1 ComboFix 06.09.27 - Running from: "C:\Documents and Settings\User1\desktop" Command switches used :: /v d3dishsv wmneprfl dxmamcia ((((((((((((((((((((((((((((((( Files Created from 2006-09-04 to 2006-10-04 )))))))))))))))))))))))))))))))))) 2006-10-04 17:01 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL 2006-10-04 15:00 331,776 --a------ C:\WINDOWS\system32\winhttp.dll 2006-10-04 15:00 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll 2006-09-27 22:19 53,248 --a------ C:\WINDOWS\system32\Process.exe 2006-09-27 22:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2006-09-27 22:19 135,168 --a------ C:\WINDOWS\system32\swreg.exe 2006-09-27 21:54 13 --a------ C:\dumwnmifc.sys 2006-09-27 21:54 13 --a------ C:\dumwnmicf.sys 2006-09-27 21:54 13 --a------ C:\dumwnmicf.dll 2006-09-25 14:47 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe 2006-09-25 14:47 7,483 --a------ C:\clean.bat 2006-09-25 14:47 40,960 --a------ C:\WINDOWS\system32\swsc.exe 2006-09-25 14:47 4,096 --a------ C:\WINDOWS\system32\reboot.exe 2006-09-25 14:47 38,400 --a------ C:\WINDOWS\system32\moveex.exe 2006-09-23 15:24 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll 2006-09-23 15:24 13,312 --a------ C:\WINDOWS\system32\irclass.dll 2006-09-23 13:09 9,728 --a------ C:\WINDOWS\system32\mstinit.exe 2006-09-23 13:09 81,408 --a------ C:\WINDOWS\system32\msoert2.dll 2006-09-23 13:09 77,824 --a------ C:\WINDOWS\system32\isign32.dll 2006-09-23 13:09 73,728 --a------ C:\WINDOWS\system32\ils.dll 2006-09-23 13:09 69,632 --a------ C:\WINDOWS\system32\icwdial.dll 2006-09-23 13:09 65,536 --a------ C:\WINDOWS\system32\msconf.dll 2006-09-23 13:09 63,488 --a------ C:\WINDOWS\system32\srclient.dll 2006-09-23 13:09 61,440 --a------ C:\WINDOWS\system32\icwphbk.dll 2006-09-23 13:09 587,776 --a------ C:\WINDOWS\system32\inetcomm.dll 2006-09-23 13:09 47,616 --a------ C:\WINDOWS\system32\inetres.dll 2006-09-23 13:09 40,960 --a------ C:\WINDOWS\system32\safrslv.dll 2006-09-23 13:09 39,424 --a------ C:\WINDOWS\system32\safrcdlg.dll 2006-09-23 13:09 361,984 --a------ C:\WINDOWS\system32\qmgr.dll 2006-09-23 13:09 33,280 --a------ C:\WINDOWS\system32\racpldlg.dll 2006-09-23 13:09 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe 2006-09-23 13:09 32,256 --a------ C:\WINDOWS\system32\mnmdd.dll 2006-09-23 13:09 28,672 --a------ C:\WINDOWS\system32\isrdbg32.dll 2006-09-23 13:09 266,240 --a------ C:\WINDOWS\system32\inetcfg.dll 2006-09-23 13:09 26,624 --a------ C:\WINDOWS\system32\safrdm.dll 2006-09-23 13:09 250,368 --a------ C:\WINDOWS\system32\mstask.dll 2006-09-23 13:09 24,576 --a------ C:\WINDOWS\system32\nmmkcert.dll 2006-09-23 13:09 228,864 --a------ C:\WINDOWS\system32\msoeacct.dll 2006-09-23 13:09 226,304 --a------ C:\WINDOWS\system32\srrstr.dll 2006-09-23 13:09 159,232 --a------ C:\WINDOWS\system32\schedsvc.dll 2006-09-23 13:09 158,720 --a------ C:\WINDOWS\system32\srsvc.dll 2006-09-23 13:08 9,728 --a------ C:\WINDOWS\system32\xolehlp.dll 2006-09-23 13:08 869,376 --a------ C:\WINDOWS\system32\msdtctm.dll 2006-09-23 13:08 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll 2006-09-23 13:08 83,968 --a------ C:\WINDOWS\system32\mtxoci.dll 2006-09-23 13:08 82,432 --a------ C:\WINDOWS\system32\comrepl.dll 2006-09-23 13:08 61,952 --a------ C:\WINDOWS\system32\rdshost.exe 2006-09-23 13:08 6,144 --a------ C:\WINDOWS\system32\msdtc.exe 2006-09-23 13:08 56,832 --a------ C:\WINDOWS\system32\colbact.dll 2006-09-23 13:08 54,784 --a------ C:\WINDOWS\system32\msdtclog.dll 2006-09-23 13:08 495,616 --a------ C:\WINDOWS\system32\comuid.dll 2006-09-23 13:08 489,984 --a------ C:\WINDOWS\system32\hypertrm.dll 2006-09-23 13:08 468,480 --a------ C:\WINDOWS\system32\clbcatq.dll 2006-09-23 13:08 215,040 --a------ C:\WINDOWS\system32\catsrv.dll 2006-09-23 13:08 18,432 --a------ C:\WINDOWS\system32\qprocess.exe 2006-09-23 13:08 179,200 --a------ C:\WINDOWS\system32\accwiz.exe 2006-09-23 13:08 151,040 --a------ C:\WINDOWS\system32\msdtcuiu.dll 2006-09-23 13:08 124,416 --a------ C:\WINDOWS\system32\sndrec32.exe 2006-09-23 13:08 100,864 --a------ C:\WINDOWS\system32\clbcatex.dll 2006-09-23 13:07 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe 2006-09-23 13:07 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll 2006-09-23 13:07 9,216 --a------ C:\WINDOWS\system32\icaapi.dll 2006-09-23 13:07 88,064 --a------ C:\WINDOWS\system32\tscfgwmi.dll 2006-09-23 13:07 75,912 --a------ C:\WINDOWS\system32\rdpwsx.dll 2006-09-23 13:07 598,016 --a------ C:\WINDOWS\system32\mstscax.dll 2006-09-23 13:07 582,656 --a------ C:\WINDOWS\system32\catsrvut.dll 2006-09-23 13:07 57,856 --a------ C:\WINDOWS\system32\licwmi.dll 2006-09-23 13:07 56,320 --a------ C:\WINDOWS\system32\remotepg.dll 2006-09-23 13:07 534,016 --a------ C:\WINDOWS\system32\spider.exe 2006-09-23 13:07 53,248 --a------ C:\WINDOWS\system32\servdeps.dll 2006-09-23 13:07 44,032 --a------ C:\WINDOWS\system32\rdpclip.exe 2006-09-23 13:07 40,960 --a------ C:\WINDOWS\system32\tscupgrd.exe 2006-09-23 13:07 388,608 --a------ C:\WINDOWS\system32\mstsc.exe 2006-09-23 13:07 359,936 --a------ C:\WINDOWS\system32\msdtcprx.dll 2006-09-23 13:07 339,968 --a------ C:\WINDOWS\system32\mspaint.exe 2006-09-23 13:07 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll 2006-09-23 13:07 200,192 --a------ C:\WINDOWS\system32\termsrv.dll 2006-09-23 13:07 174,592 --a------ C:\WINDOWS\system32\cmprops.dll 2006-09-23 13:07 16,384 --a------ C:\WINDOWS\system32\mmfutil.dll 2006-09-23 13:07 14,848 --a------ C:\WINDOWS\system32\rdpsnd.dll 2006-09-23 13:07 135,680 --a------ C:\WINDOWS\system32\rdchost.dll 2006-09-23 13:07 129,024 --a------ C:\WINDOWS\system32\sessmgr.exe 2006-09-23 13:07 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe 2006-09-23 13:07 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe 2006-09-23 13:07 116,736 --a------ C:\WINDOWS\system32\mplay32.exe 2006-09-23 13:07 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll 2006-09-23 13:07 1,172,992 --a------ C:\WINDOWS\system32\comsvcs.dll 2006-09-23 12:12 4,096 --a------ C:\WINDOWS\system32\ksuser.dll 2006-09-23 12:11 71,168 --a------ C:\WINDOWS\system32\storprop.dll 2006-09-21 17:08 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL 2006-09-21 17:08 81,920 --------- C:\WINDOWS\system32\vdrmux.dll 2006-09-21 17:08 76,800 --------- C:\WINDOWS\system32\Lfwmf13n.dll 2006-09-21 17:08 73,728 --------- C:\WINDOWS\system32\MMAviAx.dll 2006-09-21 17:08 73,728 --------- C:\WINDOWS\system32\lffax13n.dll 2006-09-21 17:08 65,536 --------- C:\WINDOWS\system32\Lfpct13n.dll 2006-09-21 17:08 46,592 --------- C:\WINDOWS\system32\vdrcodec.dll 2006-09-21 17:08 453,120 --------- C:\WINDOWS\system32\ltkrn13n.dll 2006-09-21 17:08 44,544 --------- C:\WINDOWS\system32\msxml4a.dll 2006-09-21 17:08 40,960 --------- C:\WINDOWS\system32\langserv.dll 2006-09-21 17:08 393,216 --------- C:\WINDOWS\system32\LFCMP13n.DLL 2006-09-21 17:08 32,768 --------- C:\WINDOWS\system32\MLPagAx.dll 2006-09-21 17:08 30,208 --------- C:\WINDOWS\system32\lfbmp13n.dll 2006-09-21 17:08 294,912 --------- C:\WINDOWS\system32\pvmjpg21.dll 2006-09-21 17:08 278,016 --------- C:\WINDOWS\system32\LFJ2K13n.dll 2006-09-21 17:08 24,576 --------- C:\WINDOWS\system32\lftga13n.dll 2006-09-21 17:08 204,881 --------- C:\WINDOWS\system32\DiskIO.dll 2006-09-21 17:08 18,432 --------- C:\WINDOWS\system32\Cachex.dll 2006-09-21 17:08 155,721 --------- C:\WINDOWS\system32\RALMain.dll 2006-09-21 17:08 153,088 --------- C:\WINDOWS\system32\ltfil13n.DLL 2006-09-21 17:08 143,360 --------- C:\WINDOWS\system32\lftif13n.dll 2006-09-21 17:08 114,759 --------- C:\WINDOWS\system32\Aviprax.dll 2006-09-21 17:08 1,693,696 --------- C:\WINDOWS\system32\LTCLR13n.dll 2006-09-21 17:05 964,608 --a------ C:\WINDOWS\system32\MFC70U.DLL 2006-09-21 17:05 65,536 --a------ C:\WINDOWS\system32\MFC71DEU.DLL 2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\pclepim1.dll 2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\MFC71ITA.DLL 2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\MFC71FRA.DLL 2006-09-21 17:05 61,440 --a------ C:\WINDOWS\system32\MFC71ESP.DLL 2006-09-21 17:05 57,344 --a------ C:\WINDOWS\system32\MFC71ENU.DLL 2006-09-21 17:05 49,152 --a------ C:\WINDOWS\system32\PCLEGetGuid.dll 2006-09-21 17:05 49,152 --a------ C:\WINDOWS\system32\MFC71KOR.DLL 2006-09-21 17:05 49,152 --a------ C:\WINDOWS\system32\MFC71JPN.DLL 2006-09-21 17:05 45,056 --a------ C:\WINDOWS\system32\MFC71CHT.DLL 2006-09-21 17:05 40,960 --a------ C:\WINDOWS\system32\MFC71CHS.DLL 2006-09-17 18:01 82,432 --------- C:\WINDOWS\system32\msxml4r.dll 2006-09-17 18:01 54,784 --a------ C:\WINDOWS\system32\msvci70.dll 2006-09-17 18:01 442,368 --a------ C:\WINDOWS\system32\vp6vfw.dll 2006-09-17 18:01 265,785 --a------ C:\WINDOWS\system32\pixomatic.dll 2006-09-17 18:01 22,016 --a------ C:\WINDOWS\system32\borlndmm.dll 2006-09-17 18:01 188,416 --a------ C:\WINDOWS\system32\eax.dll 2006-09-17 18:01 1,500,160 --a------ C:\WINDOWS\system32\cc3260mt.dll 2006-09-17 18:01 1,230,336 --------- C:\WINDOWS\system32\msxml4.dll (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2006-10-04 20:21 -------- d-------- C:\Program Files\Trillian 2006-10-04 20:17 -------- d-------- C:\Program Files\Common Files\Symantec Shared 2006-10-04 20:06 -------- d-------- C:\Program Files\Mozilla Firefox 2006-10-04 17:21 -------- d-------- C:\Program Files\Norton Internet Security 2006-10-04 17:20 -------- d-------- C:\Program Files\Symantec 2006-10-04 17:02 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys 2006-10-04 17:01 -------- d-------- C:\Program Files\Common Files 2006-10-04 15:39 -------- d-------- C:\Program Files\Windows Media Player 2006-10-04 15:33 -------- d-------- C:\Program Files\Symantec Technical Support 2006-10-04 15:07 -------- d-------- C:\Program Files\ewido anti-spyware 4.0 2006-10-04 14:53 -------- d--h----- C:\Program Files\InstallShield Installation Information 2006-10-04 14:53 -------- d-------- C:\Program Files\U.S. Robotics 802.11g WLAN 2006-10-01 00:35 -------- d-------- C:\Program Files\Internet Explorer 2006-09-27 23:37 -------- d--h----- C:\Program Files\WindowsUpdate 2006-09-27 22:29 -------- d-------- C:\Program Files\CleanUp! 2006-09-27 21:55 -------- d-------- C:\Program Files\HaxFix 2006-09-27 15:50 -------- d-------- C:\Documents and Settings\User1\Application Data\DMCache 2006-09-26 19:25 -------- d-------- C:\Program Files\RegistryFix 2006-09-25 20:18 -------- d-------- C:\Program Files\Unlocker 2006-09-25 18:25 -------- d-------- C:\Program Files\Grisoft 2006-09-25 18:14 -------- d-------- C:\Documents and Settings\User1\Application Data\Symantec 2006-09-24 23:00 -------- d-------- C:\Documents and Settings\User1\Application Data\Mozilla 2006-09-24 13:04 8329 --a------ C:\Documents and Settings\User1\Application Data\.googlewebacchosts 2006-09-24 09:07 -------- d-------- C:\Program Files\Alwil Software 2006-09-23 21:53 -------- d-------- C:\Program Files\Pinnacle 2006-09-23 13:09 -------- d-------- C:\Program Files\Outlook Express 2006-09-23 13:09 -------- d-------- C:\Program Files\NetMeeting 2006-09-23 13:09 -------- d-------- C:\Program Files\Movie Maker 2006-09-23 13:09 -------- d-------- C:\Program Files\Common Files\System 2006-09-23 13:08 -------- d-------- C:\Program Files\Windows NT 2006-09-21 17:07 -------- d-------- C:\Program Files\SmartSound Software 2006-09-18 16:28 -------- d-------- C:\Program Files\Internet Download Manager 2006-09-18 16:28 -------- d-------- C:\Documents and Settings\User1\Application Data\IDM 2006-09-17 21:11 14848 --a------ C:\WINDOWS\system32\BASSMOD.dll 2006-09-17 18:11 -------- d-------- C:\Program Files\GTA-SanAndreas 2006-09-16 23:24 -------- d-------- C:\Documents and Settings\User1\Application Data\Sun 2006-09-16 10:07 -------- d-------- C:\Documents and Settings\User1\Application Data\Google 2006-09-15 22:04 109744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS 2006-09-14 14:44 -------- d-------- C:\Program Files\Winamp 2006-09-10 19:43 -------- d-------- C:\Documents and Settings\User1\Application Data\AdobeUM 2006-09-10 18:24 -------- d---s---- C:\Documents and Settings\User1\Application Data\Microsoft 2006-09-10 10:34 -------- d-------- C:\Program Files\Java 2006-09-07 22:32 -------- d-------- C:\Program Files\Save Flash 2006-08-29 01:28 140984 --a------ C:\WINDOWS\system32\idmmbc.dll 2006-08-24 20:40 -------- d-------- C:\Program Files\GeoVid 2006-08-22 18:32 22768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys 2006-08-22 18:32 -------- d-------- C:\Program Files\Motorola Phone Tools 2006-08-22 18:25 -------- d-------- C:\Program Files\mobile PhoneTools 2006-08-22 18:05 -------- d-------- C:\Program Files\LiveUpdate 2006-08-22 00:22 72748 --a------ C:\WINDOWS\unins001.exe 2006-08-22 00:22 72748 --a------ C:\WINDOWS\unins000.exe 2006-08-22 00:22 -------- d-------- C:\Program Files\Temp 2006-08-22 00:22 -------- d-------- C:\Program Files\Anark 2006-08-21 23:49 -------- d-------- C:\Program Files\OceanDive 2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll 2006-08-21 02:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe 2006-08-21 02:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys 2006-08-21 00:44 -------- d-------- C:\Program Files\SereneScreen 2006-08-19 11:23 -------- d-------- C:\Documents and Settings\User1\Application Data\RipIt4Me 2006-08-19 09:43 -------- d-------- C:\Program Files\PgcEdit 2006-08-18 15:30 -------- d-------- C:\Documents and Settings\User1\Application Data\Adobe 2006-08-07 16:02 534208 --a------ C:\WINDOWS\system32\SymNeti.dll 2006-08-07 16:02 31936 --a------ C:\WINDOWS\system32\drivers\symids.sys 2006-08-07 16:02 28352 --a------ C:\WINDOWS\system32\drivers\symndis.sys 2006-08-07 16:02 24768 --a------ C:\WINDOWS\system32\drivers\symredrv.sys 2006-08-07 16:02 195776 --a------ C:\WINDOWS\system32\drivers\symtdi.sys 2006-08-07 16:02 161472 --a------ C:\WINDOWS\system32\SymRedir.dll 2006-08-07 16:02 110784 --a------ C:\WINDOWS\system32\drivers\symfw.sys 2006-08-07 16:01 12992 --a------ C:\WINDOWS\system32\drivers\symdns.sys 2006-08-03 20:59 48 ---hs---- C:\Documents and Settings\User1\Application Data\.zreglib (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries are not shown [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RemoteCenter"="C:\\Program Files\\Creative\\MediaSource\\RemoteControl\\RCMan.EXE" "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\"" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTHelper"="CTHELPER.EXE" "CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2ZS\\Surround Mixer\\CTSysVol.exe /r" "CTDVDDET"="C:\\Program Files\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDET.EXE" "SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r" "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe" "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe" "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized" "PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "SSC_UserPrompt"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\"" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS] "Installed"="1" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components] "DeskHtmlVersion"=dword:00000110 "DeskHtmlMinorVersion"=dword:00000005 "Settings"=dword:00000001 "GeneralFlags"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] "dontdisplaylastusername"=dword:00000000 "legalnoticecaption"="" "legalnoticetext"="" "shutdownwithoutlogon"=dword:00000001 "undockwithoutlogon"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "AllowLegacyWebView"=dword:00000001 "AllowUnhashedWebView"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run] [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}" "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}" "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk" "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE " "item"="Adobe Reader Speed Launch" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk] "backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE " "item"="InterVideo WinCinema Manager" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="msmsgs" "hkey"="HKCU" "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroCheck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NeroCheck" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\\\NeroCheck.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Symantec NetDriver Monitor] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="SNDMon" "hkey"="HKLM" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UpdReg] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="UpdReg" "hkey"="HKLM" "command"="C:\\WINDOWS\\UpdReg.EXE" "inimapping"="0" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbjt32 HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wnmicf HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\wnmicf.sys HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\wnmifc.sys Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - User1.job Completion time: 06-10-04 20:46:10.49 ComboFix.txt ComboFix2.txt ComboFix3.txt **************************************************** HJT Log **************************************************** Logfile of HijackThis v1.99.1 Scan saved at 20:46, on 06-10-04 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\CTHELPER.EXE C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\ewido anti-spyware 4.0\ewido.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe C:\Program Files\U.S. Robotics 802.11g WLAN\USRWLANG.exe C:\WINDOWS\System32\WgaTray.exe C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE C:\Program Files\Messenger\msmsgs.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: Registration .LNK = C:\Program Files\Ubisoft\Demo\Blazing Angels Squadrons of WWII Demo\RegistrationReminder.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: U.S. Robotics 802.11g Wireless Network Utility.lnk = ? O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/tech...rl/tgctlsi.cab O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tech...rl/tgctlsr.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1159425430187 O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microso.../TLIEFlash.CAB O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - AppInit_DLLs: d3dishsv.dll wmneprfl.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: winbjt32 - C:\WINDOWS\ O20 - Winlogon Notify: wnmicf - wnmicf.dll (file missing) O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

10-05-2006, 11:46 AM	#24 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,813 OS: WinXP and Vista	Almost there. Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions. Once again, it is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. ************************************************* Download KillBox. (it's important that you get version v2.0.0.175). We'll use it shortly. *********************************************** From Normal Mode: Open HijackThis and click on 'Do a System Scan Only'. Check the following entries: O20 - AppInit_DLLs: d3dishsv.dll wmneprfl.dll O20 - Winlogon Notify: winbjt32 - C:\WINDOWS\ O20 - Winlogon Notify: wnmicf - wnmicf.dll (file missing) Click 'Fix Checked' and close HijackThis. ----------------------------------------------------- Go to <<Start>> then <<Run>> then paste in the single line command then click OK "%userprofile%\desktop\combofix.exe" /v d3dishsv wmneprfl When finished, it shall produce a log for you. Post that log in your next reply along with a new HijackThis log. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall ----------------------------------------------------- Launch KillBox.exe & select the following options: Delete on Reboot All files (if available)** Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C: C:\dumwnmifc.sys C:\dumwnmicf.sys C:\dumwnmicf.dll Select/tick the following: * Delete on Reboot * End Explorer Shell While Killing File Click the RED X button. Click Yes at the 'Delete on Reboot' prompt. Click Yes at the Pending Operations prompt. If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again. * If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to manually restart Windows. ************************************************* Double click on combofix.exe** & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply along with a new HijackThis log. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

10-06-2006, 05:11 PM	#25 (permalink)
randomrandom Registered User Join Date: Sep 2006 Posts: 31 OS: XP home edition	Error! I got this error after i did the "fix checked" in HJT what should i do? An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: d3dishsv.dll wmneprfl.dll) Error #5 - Invalid procedure call or argument Please email me at merijn@spywareinfo.com, reporting the following: * What you were trying to fix when the error occurred, if applicable * How you can reproduce the error * A complete HijackThis scan log, if possible Windows version: Windows NT 5.01.2600 MSIE version: 6.0.2800.1106 HijackThis version: 1.99.1 This message has been copied to your clipboard. Click OK to continue the rest of the scan.

10-06-2006, 06:24 PM	#26 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,813 OS: WinXP and Vista	Keep going. If you've stopped and closed HijackThis, begin again, ignore that message, and continue with the remaining instructions. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

10-07-2006, 06:29 PM	#28 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,813 OS: WinXP and Vista	Hi, We're are just about through here. I'd like to see another Haxfix log. Run Haxfix.exe: Select the option to - Make logfile - Type 1 & press`Enter'. Haxfix will produce a log for you to post back here. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

10-07-2006, 08:16 PM	#29 (permalink)
randomrandom Registered User Join Date: Sep 2006 Posts: 31 OS: XP home edition	HAXFIX logfile - by Marckie ______________ version 4.20.1 Sat 10/07/06 19:14:11.62 checking for haxdoor -------------------- checking for a3d files.... a3d files found p2s2.a3d checking for matching notify keys.... no matching notify keys found checking for matching services.... matching services found Aspi32 wnmifc checking for matching safeboot services.... matching safeboot services found wnmicf.sys wnmifc.sys checking for other haxdoorfiles.... Checking for goldun ------------------- checking for SSODL keys.... no ssodl keys found checking for notify keys.... no notify keys found checking for services.... no services found checking for other goldunfiles.... Finished

10-07-2006, 08:26 PM	#30 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,813 OS: WinXP and Vista	Ok, that's what I thought. Open this folder program files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon) Close all other open windows since this step requires a reboot Select option 2. Run auto fix by typing 2 and then pressing "Enter" If an infection is found, you'll get a message to close all other open windows. Close all open windows except the red dos window from haxfix and then press "Enter" The computer will reboot After reboot a logfile will open > (c:\haxfix.txt) Post the contents of that logfile. Run combofix.exe again and post the ComboFix.txt here as well. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

10-07-2006, 08:27 PM	#31 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,813 OS: WinXP and Vista	Before you proceed with my previous instructions, do this first: Using Internet Explorer, download ResetTeaTimer.bat. If you are using Firefox, right click the above link and choose ‘Save As’. Save it to your desktop. Double click ResetTeaTimer.bat to remove all entries set by TeaTimer. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

10-08-2006, 11:35 AM	#32 (permalink)
randomrandom Registered User Join Date: Sep 2006 Posts: 31 OS: XP home edition	HAXFIX logfile - by Marckie -------------- version 4.20.1 Sun 10/08/06 10:28:22.46 --- Auto Haxdoorfix --- searching for files: searching for services.... service wnmifc found [SWSC] DeleteService SUCCESS --- Goldunfix --- searching for files: searching for SSODLkeys: no SSODLkeys found searching for notifykeys: no notifykeys found searching for services: no services found .....rebooting the computer..... searching for ssodlkeys not needed searching for notifykeys not needed searching for services service wnmifc not found searching for safeboot services safeboot service wnmicf.sys not found safeboot service wnmifc.sys not found searching for files wnmifc.sys exists deleting wnmifc.sys wnmifc.sys has been deleted wnmicf.sys exists deleting wnmicf.sys wnmicf.sys has been deleted checking for other files xg.ffc exists deleting xg.ffc xg.ffc has been deleted checking for a3d files p2s2.a3d deleting a3d files a3d files are deleted Finished

10-08-2006, 12:06 PM	#33 (permalink)
randomrandom Registered User Join Date: Sep 2006 Posts: 31 OS: XP home edition	Seriously Important! This is super important. You know how i had to restart my computer for the HAXFIX to delete the viruses? well after i did THAT restart, i restarted again and a windows box came up telling me that due to significant hardware changes, i must reactivate my hardware within the next three days! So i click on the register windows button, and it tells me to go to: Start-All Programs-Accessories-System Tools-Activate Windows except..... I DONT HAVE THIS ICON! So i go to the microsoft website, and being its typically completely unhelpful self , suggests that my copy of windows is counterfit. This is completely untrue because i bought this copy and have the origional disk. I have been using this same copy of windows since i got my computer (about 2-3 years ago) and havent had any kind of problem like this. Did haxfix couse this??????????? Seriously i cant believe this is happening.........this is the LAST thing that i needed.............

10-08-2006, 12:38 PM	#34 (permalink)
randomrandom Registered User Join Date: Sep 2006 Posts: 31 OS: XP home edition	sorry 'bout the triple post ah, sorry for the 3 in a row post (it wouldnt let me edit the post before this one), but this whole situation scared me bad... like this--> ok so i reactivated windows by phone, and it is supposedly successfully activated now. I restarted my comp to make sure that it was ACTUALLY successful, and i didnt get that error message this time. but im STILL wondering what caused this..... any suggestions?

10-08-2006, 03:58 PM	#35 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,813 OS: WinXP and Vista	Hiya, I am relieved you were able to rectify that situation. i've seen that happen before, albeit not often and no, Haxfix did not cause this problem, the haxdoor infection did. We need to go a bit deeper. Download gmer from http://www.gmer.net & unzip it to desktop Launch gmer.exe by double-clicking it. Select the rootkit tab & make sure the 'Show All' button is unticked. Press scan & when it has finished press copy & paste the log back here. --------------------------------- Run combofix.exe again and post that log here as well. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

10-09-2006, 07:36 AM	#37 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,813 OS: WinXP and Vista	Hi, Haxdoor appears to be gone. How is the system behaving now? I'd like you to run a different online scan this time to look for any remnants that may be lurking: Please perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply along with a new HijackThis log. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

10-09-2006, 08:18 AM	#38 (permalink)
randomrandom Registered User Join Date: Sep 2006 Posts: 31 OS: XP home edition	sorry disregard this post Last edited by randomrandom; 10-09-2006 at 08:19 AM.

10-09-2006, 08:26 AM	#39 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,813 OS: WinXP and Vista	Such a tease, randomrandom. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul." Last edited by Ried; 10-09-2006 at 08:28 AM.