Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 10-02-2007, 03:52 AM   #1 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 5
OS: XP


pc very slow, multiple trojans/malware, hijackthis log

About 4 or 5 days ago my PC became extremely slow & laggy, so slow it is almost impossible to use unless I restart it. After a restart it gradually slows down over a few hours until I have to restart it again. It's when I'm using Firefox that I notice it the most, but it affects most programs; applications will freeze for 1 minute or 10 minutes or even hours.
A couple of times when I forced a folder or some applications to quit, my desktop crashed, everything disappeared & some very large yellow words appeared on a black background at the bottom left of my page. The words were VERTICAL & said 'my desktop' or some **** like this. It's so damn frustrating I am on the verge of losing my mind. It takes me hours just to do this post.

The only other clue I have is that I have noticed a new icon in my notification area; it says 'shockwave updater' when I hover over it. It not only looks very suspicious, but I didn't put it there. It's been approaching me a couple of times a day via pop-up, trying to make me click 'O.K.'

I have posted the requested log files below:


Any help would be appreciated.



Incident Status Location

Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Documents and Settings\Jon_W\Start Menu\Programs\Startup\PowerReg Scheduler.exe
Adware:adware/exact.bargainbuddy Not disinfected c:\windows\system32\exclean.exe
Spyware:spyware/clearsearch Not disinfected c:\windows\system32\IETie.dll
Dialer:dialer.xd Not disinfected c:\windows\switchagreement.txt
Adware:adware/sahagent Not disinfected c:\windows\system32\SahImages
Adware:adware/wupd Not disinfected Windows Registry
Spyware:spyware/searchcentrix Not disinfected Windows Registry
Dialer:dialer.asl Not disinfected hkey_classes_root\clsid\{0D62A517-E7C6-4E1F-A577-07D4AC549A48}
Adware:adware/instdollars Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/savenow Not disinfected Windows Registry
Adware:adware/ist.yoursitebar Not disinfected Windows Registry
Adware:adware/powerstrip Not disinfected Windows Registry
Dialer:dialer.dk Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{91433D86-9F27-402C-B5E3-DEBDD122C339}
Adware:adware/ist.istbar Not disinfected Windows Registry
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Jon_W\Cookies\jon_w@adultfriendfinder[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Jon_W\Cookies\jon_w@xiti[1].txt
Virus:Generic Trojan Not disinfected C:\Documents and Settings\Jon_W\Desktop\setup.exe[²ÜÇ\xxl.dll]
Adware:Adware/SecurityError Not disinfected C:\Program Files\setup.exe[²ÜÇ\xxl.dll]
Dialer:Dialer.FYG Not disinfected C:\WINDOWS\Downloaded Program Files\qames.inf
Dialer:Dialer.ABR Not disinfected C:\WINDOWS\Downloaded Program Files\startbf2.inf




Deckard's System Scanner v20070905.67
Run by Jon_W on 2007-10-02 22:32:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jon_W.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:46 p.m., on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Multimedia Combo Set\MouseDrv.exe
C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe
C:\Program Files\PKR\pkrpal.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jon_W\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jon_W.exe

R3 - URLSearchHook: (no name) - _{D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\scvhost.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: CPub Object - {CA70AF0D-0D07-4b80-9ECE-B0F1BEFC5822} - C:\Program Files\Byteswarm\DLInterceptor.dll (file missing)
O2 - BHO: IEHlprObj Class - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Go!Zilla\GoIEHlp.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [msconfig] C:\WINDOWS\scvhost.exe
O4 - HKLM\..\Run: [Update Checker] C:\WINDOWS\scvhost.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\scvhost.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WireLessMouse ] C:\Program Files\Multimedia Combo Set\MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard ] C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [PKR Pal] "C:\Program Files\PKR\pkrpal.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [msconfig] C:\WINDOWS\scvhost.exe
O4 - HKLM\..\RunServices: [Update Checker] C:\WINDOWS\scvhost.exe
O4 - HKLM\..\RunServices: [] C:\WINDOWS\scvhost.exe
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Jon_W\Application Data\Mozilla\Firefox\Profiles\uknct2rc.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Jon_W\Application Data\Mozilla\Firefox\Profiles/uknct2rc.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1011016
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Registration Lock On
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe (file missing)
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A79AAEF-0913-4E57-9429-59EA4377D8E9} (LaunchGame.launchGameCtrl) - http://shot.ongamenet.com.au/LaunchGame_20050802.CAB
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/int_ver32b.CAB
O16 - DPF: {127CE7BA-AD89-4108-A913-C52EFC037C36} -
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/S...dObjSigned.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.35mb.com/applet/applet_l.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/pa.../GSManager.cab
O16 - DPF: {2776DDE9-D4B2-4BF7-9F98-ADC1A1B80AF5} -
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/...b_pictures.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyharem.com/stream/mmp.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://l00kl23.com/default.cab?uid=6...x&ppd=4&tag=45
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.150.183.238/activex/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/si...nerInstall.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://aaotracker.4players.de/LaunchGame.cab
O16 - DPF: {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} (SearchHook Class) - http://www.halflemon.com/Halflemon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/c...ploader_v6.cab
O16 - DPF: {FDF6378C-7B5D-4ABF-BA1F-92748305FFAC} (DownloadManagerInstall Control) - http://beta.byteswarm.com/agent/1.3.0.1/DMInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2B011FC-52BC-4B06-A2C6-284118F8F318}: NameServer = 210.48.65.2 210.48.66.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8F125C6-8B6C-4CDF-88B4-6FD4DA61A6E4}: NameServer = 203.0.178.191
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: farrandly - {8aa7a4d2-73c7-4fca-bef7-7923e38a3b1c} - C:\WINDOWS\system32\tczij.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 13505 bytes

-- Files created between 2007-09-02 and 2007-10-02 -----------------------------

2007-10-02 21:51:21 0 d-------- C:\WINDOWS\LastGood
2007-09-30 22:34:29 0 d-------- C:\Program Files\Trend Micro
2007-09-30 22:10:59 0 d-------- C:\Program Files\SpywareBlaster
2007-09-30 06:38:03 0 d-------- C:\Program Files\Common Files\xing shared
2007-09-30 00:58:46 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-09-12 09:22:19 0 d-------- C:\Program Files\Mobiola Web Camera for S60 3Ed
2007-09-09 05:04:55 17301504 --a------ C:\Documents and Settings\Jon_W\ntuser.dat
2007-09-03 10:26:52 0 d-------- C:\Program Files\jetflash


-- Find3M Report ---------------------------------------------------------------

2007-10-02 21:54:00 0 d-------- C:\Documents and Settings\Jon_W\Application Data\OpenOffice.org2
2007-09-30 18:04:00 0 d-------- C:\Program Files\Softdiv Audio Converter
2007-09-30 18:03:52 0 d-------- C:\Program Files\Shareaza
2007-09-30 18:03:33 0 d-------- C:\Program Files\PowerISO
2007-09-30 18:03:20 0 d-------- C:\Program Files\PKR
2007-09-30 17:55:39 0 d-------- C:\Program Files\Multimedia Combo Set
2007-09-30 17:55:19 0 d-------- C:\Program Files\Microsoft IntelliPoint
2007-09-30 17:55:18 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-09-30 06:38:03 0 d-------- C:\Program Files\Common Files
2007-09-30 06:37:41 0 d-------- C:\Program Files\Common Files\Real
2007-09-30 06:36:53 0 d-------- C:\Documents and Settings\Jon_W\Application Data\Real
2007-09-30 04:31:43 0 d-------- C:\Program Files\WinAce
2007-09-30 04:31:30 0 d-------- C:\Program Files\QuickTime
2007-09-30 00:29:57 0 d-------- C:\Documents and Settings\Jon_W\Application Data\AVG7
2007-09-20 22:45:08 0 d-------- C:\Program Files\Activision Value
2007-09-18 01:14:58 0 d-------- C:\Program Files\TexasCalculatem
2007-09-17 21:21:27 0 d-------- C:\Program Files\Poker.com
2007-09-15 19:32:56 0 d-------- C:\Program Files\Axis & Allies
2007-09-14 19:25:16 8 --a------ C:\WINDOWS\system32\nvModes.dat
2007-09-02 20:53:44 0 d-------- C:\Program Files\ShotOnline International
2007-08-30 16:56:52 0 d-------- C:\Program Files\CDisplay
2007-08-30 01:50:54 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-08-26 11:45:15 0 d-------- C:\Documents and Settings\Jon_W\Application Data\GrabIt
2007-08-21 23:14:14 0 d-------- C:\Program Files\Steam
2007-08-21 15:42:07 0 d-------- C:\Program Files\Winamp
2007-08-19 20:50:29 0 d-------- C:\Program Files\American Systems
2007-08-19 20:44:09 2772480 --a------ C:\Program Files\psdlx.exe
2007-08-18 00:25:14 0 d-------- C:\Documents and Settings\Jon_W\Application Data\Media Player Classic
2007-08-17 21:33:19 0 d-------- C:\Program Files\K-Lite Codec Pack
2007-08-17 21:23:54 0 d-------- C:\Program Files\Morgan
2007-08-17 21:23:45 0 d-------- C:\Program Files\DivX
2007-08-17 21:22:34 13043226 --a------ C:\Program Files\klcodec330f.exe
2007-08-17 16:39:51 0 d-------- C:\Program Files\GameSpy Arcade
2007-08-17 16:38:42 0 d-------- C:\Program Files\GRETECH
2007-08-17 16:28:52 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-17 16:14:11 0 d-------- C:\Program Files\Real
2007-08-17 15:54:41 0 d-------- C:\Program Files\Video Server E
2007-08-16 07:57:24 9264 --a------ C:\WINDOWS\system32\msqtvcap.dat
2007-08-16 04:00:30 0 d-------- C:\Program Files\MSXML 4.0
2007-08-13 17:09:14 0 d-------- C:\Documents and Settings\Jon_W\Application Data\Mozilla
2007-08-13 17:08:31 0 d-------- C:\Documents and Settings\Jon_W\Application Data\SecondLife
2007-08-12 02:11:52 0 d-------- C:\Program Files\NZBPlayer
2007-08-11 16:19:26 0 d-------- C:\Program Files\PartyGaming
2007-08-11 15:46:12 0 d-------- C:\Program Files\Cypress USB 2.0 DVR
2007-08-11 15:17:02 0 d-------- C:\Documents and Settings\Jon_W\Application Data\Microsoft Games
2007-08-11 02:10:57 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2007-08-11 02:10:57 114688 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2007-08-10 20:37:22 0 d-------- C:\Documents and Settings\Jon_W\Application Data\Skype
2007-08-10 08:43:26 510 --a------ C:\s3qs
2007-08-09 20:43:25 510 --a------ C:\s270
2007-08-09 01:49:32 0 d-------- C:\Program Files\id Software
2007-08-06 04:25:48 0 d-------- C:\Program Files\VideoLAN
2007-08-06 04:24:20 9453630 --a------ C:\Program Files\vlc-0.8.6a-win32.exe
2007-08-04 04:20:28 0 d-------- C:\Documents and Settings\Jon_W\Application Data\vlc
2007-08-02 01:20:28 0 d-------- C:\Program Files\Java
2007-07-10 19:55:44 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD4C3CF0-4B15-11D1-ABED-709549C10000}]
C:\Program Files\Go!Zilla\GoIEHlp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [14/09/2007 10:03 a.m.]
"AVG7_EMC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [17/08/2007 10:04 a.m.]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28/01/2005 07:40 p.m.]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [06/06/2006 03:06 a.m.]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [24/03/2005 12:26 p.m.]
"DSLSTATEXE"="C:\Program Files\D-Link\DSL-200\dslstat.exe" [21/01/2005 09:04 p.m.]
"DSLAGENTEXE"="C:\Program Files\D-Link\DSL-200\dslagent.exe" [21/01/2005 09:04 p.m.]
"msconfig"="C:\WINDOWS\scvhost.exe" []
"Update Checker"="C:\WINDOWS\scvhost.exe" []
"@"="C:\WINDOWS\scvhost.exe" []
"WMC_AutoUpdate"="" []
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [04/01/2006 02:43 p.m.]
"VTTimer"="VTTimer.exe" [08/03/2005 08:33 a.m. C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [01/11/2005 09:15 a.m. C:\WINDOWS\system32\VTTrayp.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22/10/2006 12:22 p.m.]
"nwiz"="nwiz.exe" [22/10/2006 12:22 p.m. C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [22/10/2006 12:22 p.m. C:\WINDOWS\system32\nvmctray.dll]
"P17Helper"="SPIRun.dll" [03/07/2006 12:43 p.m. C:\WINDOWS\system32\SPIRun.dll]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [28/07/2006 09:56 a.m.]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [12/07/2007 05:00 a.m.]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 12:50 p.m.]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [16/07/2005 10:48 a.m.]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 10:25 p.m.]
"WireLessMouse "="C:\Program Files\Multimedia Combo Set\MouseDrv.exe" [27/06/2004 03:54 p.m.]
"WireLessKeyboard "="C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe" [02/08/2005 11:55 p.m.]
"PKR Pal"="C:\Program Files\PKR\pkrpal.exe" [19/09/2007 12:40 a.m.]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [30/09/2007 06:36 a.m.]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Shareaza"="C:\Program Files\Shareaza\Shareaza.exe" [27/10/2005 07:44 p.m.]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [23/03/2006 12:13 a.m.]
"SetDefaultMIDI"="MIDIDef.exe" [22/04/2005 11:27 a.m. C:\WINDOWS\MIDIDEF.EXE]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [20/06/2006 11:36 p.m.]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FFTI"=C:\Documents and Settings\Jon_W\Application Data\Mozilla\Firefox\Profiles\uknct2rc.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Jon_W\Application Data\Mozilla\Firefox\Profiles/uknct2rc.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
"SWHelper"="C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1011016

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"msconfig"=C:\WINDOWS\scvhost.exe
"Update Checker"=C:\WINDOWS\scvhost.exe
@=C:\WINDOWS\scvhost.exe

C:\Documents and Settings\Jon_W\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2/02/2007 5:54:56 p.m.]
PowerReg Scheduler.exe [24/01/2006 1:36:36 a.m.]
Registration Lock On [2/07/2007 7:56:07 a.m.]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 11:05:26 p.m.]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8aa7a4d2-73c7-4fca-bef7-7923e38a3b1c}"= C:\WINDOWS\system32\tczij.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b877742c-fd0a-11da-9bd0-806d6172696f}]
AutoRun\command- E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c74496bc-405d-11d9-907b-806d6172696f}]
AutoRun\command- D:\autorun\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9fbf4c5-b3c4-11db-8b1b-806d6172696f}]
AutoRun\command- F:\Autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FC100000-A322-BF20-D41D-B00000104603}]
C:\WINDOWS\scvhost.exe



-- End of Deckard's System Scanner: finished at 2007-10-02 22:33:16 ------------
jimmyfishcake is offline  
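As an added example (not code from the post above and not part of HijackThis), here is a small triage helper that parses HijackThis entry lines like those in the log above and flags the kinds of entries an analyst looks at first: entries whose file is missing, O16 ActiveX (DPF) entries with no source URL, one binary registered under several differently named autostart entries, unnamed autostart entries, and O7 policy lines. The heuristics and thresholds are this example's own assumptions, and the sample lines are copied from the log above.

```python
"""Triage helper for HijackThis-style log lines.

Added example; not code from the forum post or from HijackThis itself.
The heuristics below are assumptions about what is worth a second look,
not HijackThis rules, and they only narrow the list an analyst reviews.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^(?P<sect>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F3_RE = re.compile(r"^REG:win\.ini: run=(?P<cmd>.*)$")
O16_RE = re.compile(
    r"^DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>\S*)\s*$"
)
# First token that looks like an executable/library path, quoted or not.
TARGET_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|com|scr|bat))"?(?:\s|$)', re.I)

# Sample entries copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\scvhost.exe
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msconfig] C:\WINDOWS\scvhost.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\scvhost.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O22 - SharedTaskScheduler: farrandly - {8aa7a4d2-73c7-4fca-bef7-7923e38a3b1c} - C:\WINDOWS\system32\tczij.dll (file missing)
"""


def parse_entries(log_text):
    """Yield (section, body, line) for every HijackThis entry line."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            yield m.group("sect"), m.group("body"), line


def autostart_target(cmd):
    """Return the lower-cased executable path an autostart command launches."""
    m = TARGET_RE.match(cmd.strip())
    return m.group("path").lower() if m else None


def triage(log_text):
    """Return a list of (reason, line) findings for the given log text."""
    findings = []
    autostarts = defaultdict(dict)  # target path -> {entry name: line}

    for sect, body, line in parse_entries(log_text):
        if "(no file)" in body or "(file missing)" in body:
            findings.append(("orphaned entry, file missing", line))
        if sect == "O4":
            m = O4_RE.match(body)
            if m:
                name = m.group("name").strip()
                target = autostart_target(m.group("cmd"))
                if not name:
                    findings.append(("unnamed autostart entry", line))
                if target:
                    autostarts[target][name] = line
        elif sect == "F3":
            m = F3_RE.match(body)
            if m:
                target = autostart_target(m.group("cmd"))
                if target:
                    autostarts[target]["win.ini run="] = line
        elif sect == "O16":
            m = O16_RE.match(body)
            if m and not m.group("url"):
                findings.append(("ActiveX (DPF) entry with no source URL", line))
        elif sect == "O7":
            findings.append(("policy restricting admin tools", line))

    # Assumed heuristic: the same binary registered under two or more
    # differently named autostart entries (e.g. a Run key plus win.ini)
    # is unusual for legitimate software and worth a closer look.
    for target, by_name in autostarts.items():
        if len(by_name) >= 2:
            for line in by_name.values():
                findings.append((f"repeated persistence for {target}", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```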
Old 10-02-2007, 11:43 PM   #2 (permalink)
TSF Enthusiast
 
eXPeri3nc3's Avatar
 
Join Date: Dec 2005
Location: Malaysia (GMT+8)
Posts: 1,073
OS: Windows XP Pro SP3 RC, VMWare (Ubuntu 7.10), BackTrack3 Beta


Blog Entries: 5
Re: pc very slow, multiple trojans/malware, hijackthis log

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.
__________________
If You Feel That We've Helped You, Please Donate To The Forum

`Nothing in the world is difficult for one who sets their mind to it` e X P e r i 3 n c 3 -- AleX `Jade that is not cut does not become a vessel`
"It's not because things are difficult that we dare not, it's because we dare not that things are difficult" <- Makes a huge diff
eXPeri3nc3 is offline  
Old 10-03-2007, 06:54 PM   #3 (permalink)
TSF Enthusiast
 
eXPeri3nc3's Avatar
 
Join Date: Dec 2005
Location: Malaysia (GMT+8)
Posts: 1,073
OS: Windows XP Pro SP3 RC, VMWare (Ubuntu 7.10), BackTrack3 Beta


Blog Entries: 5
Re: pc very slow, multiple trojans/malware, hijackthis log

Hello and welcome to TSF

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply. To do this click Thread Tools (above the first post), then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions, as this webpage would not be available while you're carrying out the fix.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your system is clean.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear. So let's do this to the end!

Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more likely additional infections will result.


----------------------------------------

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

DO NOT RUN IT YET

--------------------------------------------------------------------

Download SDFix and save it to your Desktop.

We will use it shortly.

--------------------------------------------------------------------

P2P - I see you have P2P software (Shareaza) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

We recommend that you uninstall it.

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

Go!Zilla

Please restart if prompted

--------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

R3 - URLSearchHook: (no name) - _{D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} - (no file)
O16 - DPF: {0A79AAEF-0913-4E57-9429-59EA4377D8E9} (LaunchGame.launchGameCtrl) - http://shot.ongamenet.com.au/LaunchGame_20050802.CAB
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/int_ver32b.CAB
O16 - DPF: {127CE7BA-AD89-4108-A913-C52EFC037C36} -
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.35mb.com/applet/applet_l.cab
O16 - DPF: {2776DDE9-D4B2-4BF7-9F98-ADC1A1B80AF5} -
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/...b_pictures.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyharem.com/stream/mmp.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://l00kl23.com/default.cab?uid=6...x&ppd=4&tag=45
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/si...nerInstall.cab
O16 - DPF: {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} (SearchHook Class) - http://www.halflemon.com/Halflemon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/c...ploader_v6.cab

Please remember to close all other windows, including browsers then click Fix checked.

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Run ComboFix using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


--------------------------------------------------------------------

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

--------------------------------------------------------------------

Post the following logs in your next reply...
  • C:\ComboFix.txt
  • SDFix log
  • Fresh HJT log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
__________________
If You Feel That We've Helped You, Please Donate To The Forum

`世上无难事,只怕有心人` e X P e r i 3 n c 3 -- AleX `玉不琢不成器`
"It's not because things are difficult that we dare not, it's because we dare not that things are difficult" <- Makes a huge diff
Old 10-05-2007, 10:59 AM   #4 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 5
OS: XP


Re: pc very slow, multiple trojans/malware, hijackthis log

Hi, here are the requested log files. The only problem was starting my PC in Safe Mode; I tried until I was blue in the face and ended up using Safe Mode via 'msconfig', which seemed to do the job.


ComboFix 07-10-05.3 - Jon_W 2007-10-06 6:05:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.644 [GMT 13:00]
Running from: C:\Documents and Settings\Jon_W\desktop\combofix.exe
Command switches used :: /killall
.

((((((((((((((((((((((((( Files Created from 2007-09-05 to 2007-10-05 )))))))))))))))))))))))))))))))
.

2007-10-05 21:25 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-05 19:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-02 22:32 <DIR> d-------- C:\Deckard
2007-09-30 22:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-30 22:10 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-09-30 06:38 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-09-30 00:58 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-28 08:04 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-09-28 08:04 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-28 08:04 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-09-12 09:22 <DIR> d-------- C:\Program Files\Mobiola Web Camera for S60 3Ed

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-06 05:22 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\OpenOffice.org2
2007-09-30 18:04 --------- d-------- C:\Program Files\Softdiv Audio Converter
2007-09-30 18:03 --------- d-------- C:\Program Files\Shareaza
2007-09-30 18:03 --------- d-------- C:\Program Files\PowerISO
2007-09-30 18:03 --------- d-------- C:\Program Files\PKR
2007-09-30 17:55 --------- d-------- C:\Program Files\Multimedia Combo Set
2007-09-30 17:55 --------- d-------- C:\Program Files\Microsoft IntelliPoint
2007-09-30 17:55 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-09-30 06:37 --------- d-------- C:\Program Files\Common Files\Real
2007-09-30 06:36 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\Real
2007-09-30 04:31 --------- d-------- C:\Program Files\WinAce
2007-09-30 04:31 --------- d-------- C:\Program Files\QuickTime
2007-09-20 22:45 --------- d-------- C:\Program Files\Activision Value
2007-09-18 01:14 --------- d-------- C:\Program Files\TexasCalculatem
2007-09-17 21:21 --------- d-------- C:\Program Files\Poker.com
2007-09-15 19:32 --------- d-------- C:\Program Files\Axis & Allies
2007-09-03 10:27 --------- d-------- C:\Program Files\jetflash
2007-09-02 20:53 --------- d-------- C:\Program Files\ShotOnline International
2007-08-30 16:56 --------- d-------- C:\Program Files\CDisplay
2007-08-26 11:45 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\GrabIt
2007-08-21 23:14 --------- d-------- C:\Program Files\Steam
2007-08-21 15:42 --------- d-------- C:\Program Files\Winamp
2007-08-19 20:50 --------- d-------- C:\Program Files\American Systems
2007-08-19 20:44 2772480 --a------ C:\Program Files\psdlx.exe
2007-08-18 00:25 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\Media Player Classic
2007-08-17 21:33 --------- d-------- C:\Program Files\K-Lite Codec Pack
2007-08-17 21:23 --------- d-------- C:\Program Files\Morgan
2007-08-17 21:23 --------- d-------- C:\Program Files\DivX
2007-08-17 21:22 13043226 --a------ C:\Program Files\klcodec330f.exe
2007-08-17 16:39 --------- d-------- C:\Program Files\GameSpy Arcade
2007-08-17 16:38 --------- d-------- C:\Program Files\GRETECH
2007-08-17 16:28 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-17 16:14 --------- d-------- C:\Program Files\Real
2007-08-17 15:54 --------- d-------- C:\Program Files\Video Server E
2007-08-16 04:00 --------- d-------- C:\Program Files\MSXML 4.0
2007-08-13 17:08 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\SecondLife
2007-08-12 02:11 --------- d-------- C:\Program Files\NZBPlayer
2007-08-11 16:19 --------- d-------- C:\Program Files\PartyGaming
2007-08-11 15:46 --------- d-------- C:\Program Files\Cypress USB 2.0 DVR
2007-08-11 15:17 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\Microsoft Games
2007-08-11 02:10 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-08-11 02:10 114688 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-08-10 20:37 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\Skype
2007-08-09 01:49 --------- d-------- C:\Program Files\id Software
2007-08-06 04:25 --------- d-------- C:\Program Files\VideoLAN
2007-08-06 04:24 9453630 --a------ C:\Program Files\vlc-0.8.6a-win32.exe
2007-07-30 20:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 20:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 20:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 20:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 20:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 20:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 20:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 20:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-10 19:55 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-06-30 04:59 1572511 --a------ C:\Program Files\SetupImgBurn_2.3.2.0.exe
2007-06-30 04:53 8166272 --a------ C:\Program Files\Alcohol120_trial_1.9.6.5403.exe
2007-05-19 22:19 6182805 --a------ C:\Program Files\Firefox Setup 2.0.0.3.exe
2007-05-19 09:33 6136608 --a------ C:\Program Files\winamp535_pro.exe
2007-04-28 02:07 20942920 --a------ C:\Program Files\SkypeSetup.exe
2007-04-17 21:46 113849647 --a------ C:\Program Files\OOo_2.2.0_Win32Intel_install_wJRE_en-US.exe
2007-04-16 07:43 5051008 --a------ C:\Program Files\TradeManagerInstall.exe
2007-02-08 01:56 25886966 --a------ C:\Program Files\WDM_R154.exe
2007-02-08 00:53 25886966 --a------ C:\Program Files\RTLCPL.exe
2007-01-19 13:23 14994392 --a------ C:\Program Files\GoogleEarthWin.exe
2006-11-23 19:51 611017728 --a------ C:\Program Files\PRISMGuardShield_Demo.exe
2006-11-22 04:21 43099 --a------ C:\Program Files\simpleviewer.zip
2006-11-21 19:50 535421557 --a------ C:\Program Files\WAR_FRONT_MULTIPLAYER_DEMO.EXE
2006-11-06 16:34 855344 --a------ C:\Program Files\WGAPluginInstall.exe
2005-11-23 21:07 4878136 --a------ C:\Program Files\Firefox Setup 1.0.7.exe
2005-10-06 12:47 2266608 --a------ C:\Program Files\ec22.exe
2005-10-05 21:21 3797975 --a------ C:\Program Files\BitTorrent-4.0.4.exe
2005-10-03 11:59 895488 --a------ C:\Program Files\iview397.exe
2005-02-04 16:24 10810909 --a------ C:\Program Files\avg70free_300a419.exe
2004-06-23 09:27 1531833 --a------ C:\Program Files\NT187.EXE
1999-05-06 01:30 956 --a------ C:\Program Files\DXINFO.CFG
1999-05-06 01:30 8170 --a------ C:\Program Files\README.TXT
1999-05-06 01:30 35328 --a------ C:\Program Files\DXLAUNCH.EXE
1999-05-06 01:30 35 --a------ C:\Program Files\AUTOPLAY.BAT
2005-06-26 20:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 03:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-05_19.43.36.71 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-09-27 09:03:23 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 17,260,544 2007-10-05 08:26:07 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
----a-w 487,424 2007-10-05 08:26:07 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 163,328 2007-09-27 09:03:23 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
----a-w 17,260,544 2007-10-05 08:25:52 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
----a-w 487,424 2007-10-05 08:25:52 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD4C3CF0-4B15-11D1-ABED-709549C10000}]
C:\Program Files\Go!Zilla\GoIEHlp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-14 10:03]
"AVG7_EMC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [2007-08-17 10:04]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-28 19:40]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-06-06 03:06]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-24 12:26]
"DSLSTATEXE"="C:\Program Files\D-Link\DSL-200\dslstat.exe" [2005-01-21 21:04]
"DSLAGENTEXE"="C:\Program Files\D-Link\DSL-200\dslagent.exe" [2005-01-21 21:04]
"WMC_AutoUpdate"="" []
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2006-01-04 14:43]
"VTTimer"="VTTimer.exe" [2005-03-08 08:33 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-11-01 09:15 C:\WINDOWS\system32\VTTrayp.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 C:\WINDOWS\system32\nvmctray.dll]
"P17Helper"="SPIRun.dll" [2006-07-03 12:43 C:\WINDOWS\system32\SPIRun.dll]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-28 09:56]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-16 10:48]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 22:25]
"WireLessMouse "="C:\Program Files\Multimedia Combo Set\MouseDrv.exe" [2004-06-27 15:54]
"WireLessKeyboard "="C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe" [2005-08-02 23:55]
"PKR Pal"="C:\Program Files\PKR\pkrpal.exe" [2007-09-19 00:40]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-30 06:36]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Shareaza"="C:\Program Files\Shareaza\Shareaza.exe" [2005-10-27 19:44]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 00:13]
"SetDefaultMIDI"="MIDIDef.exe" [2005-04-22 11:27 C:\WINDOWS\MIDIDEF.EXE]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 23:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FFTI"=C:\Documents and Settings\Jon_W\Application Data\Mozilla\Firefox\Profiles\uknct2rc.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Jon_W\Application Data\Mozilla\Firefox\Profiles/uknct2rc.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"

C:\Documents and Settings\Jon_W\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 17:54:56]
PowerReg Scheduler.exe [2006-01-24 01:36:36]
Registration Lock On [2007-07-02 07:56:07]

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R3 BTCAMDRV;Mobiola Web Camera driver;C:\WINDOWS\system32\DRIVERS\BTCamDrv.sys
R3 P17xfi;Sound Blaster X-Fi Xtreme Audio;C:\WINDOWS\system32\drivers\P17xfi.sys
R3 p17xfilt;p17xfilt;C:\WINDOWS\system32\drivers\p17xfilt.sys
R3 wanusb;D-Link DSL-200 USB ADSL Modem(WAN);C:\WINDOWS\system32\DRIVERS\gwausb.sys
S2 DCamUSB20;USB 2.0 Capture;C:\WINDOWS\system32\Drivers\CsMini20.sys
S2 Usb20Scan;USB 2.0 Still Image;C:\WINDOWS\system32\Drivers\CresScan.sys
S3 jbridgep;jbridgep;\??\C:\DOCUME~1\Jon_W\LOCALS~1\Temp\jbridgep.sys
S3 VNic;ULan Network Driver Module;C:\WINDOWS\system32\DRIVERS\VNic.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c74496bc-405d-11d9-907b-806d6172696f}]
AutoRun\command- D:\autorun\autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FC100000-A322-BF20-D41D-B00000104603}]
C:\WINDOWS\scvhost.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-06 0653
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
P17Helper = Rundll32 SPIRun.dll,RunDLLEntry?

scanning hidden files ...

C:\WINDOWS\wininit.ini
C:\WINDOWS\winnt.bmp
C:\WINDOWS\winnt256.bmp
C:\WINDOWS\WinSxS
C:\WINDOWS\WMFDist11.log
C:\WINDOWS\wmp11.log
C:\WINDOWS\wmp11Uninst.log
C:\WINDOWS\wmsetup.log
C:\WINDOWS\wmsetup10.log
C:\WINDOWS\WMSysPr9.prx
C:\WINDOWS\WMSysPrx.prx
C:\WINDOWS\WSST_Screen_Saver.ini
C:\WINDOWS\Wudf01000Inst.log
C:\WINDOWS\wwdslcfg.ini
C:\WINDOWS\wwdslcfg.log
C:\WINDOWS\XDICT.INI
C:\WINDOWS\Zapotec.bmp
C:\WINDOWS\_default.pif
C:\WINDOWS\_MSRSTRT.EXE
C:\WINDOWS\Windows Update.log
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\winhelp.exe
C:\WINDOWS\winhlp32.exe

scan completed successfully
hidden files: 24

**************************************************************************
.
Completion time: 2007-10-06 6:08:01
C:\ComboFix-quarantined-files.txt ... 2007-10-06 06:07
C:\ComboFix2.txt ... 2007-10-05 19:44
.
--- E O F ---


-----------------------------------------------------------------------


SDFix: Version 1.107

Run by Jon_W on Sat 06/10/2007 at 06:17 a.m.

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Mon 10 Jan 2005 40,960 A..HR --- "C:\WINDOWS\MustRead\Must Read.exe"
Mon 27 Jun 2005 616,448 A.SHR --- "C:\WINDOWS\system32\cygwin1.dll"
Wed 22 Jun 2005 45,568 A.SHR --- "C:\WINDOWS\system32\cygz.dll"
Thu 27 Jun 2002 73,728 A..H. --- "C:\WINDOWS\system32\IETie.dll"
Fri 7 Jan 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 22 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 3 Aug 2006 888 A..H. --- "C:\Documents and Settings\Jon_W\Application Data\SecuROM\UserData\securom_v7_01.bak"
Sat 9 Dec 2006 20 A..H. --- "C:\Documents and Settings\Jon_W\My Documents\My Music\License Backup\drmv1lic.bak"

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:39 a.m., on 6/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Multimedia Combo Set\MouseDrv.exe
C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: CPub Object - {CA70AF0D-0D07-4b80-9ECE-B0F1BEFC5822} - C:\Program Files\Byteswarm\DLInterceptor.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WireLessMouse ] C:\Program Files\Multimedia Combo Set\MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard ] C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [PKR Pal] "C:\Program Files\PKR\pkrpal.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Jon_W\Application Data\Mozilla\Firefox\Profiles\uknct2rc.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Jon_W\Application Data\Mozilla\Firefox\Profiles/uknct2rc.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Registration Lock On
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe (file missing)
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/S...dObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/pa.../GSManager.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.150.183.238/activex/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://aaotracker.4players.de/LaunchGame.cab
O16 - DPF: {FDF6378C-7B5D-4ABF-BA1F-92748305FFAC} (DownloadManagerInstall Control) - http://beta.byteswarm.com/agent/1.3.0.1/DMInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2B011FC-52BC-4B06-A2C6-284118F8F318}: NameServer = 210.48.65.2 210.48.66.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8F125C6-8B6C-4CDF-88B4-6FD4DA61A6E4}: NameServer = 203.0.178.191
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 10718 bytes
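Added example, not code from this thread or from HijackThis, ComboFix or SDFix: a small Python triage script that parses HijackThis entries of the kind the helper listed for 'Fix checked' in the first post and that fill the log posted above, and flags the classes of entry a reviewer looks at first: orphaned hooks marked (no file) or (file missing), O16 ActiveX CABs served from hosts outside an allow-list, O17 per-adapter DNS servers, O23 services with no vendor string, and anything loading from a Temp directory. The TRUSTED_CAB_HOSTS allow-list is my assumption, not something the thread supplies; the sample lines are copied from the log above.

```python
"""Triage a HijackThis 2.x log: parse the entry lines and flag the ones worth a second look.

Added example for this thread; it is not part of HijackThis, ComboFix or SDFix.
The CAB-host allow-list below is an assumption, not a list the thread supplies.
"""
import re
from urllib.parse import urlparse

# A HijackThis entry looks like "O16 - DPF: {CLSID} (Name) - URL" or
# "R3 - URLSearchHook: ... - (no file)". We keep the section code and the rest.
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")

# Assumed allow-list: hosts this user can reasonably expect to serve ActiveX CABs
# (the scanner vendors used in the thread, Microsoft, HP). Everything else is flagged.
TRUSTED_CAB_HOSTS = {
    "housecall60.trendmicro.com",
    "acs.pandasoftware.com",
    "go.microsoft.com",
    "www.hp.com",
}

# Sample input, copied from the HijackThis log posted above (constructed subset).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: CPub Object - {CA70AF0D-0D07-4b80-9ECE-B0F1BEFC5822} - C:\Program Files\Byteswarm\DLInterceptor.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {127CE7BA-AD89-4108-A913-C52EFC037C36} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8F125C6-8B6C-4CDF-88B4-6FD4DA61A6E4}: NameServer = 203.0.178.191
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def parse(log_text):
    """Yield (code, body) for every HijackThis entry line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return a list of (reason, entry) findings. An empty list means nothing was flagged."""
    findings = []
    for code, body in parse(log_text):
        entry = f"{code} - {body}"

        # Orphaned entries: the binary is gone but the hook survived. Harmless on
        # their own, but almost always leftovers of a removed or half-removed program.
        if "(file missing)" in body or "(no file)" in body:
            findings.append(("orphaned entry", entry))

        # O16 = Downloaded Program Files: an ActiveX control pulled from a URL.
        if code == "O16":
            parts = body.split(" - ")
            url = parts[-1].strip() if len(parts) > 1 else ""
            host = urlparse(url).hostname or ""
            if not host:
                findings.append(("ActiveX control with no source URL", entry))
            elif host not in TRUSTED_CAB_HOSTS:
                findings.append(("ActiveX CAB from untrusted host", entry))

        # O17 = per-adapter DNS servers; silently changed resolvers are a classic hijack.
        if code == "O17" and "NameServer" in body:
            findings.append(("DNS servers set, verify against ISP", entry))

        # O23 = services; "Unknown owner" means the binary carries no company string.
        if code == "O23" and "Unknown owner" in body:
            findings.append(("service with no vendor string", entry))

        # Anything that loads from a Temp directory deserves a look.
        if re.search(r"\\Temp\\", body, re.IGNORECASE):
            findings.append(("loads from a Temp directory", entry))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```

The script only ranks; it does not decide. A flagged O16 entry from a game or poker site may be exactly what the user installed on purpose, which is why the helper's list above still has to be read by a person, and the allow-list should be extended with whatever the machine's owner actually uses.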
Old 10-07-2007, 01:49 AM   #5 (permalink)
TSF Enthusiast
 
Join Date: Dec 2005
Location: Malaysia (GMT+8)
Posts: 1,073
OS: Windows XP Pro SP3 RC, VMWare (Ubuntu 7.10), BackTrack3 Beta

Re: pc very slow, multiple trojans/malware, hijackthis log

Hello,

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions, as this webpage will not be available while you're carrying out the fix.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

--------------------------------------------------------------------

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\DOCUME~1\Jon_W\LOCALS~1\Temp\jbridgep.sys

Folder::
C:\Program Files\Go!Zilla

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD4C3CF0-4B15-11D1-ABED-709549C10000}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c74496bc-405d-11d9-907b-806d6172696f}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FC100000-A322-BF20-D41D-B00000104603}]

Driver::
jbridgep

DirLook::
C:\WINDOWS\MustRead\

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


--------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O2 - BHO: CPub Object - {CA70AF0D-0D07-4b80-9ECE-B0F1BEFC5822} - C:\Program Files\Byteswarm\DLInterceptor.dll (file missing)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html



Please remember to close all other windows, including browsers then click Fix checked.

Reboot your system in Normal Mode.

--------------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

--------------------------------------------------------------------

Please post the following logs in your next reply...
  • C:\ComboFix.txt
  • Kaspersky Extended Scan Log
  • Fresh Hijackthis log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
__________________
If You Feel That We've Helped You, Please Donate To The Forum

`Nothing in the world is hard for one who sets their mind to it` e X P e r i 3 n c 3 -- AleX `Jade left uncut never becomes a vessel`
"It's not because things are difficult that we dare not, it's because we dare not that things are difficult" <- Makes a huge diff
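The CFScript above and the HijackThis entries it targets both follow fixed line formats, so the triage a helper does by eye can be scripted. The block below is an added example written for this page; it is not code from the thread, from HijackThis or from ComboFix. It parses a constructed sample log (six lines copying shapes posted in this thread, plus one invented O23 line for a driver loading out of Temp, since the helper's script removes such a file but no HJT line for it was posted), flags entries with a few simple heuristics, and drafts File::, Driver:: and Registry:: sections in the CFScript syntax used above. The full Browser Helper Objects and Internet Explorer Extensions registry paths are assumed standard locations (the thread abbreviates the BHO key with ComboFix's `~` shorthand), and the O23 service-name parse assumes the name HijackThis shows is the service name.

```python
"""Triage a HijackThis log and draft a ComboFix CFScript from the hits.

Added example for this thread, not code from HijackThis, ComboFix or the
forum.  It parses the O2/O4/O6/O8/O9/O23 line shapes posted above and applies
the checks a helper applies by eye.  Its output is a draft to review, never
something to drop onto ComboFix unread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample.  Six lines copy shapes posted in the thread; the O23
# jbridgep line is invented to show a service loading a driver out of Temp
# (the helper's CFScript removes that file, but no such HJT line was posted).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CPub Object - {CA70AF0D-0D07-4b80-9ECE-B0F1BEFC5822} - C:\Program Files\Byteswarm\DLInterceptor.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe (file missing)
O23 - Service: jbridgep - Unknown owner - C:\DOCUME~1\Jon_W\LOCALS~1\Temp\jbridgep.sys
"""

HJT_LINE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
CLSID = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
# first Windows path ending in a loadable image or an HTML page
IMAGE = re.compile(r"[A-Z]:\\.+?\.(?:exe|dll|sys|ocx|cpl|scr|html?)\b", re.I)

# Registry homes of O2 and O9 entries: standard locations, assumed here
# (the thread writes the BHO key with ComboFix's "~" shorthand).
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
IE_EXT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions"


@dataclass
class Entry:
    section: str
    raw: str
    clsid: Optional[str]
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def triage(e: Entry) -> List[str]:
    """Cheap checks that separate 'look closer' from 'known vendor, leave it'."""
    flags = []
    if "(file missing)" in e.raw:
        flags.append("orphaned: registry entry points at a file that is gone")
    if e.path and "\\temp\\" in e.path.lower():
        flags.append("image loaded from a Temp directory")
    if e.section == "O6":
        flags.append("Internet Options locked by policy")
    if e.section == "O23" and "Unknown owner" in e.raw:
        flags.append("service binary carries no vendor information")
    return flags


def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        clsid = CLSID.search(body) if section in ("O2", "O9") else None
        image = IMAGE.search(body)
        e = Entry(section, line.strip(),
                  clsid.group(0) if clsid else None,
                  image.group(0) if image else None)
        e.flags = triage(e)
        entries.append(e)
    return entries


def draft_cfscript(entries: List[Entry]) -> str:
    """Map flagged entries onto the CFScript sections used in the thread.
    [-KEY] under Registry:: deletes the key; File:: and Driver:: remove the
    file and the driver service.  O6 hits are left to HijackThis 'Fix checked'."""
    files, drivers, regs = [], [], []
    for e in entries:
        if not e.flags:
            continue
        if e.section == "O2" and e.clsid:
            regs.append(f"[-{BHO_KEY}\\{e.clsid}]")
        elif e.section == "O9" and e.clsid:
            regs.append(f"[-{IE_EXT_KEY}\\{e.clsid}]")
        elif e.section == "O23" and e.path and "\\temp\\" in e.path.lower():
            files.append(e.path)
            # assumes the name HJT shows is the service name (true when the
            # display name and service name coincide, as in the sample)
            name = re.match(r"O23 - Service: (.+?) - ", e.raw)
            if name:
                drivers.append(name.group(1))
    blocks = [f"{hdr}\n" + "\n".join(items)
              for hdr, items in (("File::", files), ("Driver::", drivers), ("Registry::", regs))
              if items]
    return "\n\n".join(blocks)


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for e in found:
        if e.flags:
            print(f"{e.section}: {'; '.join(e.flags)}\n    {e.raw}")
    print()
    print(draft_cfscript(found))
```

Run as-is it prints the four flagged lines and a three-section draft script. Treat that draft the way the helper treated the log: as a list of candidates to read, confirm against the original entries and prune before anything is handed to ComboFix.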
Old 10-08-2007, 06:39 PM   #6 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 5
OS: XP


Re: pc very slow, multiple trojans/malware, hijackthis log

Hi, I didn't have any problem performing these steps, my pc is a bit faster now. Here are the requested log files:

ComboFix 07-10-05.3 - Jon_W 2007-10-09 11:02:47.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.626 [GMT 13:00]
Running from: C:\Documents and Settings\Jon_W\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jon_W\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\DOCUME~1\Jon_W\LOCALS~1\Temp\jbridgep.sys
.

((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-05 21:25 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-05 19:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-02 22:32 <DIR> d-------- C:\Deckard
2007-09-30 22:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-30 22:10 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-09-30 06:38 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-09-30 00:58 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-28 08:04 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-09-28 08:04 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-28 08:04 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-09-12 09:22 <DIR> d-------- C:\Program Files\Mobiola Web Camera for S60 3Ed

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-09 07:57 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\OpenOffice.org2
2007-09-30 18:04 --------- d-------- C:\Program Files\Softdiv Audio Converter
2007-09-30 18:03 --------- d-------- C:\Program Files\Shareaza
2007-09-30 18:03 --------- d-------- C:\Program Files\PowerISO
2007-09-30 18:03 --------- d-------- C:\Program Files\PKR
2007-09-30 17:55 --------- d-------- C:\Program Files\Multimedia Combo Set
2007-09-30 17:55 --------- d-------- C:\Program Files\Microsoft IntelliPoint
2007-09-30 17:55 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-09-30 06:37 --------- d-------- C:\Program Files\Common Files\Real
2007-09-30 06:36 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\Real
2007-09-30 04:31 --------- d-------- C:\Program Files\WinAce
2007-09-30 04:31 --------- d-------- C:\Program Files\QuickTime
2007-09-20 22:45 --------- d-------- C:\Program Files\Activision Value
2007-09-18 01:14 --------- d-------- C:\Program Files\TexasCalculatem
2007-09-17 21:21 --------- d-------- C:\Program Files\Poker.com
2007-09-15 19:32 --------- d-------- C:\Program Files\Axis & Allies
2007-09-03 10:27 --------- d-------- C:\Program Files\jetflash
2007-09-02 20:53 --------- d-------- C:\Program Files\ShotOnline International
2007-08-30 16:56 --------- d-------- C:\Program Files\CDisplay
2007-08-26 11:45 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\GrabIt
2007-08-21 23:14 --------- d-------- C:\Program Files\Steam
2007-08-21 15:42 --------- d-------- C:\Program Files\Winamp
2007-08-19 20:50 --------- d-------- C:\Program Files\American Systems
2007-08-19 20:44 2772480 --a------ C:\Program Files\psdlx.exe
2007-08-18 00:25 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\Media Player Classic
2007-08-17 21:33 --------- d-------- C:\Program Files\K-Lite Codec Pack
2007-08-17 21:23 --------- d-------- C:\Program Files\Morgan
2007-08-17 21:23 --------- d-------- C:\Program Files\DivX
2007-08-17 21:22 13043226 --a------ C:\Program Files\klcodec330f.exe
2007-08-17 16:39 --------- d-------- C:\Program Files\GameSpy Arcade
2007-08-17 16:38 --------- d-------- C:\Program Files\GRETECH
2007-08-17 16:28 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-17 16:14 --------- d-------- C:\Program Files\Real
2007-08-17 15:54 --------- d-------- C:\Program Files\Video Server E
2007-08-16 04:00 --------- d-------- C:\Program Files\MSXML 4.0
2007-08-13 17:08 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\SecondLife
2007-08-12 02:11 --------- d-------- C:\Program Files\NZBPlayer
2007-08-11 16:19 --------- d-------- C:\Program Files\PartyGaming
2007-08-11 15:46 --------- d-------- C:\Program Files\Cypress USB 2.0 DVR
2007-08-11 15:17 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\Microsoft Games
2007-08-10 20:37 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\Skype
2007-08-09 01:49 --------- d-------- C:\Program Files\id Software
2007-08-06 04:24 9453630 --a------ C:\Program Files\vlc-0.8.6a-win32.exe
2007-06-30 04:59 1572511 --a------ C:\Program Files\SetupImgBurn_2.3.2.0.exe
2007-06-30 04:53 8166272 --a------ C:\Program Files\Alcohol120_trial_1.9.6.5403.exe
2007-05-19 22:19 6182805 --a------ C:\Program Files\Firefox Setup 2.0.0.3.exe
2007-05-19 09:33 6136608 --a------ C:\Program Files\winamp535_pro.exe
2007-04-28 02:07 20942920 --a------ C:\Program Files\SkypeSetup.exe
2007-04-17 21:46 113849647 --a------ C:\Program Files\OOo_2.2.0_Win32Intel_install_wJRE_en-US.exe
2007-04-16 07:43 5051008 --a------ C:\Program Files\TradeManagerInstall.exe
2007-02-08 01:56 25886966 --a------ C:\Program Files\WDM_R154.exe
2007-02-08 00:53 25886966 --a------ C:\Program Files\RTLCPL.exe
2007-01-19 13:23 14994392 --a------ C:\Program Files\GoogleEarthWin.exe
2006-11-23 19:51 611017728 --a------ C:\Program Files\PRISMGuardShield_Demo.exe
2006-11-22 04:21 43099 --a------ C:\Program Files\simpleviewer.zip
2006-11-21 19:50 535421557 --a------ C:\Program Files\WAR_FRONT_MULTIPLAYER_DEMO.EXE
2006-11-06 16:34 855344 --a------ C:\Program Files\WGAPluginInstall.exe
2005-11-23 21:07 4878136 --a------ C:\Program Files\Firefox Setup 1.0.7.exe
2005-10-06 12:47 2266608 --a------ C:\Program Files\ec22.exe
2005-10-05 21:21 3797975 --a------ C:\Program Files\BitTorrent-4.0.4.exe
2005-10-03 11:59 895488 --a------ C:\Program Files\iview397.exe
2005-02-04 16:24 10810909 --a------ C:\Program Files\avg70free_300a419.exe
2004-06-23 09:27 1531833 --a------ C:\Program Files\NT187.EXE
1999-05-06 01:30 956 --a------ C:\Program Files\DXINFO.CFG
1999-05-06 01:30 8170 --a------ C:\Program Files\README.TXT
1999-05-06 01:30 35328 --a------ C:\Program Files\DXLAUNCH.EXE
1999-05-06 01:30 35 --a------ C:\Program Files\AUTOPLAY.BAT
2005-06-26 20:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 03:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


---- Directory of C:\WINDOWS\MustRead\ ----

2005-01-10 20:18 40960 -rah----- C:\WINDOWS\MustRead\\Must Read.exe
2004-12-31 21:37 79775 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.htm
2004-12-31 21:37 369 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\border_index.css
2004-12-31 21:37 194 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\bord01.css
2004-12-31 21:35 5286 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\V-301_150.jpg
2004-12-31 15:08 696 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\icon-question-1.gif
2004-12-31 15:08 664 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\profile_manual.gif
2004-12-31 15:08 648 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\icon-download-2.gif
2004-12-31 15:08 624 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\PRODUCTS_manual.gif
2004-12-31 15:08 549 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\news_manual.gif
2004-12-31 15:08 527 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\award_manual.gif
2004-12-31 15:08 403 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\FAQ_MANUAL.gif
2004-12-31 15:08 245 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\line_index.gif
2004-12-30 20:54 774 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\icon-buy.gif
2004-12-30 20:54 761 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\registration_1.gif
2004-12-30 20:54 7560 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\nvidia.jpg
2004-12-30 20:54 7114 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\winXPMC.gif
2004-12-30 20:54 6612 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\402_PlayTV500DVB-T.gif
2004-12-30 20:54 6532 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\G6600_Box%20GT_128_150.jpg
2004-12-30 20:54 648 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\3DVGA_manual.gif
2004-12-30 20:54 619 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\partners_manual.gif
2004-12-30 20:54 553 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\icon-award.gif
2004-12-30 20:54 550 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\certificate_manual.gif
2004-12-30 20:54 540 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\contact_manual.gif
2004-12-30 20:54 5334 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\PROLINKNEWS.jpg
2004-12-30 20:54 515 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\iabu_01.gif
2004-12-30 20:54 435 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\home-2.gif
2004-12-30 20:54 4004 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\CeBIT.jpg
2004-12-30 20:54 3581 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\print-icon1.jpg
2004-12-30 20:54 30741 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\mm_menu.js
2004-12-30 20:54 30029 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\400USB_BoxCard_150.jpg
2004-12-30 20:54 24913 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\DVB-T_mark.jpg
2004-12-30 20:54 2181 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\new04.gif
2004-12-30 20:54 2116 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\aboutprolink_manual.gif
2004-12-30 20:54 19675 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\vmax_products.gif
2004-12-30 20:54 19504 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\PCX_POR.jpg
2004-12-30 20:54 1664 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\support_manual.gif
2004-12-30 20:54 160 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\work.gif
2004-12-30 20:54 129 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\tower.gif
2004-12-29 14:05 450270 -ra------ C:\WINDOWS\MustRead\\bmp\SPA.bmp
2004-12-29 14:03 450270 -ra------ C:\WINDOWS\MustRead\\bmp\GER.bmp
2004-12-29 14:02 450270 -ra------ C:\WINDOWS\MustRead\\bmp\FRE.bmp
2004-12-29 14:01 450270 -ra------ C:\WINDOWS\MustRead\\bmp\ENU.bmp
2004-12-29 14:01 450270 -ra------ C:\WINDOWS\MustRead\\bmp\CHS.bmp
2004-12-29 14:00 450270 -ra------ C:\WINDOWS\MustRead\\bmp\KOR.bmp
2004-12-29 14:00 450270 -ra------ C:\WINDOWS\MustRead\\bmp\JPN.bmp
2004-12-29 13:59 450270 -ra------ C:\WINDOWS\MustRead\\bmp\CHT.bmp


((((((((((((((((((((((((((((( snapshot@2007-10-05_19.43.36.71 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-09-27 09:03:23 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 17,260,544 2007-10-05 17:16:42 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
----a-w 487,424 2007-10-05 17:16:42 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 163,328 2007-09-27 09:03:23 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
----a-w 17,260,544 2007-10-05 08:25:52 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
----a-w 487,424 2007-10-05 08:25:52 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-14 10:03]
"AVG7_EMC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [2007-08-17 10:04]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-28 19:40]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-06-06 03:06]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-24 12:26]
"DSLSTATEXE"="C:\Program Files\D-Link\DSL-200\dslstat.exe" [2005-01-21 21:04]
"DSLAGENTEXE"="C:\Program Files\D-Link\DSL-200\dslagent.exe" [2005-01-21 21:04]
"WMC_AutoUpdate"="" []
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2006-01-04 14:43]
"VTTimer"="VTTimer.exe" [2005-03-08 08:33 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-11-01 09:15 C:\WINDOWS\system32\VTTrayp.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 C:\WINDOWS\system32\nvmctray.dll]
"P17Helper"="SPIRun.dll" [2006-07-03 12:43 C:\WINDOWS\system32\SPIRun.dll]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-28 09:56]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-16 10:48]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 22:25]
"WireLessMouse "="C:\Program Files\Multimedia Combo Set\MouseDrv.exe" [2004-06-27 15:54]
"WireLessKeyboard "="C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe" [2005-08-02 23:55]
"PKR Pal"="C:\Program Files\PKR\pkrpal.exe" [2007-09-19 00:40]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-30 06:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Shareaza"="C:\Program Files\Shareaza\Shareaza.exe" [2005-10-27 19:44]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 00:13]
"SetDefaultMIDI"="MIDIDef.exe" [2005-04-22 11:27 C:\WINDOWS\MIDIDEF.EXE]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 23:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FFTI"=C:\Documents and Settings\Jon_W\Application Data\Mozilla\Firefox\Profiles\uknct2rc.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Jon_W\Application Data\Mozilla\Firefox\Profiles/uknct2rc.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"

C:\Documents and Settings\Jon_W\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 17:54:56]
PowerReg Scheduler.exe [2006-01-24 01:36:36]
Registration Lock On [2007-07-02 07:56:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R3 BTCAMDRV;Mobiola Web Camera driver;C:\WINDOWS\system32\DRIVERS\BTCamDrv.sys
R3 P17xfi;Sound Blaster X-Fi Xtreme Audio;C:\WINDOWS\system32\drivers\P17xfi.sys
R3 p17xfilt;p17xfilt;C:\WINDOWS\system32\drivers\p17xfilt.sys
R3 wanusb;D-Link DSL-200 USB ADSL Modem(WAN);C:\WINDOWS\system32\DRIVERS\gwausb.sys
S2 DCamUSB20;USB 2.0 Capture;C:\WINDOWS\system32\Drivers\CsMini20.sys
S2 Usb20Scan;USB 2.0 Still Image;C:\WINDOWS\system32\Drivers\CresScan.sys
S3 VNic;ULan Network Driver Module;C:\WINDOWS\system32\DRIVERS\VNic.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-09 11:07:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\wininit.ini
C:\WINDOWS\winnt.bmp
C:\WINDOWS\winnt256.bmp
C:\WINDOWS\WinSxS
C:\WINDOWS\WMFDist11.log
C:\WINDOWS\wmp11.log
C:\WINDOWS\wmp11Uninst.log
C:\WINDOWS\wmsetup.log
C:\WINDOWS\wmsetup10.log
C:\WINDOWS\WMSysPr9.prx
C:\WINDOWS\WMSysPrx.prx
C:\WINDOWS\WSST_Screen_Saver.ini
C:\WINDOWS\Wudf01000Inst.log
C:\WINDOWS\wwdslcfg.ini
C:\WINDOWS\wwdslcfg.log
C:\WINDOWS\XDICT.INI
C:\WINDOWS\Zapotec.bmp
C:\WINDOWS\_default.pif
C:\WINDOWS\_MSRSTRT.EXE
C:\WINDOWS\Windows Update.log
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\winhelp.exe
C:\WINDOWS\winhlp32.exe

scan completed successfully
hidden files: 24

**************************************************************************
.
Completion time: 2007-10-09 11:09:46 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-09 11:09
C:\ComboFix2.txt ... 2007-10-06 06:08
C:\ComboFix3.txt ... 2007-10-05 19:44
.
--- E O F ---
KASPERSKY ONLINE SCANNER REPORT
Tuesday, October 09, 2007 2:11:20 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/10/2007
Kaspersky Anti-Virus database records: 429470


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics
Total number of scanned objects 127180
Number of viruses found 3
Number of infected objects 11
Number of suspicious objects 0
Duration of the scan process 01:23:08

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\AVG7\AVG7QT.DAT Infected: Trojan.Win32.Qhost.kc skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\Jon_W\Application Data\$_hpcst$.hpc Object is locked skipped

C:\Documents and Settings\Jon_W\Application Data\AVG7\Log\emc.log Object is locked skipped

C:\Documents and Settings\Jon_W\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Jon_W\Desktop\setup.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.btu skipped

C:\Documents and Settings\Jon_W\Desktop\setup.exe/stream Infected: Trojan-Downloader.Win32.Zlob.btu skipped

C:\Documents and Settings\Jon_W\Desktop\setup.exe NSIS: infected - 2 skipped

C:\Documents and Settings\Jon_W\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Jon_W\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Jon_W\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jon_W\Local Settings\Temp\WCESLog.log Object is locked skipped

C:\Documents and Settings\Jon_W\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jon_W\ntuser.dat Object is locked skipped

C:\Documents and Settings\Jon_W\NTUSER.DAT.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\SDFix\backups_old1\backups.zip/backups/setup.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.bqu skipped

C:\SDFix\backups_old1\backups.zip/backups/setup.exe Infected: Trojan-Downloader.Win32.Zlob.bqu skipped

C:\SDFix\backups_old1\backups.zip ZIP: infected - 2 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{CFA48CF2-59EA-46D3-A312-1F329C8A297C}\RP459\A0224602.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.bqu skipped

C:\System Volume Information\_restore{CFA48CF2-59EA-46D3-A312-1F329C8A297C}\RP459\A0224602.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{CFA48CF2-59EA-46D3-A312-1F329C8A297C}\RP459\A0224610.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.bqu skipped

C:\System Volume Information\_restore{CFA48CF2-59EA-46D3-A312-1F329C8A297C}\RP459\A0224610.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{CFA48CF2-59EA-46D3-A312-1F329C8A297C}\RP462\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\pfirewall.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:31 p.m., on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Multimedia Combo Set\MouseDrv.exe
C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WireLessMouse ] C:\Program Files\Multimedia Combo Set\MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard ] C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [PKR Pal] "C:\Program Files\PKR\pkrpal.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Jon_W\Application Data\Mozilla\Firefox\Profiles\uknct2rc.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Jon_W\Application Data\Mozilla\Firefox\Profiles/uknct2rc.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe (file missing)
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/S...dObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/pa.../GSManager.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.150.183.238/activex/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://aaotracker.4players.de/LaunchGame.cab
O16 - DPF: {FDF6378C-7B5D-4ABF-BA1F-92748305FFAC} (DownloadManagerInstall Control) - http://beta.byteswarm.com/agent/1.3.0.1/DMInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2B011FC-52BC-4B06-A2C6-284118F8F318}: NameServer = 210.48.65.2 210.48.66.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8F125C6-8B6C-4CDF-88B4-6FD4DA61A6E4}: NameServer = 203.0.178.191
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 10507 bytes
Old 10-10-2007, 01:42 AM   #7 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 5
OS: XP


Re: pc very slow, multiple trojans/malware, hijackthis log

I forgot to mention, thanks for the advice on shareaza, I have just uninstalled it.
Old 10-10-2007, 09:15 AM   #8 (permalink)
TSF Enthusiast
 
 
Join Date: Dec 2005
Location: Malaysia (GMT+8)
Posts: 1,073
OS: Windows XP Pro SP3 RC, VMWare (Ubuntu 7.10), BackTrack3 Beta


Blog Entries: 5
Re: pc very slow, multiple trojans/malware, hijackthis log

Hi jimmyfishcake,

Everything looks great --- your HijackThis logs appear to be clean. :) Please do the following:-

--------------------------------------------------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE (let me know if you fail to find/delete any)

C:\Documents and Settings\Jon_W\Desktop\setup.exe/

Please delete C:\SDFix as well.

--------------------------------------------------------------------

Note about poker games:
You appear to be a fan of games, but I think it's important to note that often these kinds of programs are installed with other unwanted software, namely spyware or adware. If you did not install these programs yourself, or you do not use them any more, I would definitely recommend that you uninstall them from your computer, even if it is simply a precautionary measure. The amount of different poker software which arises on the internet means it is impossible to keep track of which ones are infected and which ones are not. If you do use the software, and wish to continue doing so, please ignore this. If you do decide to go ahead and remove the poker software, you should be able to uninstall them via Add/Remove Programs, which can be found in the Control Panel. Let me know if you have any problems whilst doing so.
Here are links to some poker sites regarded as safe for your reference.

* http://www.pokerstars.net/ - This is a free to use/play site.
* http://www.pokerstars.com - This is the paid for version.

--------------------------------------------------------------------

Please fix the following entries as well if you have decided to remove them:

O4 - HKLM\..\Run: [PKR Pal] "C:\Program Files\PKR\pkrpal.exe" -osboot
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (HKCU)


Delete the following Files indicated in RED and Folders indicated in BLUE

C:\Program Files\PKR\
C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\
C:\Program Files\Poker.com\
C:\Program Files\PartyGaming\


--------------------------------------------------------------------

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, uninstalling ComboFix will reset/clear the cache in a little while.

---------------------------------------------------------------------

Start > Run - type ComboFix /u and press enter.

ComboFix will auto-uninstall now.

--------------------------------------------------------------------

Please take some time reading this list; it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Windows Updates (a must!)
    It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. You can either click on the link above and bookmark the updates page, or open Internet Explorer, then go to the Tools menu -> Windows Update, and follow the online instructions from there.
  • Firewall (a must!)
    It is definitely a must-have. Some good FREE versions are Comodo Personal Firewall, Outpost, PCTools Firewall, or Kerio Personal Firewall.
    Note: You must only use 1 (one) firewall at a time because if you have 2 or more firewalls running at the same time, they will conflict with each other and make your security less reliable. Please also remember to turn off Windows Firewall once you have installed a new firewall.
  • Also make sure to run your antivirus software regularly, and to keep it up-to-date.
    Note: You must only use 1 (one) AV at a time because if you have 2 or more AVs running at the same time, they will conflict with each other and make your security less reliable.
  • SpywareBlaster
    It helps to prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
    Tutorial: How to use!
  • SpywareGuard
    It helps to prevent spyware from installing yet catch and block spyware before it can execute. Install & update SpywareGuard with the latest definitions.
    Tutorial: How to use!
  • IE-SPYAD
    This FREE tool puts over 5000 sites in your IE Restricted Zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    This is a self-extracting .EXE file, save it to your desktop. Once downloaded, follow the tutorial listed below on how to install it.
    Tutorial: How to use!
  • Spybot - Search & Destroy
    This is a very powerful FREE tool that can search for and annihilate nasties that make it onto your system. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features for real-time protection.
    Tutorial: How to use!
  • Ad-Aware SE
    This is another very powerful FREE tool that searches for and kills nasties that infect your system. Ad-Aware SE and Spybot Search & Destroy complement each other very well.
    Tutorial: How to use!
  • AVG Anti-Spyware
    This is an excellent FREE scanner to look for trojans and other nasties that might be residing in your system.
    User Manual: How to use!
  • SUPERAntiSpyware
    This is another excellent FREE scanner to look for nasties that might be lurking in your system. SUPERAntiSpyware and AVG Anti-Spyware complement each other very well.
    Quick Guide: How to use!
  • McAfee SiteAdvisor
    An excellent site advisor to guide you through internet websites. It helps to warn you before you interact with a dangerous web site. Works with both IE and Firefox.
    Quick Guide: How it works!
Please also read Tony Klein's excellent article How I got Infected in the First Place and this CastleCops article Malware Prevention: Prevent Re-infection.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
If You Feel That We've Helped You, Please Donate To The Forum

`Nothing in the world is difficult for one who sets their mind to it` e X P e r i 3 n c 3 -- AleX `Jade that is not cut does not become a vessel`
"It's not because things are difficult that we dare not, it's because we dare not that things are difficult" <- Makes a huge diff
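A small triage script, added here and not part of HijackThis or the forum helper's own procedure, that parses log lines in the O4/O9/O10/O17/O23 shape shown above and applies the kind of checks a helper makes by eye before telling a poster what to fix: dangling "(file missing)" targets, an unknown Winsock LSP, DNS servers set in the registry, services with no publisher, and autoruns launched from a user profile folder. The sample lines are constructed from the log above with paths shortened; the check list and its wording are assumptions of this example, not HijackThis output.

```python
import re

# Constructed sample in the shape of the HijackThis log above (paths shortened).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PKR Pal] "C:\Program Files\PKR\pkrpal.exe" -osboot
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Jon_W\Application Data\ffti.exe /VERYSILENT
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2B011FC-52BC-4B06-A2C6-284118F8F318}: NameServer = 210.48.65.2 210.48.66.2
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 registry form: <hive>\..\<key>: [<name>] <command>   (hive may be HKUS\<SID>)
O4_REG_RE = re.compile(r"^(.+?)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
O17_RE = re.compile(r"NameServer = (.+)$")

def parse_hjt(text):
    """Return one dict per O-line: section, raw line, and any parsed fields."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and the "End of file" trailer are skipped
        sec, rest = m.groups()
        e = {"section": sec, "raw": line.strip()}
        if sec == "O4" and (r := O4_REG_RE.match(rest)):
            e.update(hive=r.group(1), key=r.group(2), name=r.group(3), command=r.group(4))
        elif sec == "O17" and (r := O17_RE.search(rest)):
            e["nameservers"] = r.group(1).split()
        entries.append(e)
    return entries

# Heuristics (assumed for this example): each flags an entry for manual review, not as malicious.
CHECKS = [
    (lambda e: "(file missing)" in e["raw"], "dangling entry: target file no longer exists"),
    (lambda e: e["section"] == "O10", "Winsock LSP not on HJT's known list; verify the DLL's publisher"),
    (lambda e: e["section"] == "O17", "DNS servers set in the registry; confirm they belong to the ISP"),
    (lambda e: e["section"] == "O23" and "Unknown owner" in e["raw"], "service with no publisher; verify the file's signature"),
    (lambda e: "documents and settings" in e.get("command", "").lower(), "autorun launched from a user profile folder"),
]

def triage(entries):
    """Apply CHECKS to every parsed entry; returns (reason, raw line) pairs."""
    return [(reason, e["raw"]) for e in entries for test, reason in CHECKS if test(e)]

if __name__ == "__main__":
    for reason, raw in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{reason}] {raw}")
```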
Old 10-13-2007, 01:00 AM   #9 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 5
OS: XP


Re: pc very slow, multiple trojans/malware, hijackthis log

Thank you very much for your advice on how to deal with these bastards... I have just donated to the forum as a sign of my gratitude.
Old 10-13-2007, 03:25 AM   #10 (permalink)
TSF Enthusiast
 
 
Join Date: Dec 2005
Location: Malaysia (GMT+8)
Posts: 1,073
OS: Windows XP Pro SP3 RC, VMWare (Ubuntu 7.10), BackTrack3 Beta


Blog Entries: 5
Re: pc very slow, multiple trojans/malware, hijackthis log

Thank you very much for the donation. Have a nice day.
Copyright 2001 - 2009, Tech Support Forum