Trojan Loosky, First Hi-jack-this user.

[Evilcookie]

Hi, first time user for Hi Jack This, Tryed getting rid of this maleware, got it to stop spaming me with pop ups but can't stop it to infected files i healed.

Deckard's System Scanner v20070905.67
Run by Ali on 2007-10-03 09:19:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Ali.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:15 AM, on 10/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\TEMP\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ali.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 80.69.94.166 gameguard.mapleglobal.com
O1 - Hosts: 80.69.94.166 63.251.217.184
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Hotplug] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\WINDOWS\TEMP\E_S1A1.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1168700121033
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1168700109924
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 6918 bytes

-- Files created between 2007-09-03 and 2007-10-03 -----------------------------

2007-10-02 22:42:37 0 d-------- C:\Documents and Settings\***\Application Data\AVG7
2007-10-02 22:42:35 0 d-------- C:\Documents and Settings\***\Application Data\Real
2007-10-02 22:42:24 0 d-------- C:\Documents and Settings\***\Application Data\Identities
2007-10-02 22:42:08 0 dr------- C:\Documents and Settings\***\Favorites
2007-10-02 22:42:08 0 d-------- C:\Documents and Settings\***\Desktop
2007-10-02 22:42:08 0 d--hs---- C:\Documents and Settings\***\Cookies
2007-10-02 22:42:08 0 dr-h----- C:\Documents and Settings\***\Application Data
2007-10-02 22:42:08 0 d---s---- C:\Documents and Settings\***\Application Data\Microsoft
2007-10-02 22:42:07 0 d--h----- C:\Documents and Settings\***\Templates
2007-10-02 22:42:07 0 dr------- C:\Documents and Settings\***\Start Menu
2007-10-02 22:42:07 0 dr-h----- C:\Documents and Settings\***\SendTo
2007-10-02 22:42:07 0 dr-h----- C:\Documents and Settings\***\Recent
2007-10-02 22:42:07 0 d--h----- C:\Documents and Settings\***\PrintHood
2007-10-02 22:42:07 786432 --ah----- C:\Documents and Settings\***\NTUSER.DAT
2007-10-02 22:42:07 0 d--h----- C:\Documents and Settings\***\NetHood
2007-10-02 22:42:07 0 dr------- C:\Documents and Settings\***\My Documents
2007-10-02 22:42:07 0 d--h----- C:\Documents and Settings\***\Local Settings
2007-10-02 20:12:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-02 20:12:53 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-02 19:46:01 0 d-------- C:\Documents and Settings\TEMP\Application Data\AVG7
2007-10-02 19:45:50 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-02 19:43:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-02 19:43:35 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-02 19:01:22 2126 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-02 19:00:32 25088 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-02 19:00:32 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-10-02 19:00:32 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-10-02 19:00:32 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-10-02 19:00:32 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-02 18:58:16 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-10-02 18:58:16 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-10-02 18:58:16 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-10-02 18:58:16 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-10-02 18:58:16 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-10-02 18:58:16 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-10-02 18:58:16 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-10-02 18:58:16 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-10-02 18:58:16 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-10-02 18:58:16 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-10-02 18:58:16 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-10-02 18:58:16 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-10-02 18:58:16 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-10-02 18:58:15 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-10-02 18:21:51 0 d-------- C:\Program Files\Trend Micro
2007-10-02 16:33:34 0 dr-h----- C:\Documents and Settings\TEMP\Recent
2007-10-02 14:11:42 0 dr-h----- C:\$VAULT$.AVG
2007-10-02 01:21:29 315392 --a------ C:\WINDOWS\sysdx.dll
2007-10-02 01:21:29 274432 --a------ C:\WINDOWS\msvb.dll
2007-09-28 17:40:11 0 d-------- C:\Documents and Settings\TEMP\Application Data\Xfire
2007-09-28 15:03:31 0 d-------- C:\Program Files\Flagship Studios
2007-09-26 07:30:26 0 d-------- C:\Documents and Settings\TEMP\Application Data\Download Manager
2007-09-25 16:13:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
2007-09-25 15:21:22 0 d-------- C:\Program Files\Microsoft Games
2007-09-17 22:09:06 163840 --a------ C:\WINDOWS\system32\unrar.dll
2007-09-17 22:09:04 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-09-17 22:09:03 0 d-------- C:\Program Files\K-Lite Codec Pack
2007-09-15 02:21:13 0 d-------- C:\WINDOWS\system32\windows media
2007-09-15 02:21:03 0 d--h----- C:\WINDOWS\msdownld.tmp
2007-09-15 02:20:54 0 d-------- C:\Program Files\Windows Media Components


-- Find3M Report ---------------------------------------------------------------

2007-10-02 19:36:52 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-02 02:30:12 0 d-------- C:\Program Files\Fraps
2007-10-01 12:45:32 0 d-------- C:\Program Files\Warcraft III
2007-09-28 17:57:17 0 d---s---- C:\Program Files\Xfire
2007-09-28 17:30:19 0 d-------- C:\Program Files\LimeWire
2007-09-28 17:28:25 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-09-28 17:27:13 2542 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2007-09-28 17:26:13 0 d-------- C:\Program Files\Common Files\AOL
2007-09-28 15:00:15 0 d-------- C:\Program Files\QuickTime
2007-09-28 14:57:09 0 d-------- C:\Program Files\Diablo II
2007-09-27 17:07:15 0 d-------- C:\Documents and Settings\TEMP\Application Data\OpenOffice.org2
2007-09-26 17:58:56 0 d-------- C:\Program Files\XoftSpySE
2007-09-26 16:02:43 134629 --a------ C:\Documents and Settings\TEMP\Application Data\Cosmos Prefs
2007-09-25 17:57:11 0 d-------- C:\Program Files\World of Warcraft
2007-09-24 12:34:51 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-09-21 12:28:47 0 d-------- C:\Documents and Settings\TEMP\Application Data\LimeWire
2007-09-04 00:05:56 0 d-------- C:\Program Files\Project64 1.6
2007-09-02 00:35:18 0 d-------- C:\Documents and Settings\TEMP\Application Data\Viewpoint
2007-09-01 15:36:48 0 d-------- C:\Program Files\Viewpoint
2007-09-01 15:36:26 0 d-------- C:\Program Files\Common Files
2007-08-31 04:14:30 0 d-------- C:\Program Files\Steam
2007-08-27 23:50:53 0 d-------- C:\Program Files\The Sir. Community
2007-08-27 23:49:24 0 d-------- C:\Program Files\BitTorrent
2007-08-27 23:46:36 0 d-------- C:\Documents and Settings\TEMP\Application Data\DMCache
2007-08-27 21:24:16 0 d-------- C:\Documents and Settings\TEMP\Application Data\Leadertech
2007-08-27 21:23:53 0 d-------- C:\Program Files\epson
2007-08-27 21:22:27 0 d-------- C:\Program Files\ArcSoft
2007-08-25 03:01:37 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-24 20:15:13 36864 --a------ C:\WINDOWS\system32\dxinputdll.dll
2007-08-24 20:15:13 0 d-------- C:\Documents and Settings\TEMP\Application Data\KALiNKOsoft
2007-08-12 13:22:50 0 d-------- C:\Program Files\Common Files\Logitech
2007-08-12 13:22:42 0 d-------- C:\Program Files\Logitech
2007-08-09 14:25:51 0 d-------- C:\Documents and Settings\TEMP\Application Data\teamspeak2
2007-08-07 01:20:49 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-07-30 12:42:31 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-07-12 00:12:42 81920 --a------ C:\WINDOWS\system32\frapsvid.dll <Not Verified; Beepa P/L; FRAPS>
2007-07-04 22:54:25 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hotplug"="C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe" [05/05/2005 09:10 PM]
"SiSRaid"="C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe" [05/18/2005 03:44 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [10/14/2004 11:11 AM]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [11/18/2004 11:16 AM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [07/16/2005 02:09 AM]
"nwiz"="nwiz.exe" [07/16/2005 02:09 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [07/16/2005 02:09 AM]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [06/03/2004 01:51 AM]
"Launch Ai Booster"="C:\Program Files\ASUS\Ai Booster\OverClk.exe" [08/04/2005 03:24 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/11/2007 04:14 PM]
"SoundMax"="C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" [09/23/2004 02:41 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [01/12/2006 04:40 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [10/02/2007 07:45 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"EPSON Stylus CX6000 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.exe" [10/18/2006 04:01 AM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []

C:\Documents and Settings\TEMP\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [9/12/2007 3:24:32 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 12/20/2005 12:57 PM 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^TEMP^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]
path=C:\Documents and Settings\TEMP\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
"C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"Apple Mobile Device"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2007-10-03 09:20:08 ------------

[Ried]

Hello Evilcookie and welcome to TSF,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

1. Download SmitfraudFix (by S!Ri) to your Desktop. Do not run it yet.


2. Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you which I will need in your next reply.


Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

--------------------------------------------------------------------

Double-click smitfraudfix.exe to start the tool.

• Select option #1 - Search by typing 1 and press "Enter"
• A text file will appear which lists infected files (if present).
• Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Perform an online scan with Internet Explorer with Panda ActiveScan

1. Click on located at the bottom of the page.
2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*

Begin the scan by selecting

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
SmitfraudFix report
Panda results
New HijackThis log

[Evilcookie]

I could not upload 3 notepad files, so I uploaded 2 and copy & past 2 here.
Second one is Active Scan.

ComboFix 07-10-03.8 - Ali 2007-10-03 14:35:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1083 [GMT -7:00]
Running from: C:\Documents and Settings\TEMP\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\dat.txt
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt

.
((((((((((((((((((((((((( Files Created from 2007-09-03 to 2007-10-03 )))))))))))))))))))))))))))))))
.

2007-10-03 14:34 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-02 22:42 <DIR> d-------- C:\Documents and Settings\***\Application Data\Real
2007-10-02 20:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-02 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-02 19:01 2,126 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-02 19:00 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-02 19:00 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-02 19:00 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-02 19:00 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-02 19:00 25,088 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-02 18:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-02 17:23 <DIR> d-------- C:\Deckard
2007-09-28 17:40 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Xfire
2007-09-28 15:03 <DIR> d-------- C:\Program Files\Flagship Studios
2007-09-26 07:30 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Download Manager
2007-09-25 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
2007-09-25 15:21 <DIR> d-------- C:\Program Files\Microsoft Games
2007-09-17 22:09 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-09-17 22:09 163,840 --a------ C:\WINDOWS\system32\unrar.dll
2007-09-17 22:09 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-09-15 02:21 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-09-15 02:21 <DIR> d-------- C:\WINDOWS\system32\windows media
2007-09-15 02:20 <DIR> d-------- C:\Program Files\Windows Media Components
2007-09-03 07:42 674,600 --a------ C:\WINDOWS\system32\pbsvc(2).exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-03 14:28 --------- d-------- C:\Program Files\Warcraft III
2007-10-03 09:51 --------- d-------- C:\Program Files\World of Warcraft
2007-10-02 22:51 22328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-02 22:49 103736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-10-02 22:35 674600 --a------ C:\WINDOWS\system32\pbsvc.exe
2007-10-02 22:35 66872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-10-02 22:35 22328 --a------ C:\Documents and Settings\TEMP\Application Data\PnkBstrK.sys
2007-10-02 19:36 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-02 02:31 --------- d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-02 02:30 --------- d-------- C:\Program Files\Fraps
2007-09-28 17:57 --------- d---s---- C:\Program Files\Xfire
2007-09-28 17:30 --------- d-------- C:\Program Files\LimeWire
2007-09-28 17:28 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-28 17:26 --------- d-------- C:\Program Files\Common Files\AOL
2007-09-28 17:26 --------- d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-09-28 15:00 --------- d-------- C:\Program Files\QuickTime
2007-09-28 14:57 --------- d-------- C:\Program Files\Diablo II
2007-09-27 17:07 --------- d-------- C:\Documents and Settings\TEMP\Application Data\OpenOffice.org2
2007-09-26 17:58 --------- d-------- C:\Program Files\XoftSpySE
2007-09-24 12:34 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-09-21 12:28 --------- d-------- C:\Documents and Settings\TEMP\Application Data\LimeWire
2007-09-04 00:05 --------- d-------- C:\Program Files\Project64 1.6
2007-09-02 00:35 --------- d-------- C:\Documents and Settings\TEMP\Application Data\Viewpoint
2007-09-01 15:36 --------- d-------- C:\Program Files\Viewpoint
2007-09-01 15:36 --------- d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-01 15:34 --------- d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-08-31 04:14 --------- d-------- C:\Program Files\Steam
2007-08-27 23:50 --------- d-------- C:\Program Files\The Sir. Community
2007-08-27 23:49 --------- d-------- C:\Program Files\BitTorrent
2007-08-27 23:46 --------- d-------- C:\Documents and Settings\TEMP\Application Data\DMCache
2007-08-27 21:28 --------- d-------- C:\Documents and Settings\All Users\Application Data\EPSON
2007-08-27 21:24 --------- d-------- C:\Documents and Settings\TEMP\Application Data\Leadertech
2007-08-27 21:23 --------- d-------- C:\Program Files\epson
2007-08-27 21:22 --------- d-------- C:\Program Files\ArcSoft
2007-08-25 03:01 --------- d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-24 20:15 36864 --a------ C:\WINDOWS\system32\dxinputdll.dll
2007-08-24 20:15 --------- d-------- C:\Documents and Settings\TEMP\Application Data\KALiNKOsoft
2007-08-12 13:22 --------- d-------- C:\Program Files\Logitech
2007-08-12 13:22 --------- d-------- C:\Program Files\Common Files\Logitech
2007-08-09 14:25 --------- d-------- C:\Documents and Settings\TEMP\Application Data\teamspeak2
2007-08-07 23:13 --------- d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-08-07 07:33 --------- d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2007-08-07 01:20 --------- d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-12 00:12 81920 --a------ C:\WINDOWS\system32\frapsvid.dll
2007-07-04 22:54 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-07-04 22:54 249856 --------- C:\WINDOWS\Setup1.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hotplug"="C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe" [2005-05-05 21:10]
"SiSRaid"="C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe" [2005-05-18 15:44]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 11:11]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-11-18 11:16]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-07-16 02:09]
"nwiz"="nwiz.exe" [2005-07-16 02:09 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-07-16 02:09]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 01:51]
"Launch Ai Booster"="C:\Program Files\ASUS\Ai Booster\OverClk.exe" [2005-08-04 15:24]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-11 16:14]
"SoundMax"="C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" [2004-09-23 14:41]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-02 19:45]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"EPSON Stylus CX6000 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.exe" [2006-10-18 04:01]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []

C:\Documents and Settings\TEMP\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-09-12 15:24:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-20 12:57 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^TEMP^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]
path=C:\Documents and Settings\TEMP\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
"C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

R0 SiSRaid2;SiSRaid2;C:\WINDOWS\system32\DRIVERS\SiSRaid2.sys
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe"
R3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
R3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
R3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
S3 cdspacex;cdspacex;C:\WINDOWS\system32\DRIVERS\CDSPACEX.sys
S3 Dua1;Dua1;\??\C:\Documents and Settings\Ali\Desktop\Duel Engine\DualEngi.sys
S3 geebers12;geebers12;\??\C:\Documents and Settings\TEMP\Desktop\Sago's Hack Pack .38 III\Xterminator.sys
S3 kaspersky1;kaspersky1;\??\C:\Documents and Settings\TEMP\Desktop\s Hack Pack II\Sago's Hack Pack II\kaspersky.sys
S3 KIKIDRIVER;KIKIDRIVER;\??\C:\Documents and Settings\TEMP\Desktop\Kiki_Engine_1.41__Unpacked_\Kiki Engine 1.41 [Unpacked]\kiki.sys
S3 saruenGang;saruenGang;\??\C:\Documents and Settings\Ali\Desktop\saruengang103\saruenGang.sys
S3 sejt1;sejt1;\??\C:\AkumaEngine33\Applications\sejt.sys
S3 spuce1;spuce1;\??\C:\Documents and Settings\TEMP\Desktop\Spuc3ngine\Spuc3nginef\spuce.sys
S3 TSHAK3T1;TSHAK3T1;\??\C:\Documents and Settings\TEMP\Desktop\Revolution_Engine_3.3\Revolution Engine 3.3\spuce.sys
S3 TwoRabts;Two Rabbits Live Bus;C:\WINDOWS\system32\DRIVERS\TwoRabts.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S3 uzeil1;uzeil1;\??\C:\Documents and Settings\TEMP\Desktop\Mini_Engine\Mini Engine\Mini Engine\uzeil.sys
S3 zenos1;zenos1;\??\C:\Documents and Settings\Ali\Desktop\ZEnos\zenos.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-09-29 22:03:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-03 20:29:21 C:\WINDOWS\Tasks\User_Feed_Synchronization-{D8798ACA-0D7E-4C58-BE6A-B9613ACB5DE9}.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-03 14:38:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

.
Completion time: 2007-10-03 14:39:28
C:\ComboFix-quarantined-files.txt ... 2007-10-03 14:38
.
--- E O F ---



SmitFraudFix v2.235

Scan done at 15:13:32.84, Wed 10/03/2007
Run from C:\Documents and Settings\TEMP\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\TEMP


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\TEMP\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\TEMP\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wbsys.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Linksys Wireless-G USB Network Adapter
DNS Server Search Order: 68.237.161.12
DNS Server Search Order: 71.243.0.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A0AEA807-1A32-49F2-972E-50E994A7CEBE}: DhcpNameServer=68.237.161.12 71.243.0.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A0AEA807-1A32-49F2-972E-50E994A7CEBE}: DhcpNameServer=68.237.161.12 71.243.0.12
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A0AEA807-1A32-49F2-972E-50E994A7CEBE}: DhcpNameServer=68.237.161.12 71.243.0.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.237.161.12 71.243.0.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.237.161.12 71.243.0.12
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.237.161.12 71.243.0.12


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:47 PM, on 10/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 80.69.94.166 gameguard.mapleglobal.com
O1 - Hosts: 80.69.94.166 63.251.217.184
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Hotplug] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\WINDOWS\TEMP\E_S1A1.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1168700121033
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1168700109924
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.2.1.cab
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 7148 bytes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Incident Status Location

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[adserver.filefront.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.overture.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.zedo.com/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.ads.addynamix.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.atwola.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Ali\Cookies\ali@2o7[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Ali\Cookies\ali@atdmt[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Ali\Cookies\ali@fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Ali\Cookies\ali@mediaplex[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Ali\Cookies\ali@tribalfusion[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Ali\Cookies\ali@zedo[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\5jgriron.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\5jgriron.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\TEMP\Cookies\ali@adrevolver[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\TEMP\Cookies\ali@atdmt[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\TEMP\Cookies\ali@fastclick[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\TEMP\Cookies\ali@media.adrevolver[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\TEMP\Cookies\ali@tribalfusion[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\TEMP\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\TEMP\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\TEMP\Desktop\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\TEMP\Desktop\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\TEMP\Desktop\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Potentially unwanted tool:Application/RealSpy Not disinfected C:\WINDOWS\system32\actskn45.ocx

[Ried]

Please go to: VirusTotal

• On the page you'll find a "Browse" button.
  
• Next to the browse button you'll see a box to enter text.
• Please copy/paste the following in BOLD:
  
  C:\Documents and Settings\Ali\Desktop\ZEnos\zenos.sys
  
  
• Then click the "Send File " button just below.
• This will scan the file. Please be patient.
• Once scanned, copy and paste the results in your next reply.

If the site is too busy, upload it here http://www.virustotal.com/en/indexf.html

------------------------

Also, please provide a detailed description of your current symptoms.

[Evilcookie]

0 bytes size received / Se ha recibido un archivo vacio

[Ried]

Quote:

Originally Posted by Ried

Also, please provide a detailed description of your current symptoms.

[Evilcookie]

not sure what you mean by this. Unless you mean HiJackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:58:04 PM, on 10/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 80.69.94.166 gameguard.mapleglobal.com
O1 - Hosts: 80.69.94.166 63.251.217.184
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Hotplug] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\WINDOWS\TEMP\E_S1A1.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1168700121033
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1168700109924
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.2.1.cab
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 7063 bytes

[Ried]

Quote:

Hi, first time user for Hi Jack This, Tryed getting rid of this maleware, got it to stop spaming me with pop ups but can't stop it to infected files i healed.

\
Are you still getting pop ups? How is the system behaving?

[Evilcookie]

No I stoped getting pop ups, thank you but I am worried about the 26 spyware that the online scanner found.

[Ried]

We can take care of that now.

Download and install CleanUp! (Not Recommended for XP64)[/b].

---------------------------------------------------------

Delete the following files:

C:\WINDOWS\NirCmd.exe
C:\WINDOWS\system32\actskn45.ocx

---------------------------------------------------------

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any C:\Windows\Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users
• Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.

Click OK
Press the CleanUp! button to start the program.

Reboot/logoff when prompted.

----------------------------------------------------------

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

***********************************************

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

• It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

[Evilcookie]

Thank you again for all your help and clear instructions.
Try to click on the IESpyAD Zoned Out Link but could not get access to it.

[Ried]

You're welcome. This link should work for you --> http://www.techsupportforum.com/cont...ticles/63.html