Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads (resolved spyware and popup issues)

Old 10-11-2007, 03:17 PM   #1
Oz_Law, Registered User (Join Date: Oct 2007; Posts: 10; OS: xp sp2)

ad.yieldmanager.com

Hi, ages ago I was getting pop-ups from ad.yieldmanager.com (bastardos!) and I got rid of them using a-squared. After a few months, when using Firefox and trying to enter a site, I saw at the bottom of the window "connecting to ad.yieldmanager.com", then it went to the site I wanted, but I still thought it was dodgy. Then I was searching for stuff on Google when suddenly the language changed to German! I knew this had to be something to do with that yieldmanager. As well (this never ever happened before), most of the time I click a link or bookmark or type in a URL, it says server not found; I keep clicking retry and eventually it goes to the site. I believe all these are symptoms of a browser hijacker; correct me if I'm wrong.

I downloaded HijackThis.

This is my log; could you be kind enough to help me?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:17:17, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.co.uk
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1191752884906
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O20 - AppInit_DLLs: ?I?
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII\RpcSandraSrv.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7816 bytes

cheers, Oz

Last edited by Oz_Law; 10-11-2007 at 03:20 PM.
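As an added example (not code from this thread, from Trend Micro or from the forum's analysts), here is a small Python parser for the HijackThis v2 log layout posted above. It splits a log into header fields, running processes and R/O entries, then flags the two things a reviewer checks first: entries HijackThis itself marks "(no file)" or "(file missing)", and any non-empty O20 AppInit_DLLs value. The embedded sample log is constructed from a few lines of the same shape as the one in this post; the two triage checks are this example's own choice, not a rule from the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the HijackThis v2 log layout, modelled on the entries in
# this thread (a few representative lines, not the full log from the post).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:17:17, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - AppInit_DLLs: ?I?
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 1234 bytes
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class HjtLog:
    header: dict = field(default_factory=dict)     # "Platform" -> "Windows XP SP2 (...)"
    processes: list = field(default_factory=list)  # paths listed under "Running processes:"
    entries: list = field(default_factory=list)    # (code, body) tuples such as ("O2", "BHO: ...")


@dataclass
class Finding:
    code: str
    body: str
    reason: str


def parse_hjt_log(text: str) -> HjtLog:
    """Split a HijackThis v2 log into header fields, running processes and R/O entries."""
    log = HjtLog()
    in_processes = False
    past_header = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # the process list ends at the first blank line
            continue
        if line == "Running processes:":
            in_processes = True
            past_header = True
            continue
        if in_processes:
            log.processes.append(line)
            continue
        match = ENTRY_RE.match(line)
        if match:
            log.entries.append((match.group("code"), match.group("body")))
            continue
        if not past_header:
            key, sep, value = line.partition(": ")
            if sep:                        # "Platform: ..." style header lines only
                log.header[key] = value
    return log


def triage(log: HjtLog) -> list:
    """Return the entries a reviewer looks at first.

    Two checks only: references HJT itself marks as orphaned (the listed file
    is not on disk), and any O20 AppInit_DLLs value at all, because DLLs named
    there are loaded into every process that loads user32.dll.
    """
    findings = []
    for code, body in log.entries:
        if body.endswith(ORPHAN_MARKERS):
            findings.append(Finding(code, body, "orphaned entry: referenced file is not on disk"))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.partition(":")[2].strip()
            if value:
                findings.append(Finding(code, body, f"AppInit_DLLs is set to {value!r}"))
    return findings


def entry_counts(log: HjtLog) -> dict:
    """Number of entries per HJT section code, e.g. {"O2": 2, "O23": 2}."""
    counts = {}
    for code, _ in log.entries:
        counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_LOG)
    print(f"{parsed.header.get('Platform')}: {len(parsed.processes)} processes, "
          f"{len(parsed.entries)} entries {entry_counts(parsed)}")
    for finding in triage(parsed):
        print(f"[{finding.code}] {finding.reason}\n    {finding.body}")
```

Run it against a pasted log instead of SAMPLE_LOG to get the same section counts and flagged entries for that log.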
Old 10-14-2007, 04:34 AM   #2
Oz_Law, Registered User (Join Date: Oct 2007; Posts: 10; OS: xp sp2)

Re: ad.yieldmanager.com

Anyone? At least say my computer is running fine or something.

cheers, oz
Old 10-14-2007, 06:50 AM   #3
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team (Join Date: Jan 2005; Location: Ohio; Posts: 23,970; OS: WinXP and Vista)

Re: ad.yieldmanager.com

Hello Oz_Law,

As you can see, this section of the forum is extremely busy with many users requesting assistance. There are only so many of us, and we can only do so much.

We prefer a more comprehensive set of logs to assist in detecting any malware that may be present. As noted in our sticky topic (Updated!) IMPORTANT - Read This Before Posting A Log, download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review.
  • DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.


Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

Please include the following in your next reply:

main.txt
an attached extra.txt
Old 10-14-2007, 10:16 AM   #4
Oz_Law, Registered User (Join Date: Oct 2007; Posts: 10; OS: xp sp2)

Re: ad.yieldmanager.com

Ahh, cheers mate, I understand about it being too busy.


Deckard's System Scanner v20070905.67
Run by Oz on 2007-10-14 18:07:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
19: 2007-10-14 17:07:40 UTC - RP27 - Deckard's System Scanner Restore Point
18: 2007-10-13 23:12:22 UTC - RP26 - Installed Java(TM) 6 Update 3
17: 2007-10-13 12:41:35 UTC - RP25 - System Checkpoint
16: 2007-10-12 11:53:17 UTC - RP24 - Software Distribution Service 3.0
15: 2007-10-12 09:22:41 UTC - RP23 - Installed Call of Duty(R) 4 - Modern Warfare(TM) Demo


-- First Restore Point --
1: 2007-10-06 23:55:20 UTC - RP9 - Installed NVIDIA nTune


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Oz.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:09:38, on 14/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Oz\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Oz.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.co.uk
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1191752884906
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O20 - AppInit_DLLs: ?I?
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII\RpcSandraSrv.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8120 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil(c)>
R0 Vax347b - c:\windows\system32\drivers\vax347b.sys
R0 Vax347s - c:\windows\system32\drivers\vax347s.sys
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.7) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.7>
R3 NVR0Dev - c:\windows\nvoclock.sys <Not Verified; NVidia Corp.; NVidia System Utility Driver>

S3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows (R) 2000 DDK driver>
S3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
S3 BTNetFilter (Bluetooth Network Filter) - c:\windows\system32\drivers\btnetfilter.sys
S3 Cardex - c:\windows\system32\drivers\tbpanel.sys (file missing)
S3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys (file missing)
S3 RivaTuner32 - c:\program files\rivatuner v2.05\rivatuner32.sys
S3 RTLWUSB (Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter) - c:\windows\system32\drivers\rtl8187.sys (file missing)
S3 scrcap - c:\windows\system32\drivers\scrcap.sys (file missing)
S3 SCREAMINGBDRIVER (Screaming Bee Audio) - c:\windows\system32\drivers\screamingbaudio.sys (file missing)
S3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Diskeeper - "c:\program files\diskeeper corporation\diskeeper\dkservice.exe" <Not Verified; Diskeeper Corporation; Diskeeper (TM) Disk Defragmenter>
R2 nTuneService (nTune Service) - c:\program files\nvidia corporation\ntune\ntuneservice.exe /startservice <Not Verified; NVIDIA; NVIDIA nTune>

S2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" (file missing)
S2 PnkBstrA - c:\windows\system32\pnkbstra.exe (file missing)
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4362&SUBSYS_81421043&REV_20\4&AD17F01&0&00E3
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_11AB&DEV_4362&SUBSYS_81421043&REV_20\4&AD17F01&0&00E3
Service:

Class GUID:
Description: RTL8187_Wireless
Device ID: USB\VID_0BDA&PID_8187\0015AF033B2B
Manufacturer:
Name: RTL8187_Wireless
PNP Device ID: USB\VID_0BDA&PID_8187\0015AF033B2B
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: BT Voyager 1040 PCI Adapter
Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_7077144F&REV_03\4&CF81C54&0&00F0
Manufacturer: BT
Name: BT Voyager 1040 PCI Adapter
PNP Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_7077144F&REV_03\4&CF81C54&0&00F0
Service: BCM43XX


-- Scheduled Tasks -------------------------------------------------------------

2007-10-14 11:04:24 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-10-09 21:13:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-10-05 13:17:00 264 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2007-09-05 13:17:31 386 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job


-- Files created between 2007-09-14 and 2007-10-14 -----------------------------

2007-10-14 00:20:52 0 d-------- C:\Program Files\SystemRequirementsLab
2007-10-14 00:20:38 0 d-------- C:\Documents and Settings\Oz\Application Data\SystemRequirementsLab
2007-10-14 00:13:28 0 d-------- C:\WINDOWS\Sun
2007-10-14 00:13:28 0 d-------- C:\Documents and Settings\Oz\Application Data\Sun
2007-10-14 00:12:49 0 d-------- C:\Program Files\Java
2007-10-14 00:12:25 0 d-------- C:\Program Files\Common Files\Java
2007-10-12 10:22:56 0 d-------- C:\Program Files\Activision
2007-10-12 00:21:33 0 dr-h----- C:\Documents and Settings\Oz\Recent
2007-10-11 22:54:59 0 d-------- C:\VundoFix Backups
2007-10-11 22:35:38 0 d-------- C:\Program Files\Trend Micro
2007-10-07 14:34:46 0 d-------- C:\Program Files\RivaTuner v2.05
2007-10-07 00:42:20 0 d-------- C:\WINDOWS\nview
2007-10-07 00:41:15 0 d-------- C:\NVIDIA
2007-10-07 00:05:35 53248 --a------ C:\WINDOWS\system32\CSVer.dll <Not Verified; Windows XP Bundled build C-Centric Single User; Windows XP Bundled build C-Centric Single User CSVer>
2007-10-02 14:40:56 0 d-------- C:\Program Files\Asus
2007-10-02 11:04:00 0 d-------- C:\Program Files\Bonjour
2007-10-02 10:57:57 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-02 10:14:08 0 d-------- C:\Program Files\VirtualDJ
2007-10-02 09:55:42 0 d-------- C:\Program Files\MagicISO
2007-09-30 19:46:12 0 d-------- C:\Documents and Settings\Oz\.assistant
2007-09-30 19:38:51 0 d-------- C:\Program Files\Marvell
2007-09-27 22:24:50 0 d-------- C:\Program Files\Sierra Entertainment
2007-09-27 22:24:30 0 d-------- C:\Documents and Settings\Oz\Application Data\InstallShield
2007-09-27 22:23:42 0 d-------- C:\Program Files\DAEMON Tools
2007-09-25 14:37:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-24 10:26:55 47357 --a------ C:\WINDOWS\system32\Keygen.exe
2007-09-24 10:26:13 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-09-21 19:37:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Screaming Bee
2007-09-21 19:32:38 0 d-------- C:\Documents and Settings\Oz\Application Data\Screaming Bee
2007-09-21 19:24:22 0 d-------- C:\Program Files\Common Files\Screaming Bee
2007-09-21 19:10:20 0 d-------- C:\Program Files\AV Vcs 6.0 GOLD
2007-09-18 16:38:30 0 d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2007-09-17 19:50:33 0 d-------- C:\Documents and Settings\Oz\Application Data\Xfire
2007-09-17 19:50:30 0 d-------- C:\Program Files\Xfire
2007-09-17 01:07:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-09-17 01:07:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-09-17 01:07:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-17 01:07:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-09-17 01:07:00 1478656 --a------ C:\WINDOWS\system32\nview.dll
2007-09-17 01:07:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-09-17 01:07:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-09-17 01:07:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-09-14 23:54:15 0 d-------- C:\Program Files\RegSupreme Pro


-- Find3M Report ---------------------------------------------------------------

2007-10-14 17:53:24 0 d-------- C:\Documents and Settings\Oz\Application Data\uTorrent
2007-10-14 12:36:25 0 d-------- C:\Program Files\Steam
2007-10-14 00:13:22 1428 --a------ C:\WINDOWS\mozver.dat
2007-10-14 00:12:25 0 d-------- C:\Program Files\Common Files
2007-10-12 10:24:32 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-08 18:08:17 0 d-------- C:\Documents and Settings\Oz\Application Data\Adobe
2007-10-08 12:52:18 0 d-------- C:\Program Files\Microsoft Works
2007-10-07 00:55:45 0 d-------- C:\Program Files\NVIDIA Corporation
2007-10-05 10:17:20 0 d-------- C:\Program Files\a-squared Anti-Malware
2007-10-02 11:03:57 0 d-------- C:\Program Files\Common Files\Adobe
2007-09-25 14:37:27 0 d-------- C:\Program Files\Apple Software Update
2007-09-25 14:37:00 0 d-------- C:\Program Files\QuickTime
2007-09-16 19:27:45 0 d-------- C:\Documents and Settings\Oz\Application Data\Bioshock
2007-09-12 23:12:12 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-12 23:11:42 0 d-------- C:\Program Files\AGEIA Technologies
2007-09-10 18:57:28 0 d-------- C:\Documents and Settings\Oz\Application Data\DAEMON Tools Pro
2007-09-09 14:37:12 0 d-------- C:\Program Files\NT Registry Optimizer
2007-09-08 17:45:51 0 d-------- C:\Program Files\Diskeeper Corporation
2007-09-06 11:39:14 0 d-------- C:\Program Files\Creative
2007-09-05 18:41:19 0 d-------- C:\Program Files\Google
2007-09-05 14:09:29 0 d-------- C:\Program Files\SiSoftware
2007-09-05 13:30:17 0 d-------- C:\Documents and Settings\Oz\Application Data\Uniblue
2007-09-04 01:08:15 0 d-------- C:\Program Files\Xvid
2007-09-03 20:30:32 0 d-------- C:\Program Files\CyberLink
2007-08-30 20:00:52 0 d-------- C:\Documents and Settings\Oz\Application Data\VersionTracker Pro
2007-08-30 19:59:11 0 d-------- C:\Program Files\Winamp
2007-08-29 14:47:53 0 d-------- C:\Program Files\TechTracker
2007-08-27 21:37:28 0 d-------- C:\Program Files\CCleaner
2007-08-26 13:42:14 5 --ahs---- C:\WINDOWS\system32\fcfceaaada_g.dll
2007-07-29 16:55:56 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 18:20]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [11/05/2000 01:00]
"RTHDCPL"="RTHDCPL.EXE" [17/04/2006 08:34 C:\WINDOWS\RTHDCPL.exe]
"P17Helper"="P17.dll" [03/05/2005 12:38 C:\WINDOWS\system32\P17.dll]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [02/03/2007 20:13]
"CTHelper"="CTHELPER.EXE" [18/06/2005 07:01 C:\WINDOWS\CTHELPER.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [02/09/2007 16:02]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [17/09/2007 01:07]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [17/09/2007 01:07]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 13:00]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [03/07/2007 12:32]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=?I?

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Creative Detector"=C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
"Alcmtr"=ALCMTR.EXE
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac91ba86-d572-11db-9bdb-009096cd6312}]
AutoRun\command- J:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac91ba9e-d572-11db-9bdb-009096cd6312}]
AutoRun\command- J:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aca780e2-4300-11db-841e-806d6172696f}]
AutoRun\command- D:\bootcd\autorun.com




-- Hosts -----------------------------------------------------------------------

127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD

61 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-10-14 18:10:57 ------------
Attached Files: extra.txt (32.3 KB)
Old 10-14-2007, 11:02 AM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,970
OS: WinXP and Vista


Re: ad.yieldmanager.com

Thanks, I see it now. Please download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 10-14-2007, 11:23 AM   #6 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 10
OS: xp sp2


Re: ad.yieldmanager.com

Note: while running ComboFix, I got an error message. (I would've posted it, but I pressed OK before I thought about it; the first numbers of the error were something like "0000013".)

ComboFix 07-10-14.4 - Oz 2007-10-14 19:04:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1579 [GMT 1:00]
Running from: C:\Documents and Settings\Oz\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-14 to 2007-10-14 )))))))))))))))))))))))))))))))
.

2007-10-14 19:04 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-14 18:07 <DIR> d-------- C:\Deckard
2007-10-14 00:20 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-10-14 00:20 <DIR> d-------- C:\Documents and Settings\Oz\Application Data\SystemRequirementsLab
2007-10-14 00:13 <DIR> d-------- C:\WINDOWS\Sun
2007-10-14 00:12 <DIR> d-------- C:\Program Files\Java
2007-10-14 00:12 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-12 10:25 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-10-12 10:25 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-10-12 10:25 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-10-12 10:25 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-10-12 10:25 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-10-12 10:25 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-10-12 10:25 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-10-12 10:22 <DIR> d-------- C:\Program Files\Activision
2007-10-11 22:54 <DIR> d-------- C:\VundoFix Backups
2007-10-11 22:35 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-08 09:05 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-07 14:34 <DIR> d-------- C:\Program Files\RivaTuner v2.05
2007-10-07 00:42 <DIR> d-------- C:\WINDOWS\nview
2007-10-07 00:42 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-10-07 00:41 <DIR> d-------- C:\NVIDIA
2007-10-07 00:41 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-10-07 00:05 53,248 --a------ C:\WINDOWS\system32\CSVer.dll
2007-10-02 14:40 <DIR> d-------- C:\Program Files\Asus
2007-10-02 11:04 <DIR> d-------- C:\Program Files\Bonjour
2007-10-02 10:57 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-02 10:14 <DIR> d-------- C:\Program Files\VirtualDJ
2007-10-02 09:55 <DIR> d-------- C:\Program Files\MagicISO
2007-09-30 19:46 <DIR> d-------- C:\Documents and Settings\Oz\.assistant
2007-09-30 19:38 <DIR> d-------- C:\Program Files\Marvell
2007-09-27 22:24 <DIR> d-------- C:\Program Files\Sierra Entertainment
2007-09-27 22:24 <DIR> d-------- C:\Documents and Settings\Oz\Application Data\InstallShield
2007-09-27 22:23 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-09-25 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-24 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-09-24 10:26 47,357 --a------ C:\WINDOWS\system32\Keygen.exe
2007-09-21 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Screaming Bee
2007-09-21 19:32 <DIR> d-------- C:\Documents and Settings\Oz\Application Data\Screaming Bee
2007-09-21 19:24 <DIR> d-------- C:\Program Files\Common Files\Screaming Bee
2007-09-21 19:10 <DIR> d-------- C:\Program Files\AV Vcs 6.0 GOLD
2007-09-18 16:38 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2007-09-17 19:50 <DIR> d-------- C:\Program Files\Xfire
2007-09-17 19:50 <DIR> d-------- C:\Documents and Settings\Oz\Application Data\Xfire
2007-09-15 16:50 6,853,088 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-09-15 16:50 6,853,088 --a--c--- C:\WINDOWS\system32\dllcache\nv4_mini.sys
2007-09-15 16:50 5,783,040 --a------ C:\WINDOWS\system32\nv4_disp.dll
2007-09-15 16:50 5,783,040 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2007-09-14 23:54 <DIR> d-------- C:\Program Files\RegSupreme Pro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-14 18:04 --------- d-----w C:\Documents and Settings\Oz\Application Data\uTorrent
2007-10-14 11:36 --------- d-----w C:\Program Files\Steam
2007-10-12 09:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-08 11:52 --------- d-----w C:\Program Files\Microsoft Works
2007-10-06 23:55 --------- d-----w C:\Program Files\NVIDIA Corporation
2007-10-05 09:17 --------- d-----w C:\Program Files\a-squared Anti-Malware
2007-10-02 10:03 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-25 13:37 --------- d-----w C:\Program Files\QuickTime
2007-09-25 13:37 --------- d-----w C:\Program Files\Apple Software Update
2007-09-17 00:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-09-17 00:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-09-17 00:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-09-17 00:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-09-17 00:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-09-17 00:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-09-17 00:07 5,509,120 ----a-w C:\WINDOWS\system32\nvdispsr.dll
2007-09-17 00:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-09-17 00:07 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll
2007-09-17 00:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-09-17 00:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-09-17 00:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-09-17 00:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-09-17 00:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-09-17 00:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-09-17 00:07 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll
2007-09-17 00:07 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll
2007-09-17 00:07 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll
2007-09-17 00:07 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll
2007-09-17 00:07 327,680 ----a-w C:\WINDOWS\system32\nvrshe.dll
2007-09-17 00:07 327,680 ----a-w C:\WINDOWS\system32\nvrsar.dll
2007-09-17 00:07 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll
2007-09-17 00:07 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll
2007-09-17 00:07 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll
2007-09-17 00:07 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll
2007-09-17 00:07 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll
2007-09-17 00:07 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll
2007-09-17 00:07 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll
2007-09-17 00:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-09-17 00:07 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll
2007-09-17 00:07 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll
2007-09-17 00:07 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll
2007-09-17 00:07 3,629,056 ----a-w C:\WINDOWS\system32\nvvitvsr.dll
2007-09-17 00:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-09-17 00:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-09-17 00:07 3,166,208 ----a-w C:\WINDOWS\system32\nvgamesr.dll
2007-09-17 00:07 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll
2007-09-17 00:07 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll
2007-09-17 00:07 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll
2007-09-17 00:07 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll
2007-09-17 00:07 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll
2007-09-17 00:07 290,816 ----a-w C:\WINDOWS\system32\nvwrsth.dll
2007-09-17 00:07 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll
2007-09-17 00:07 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll
2007-09-17 00:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-09-17 00:07 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll
2007-09-17 00:07 282,624 ----a-w C:\WINDOWS\system32\nvrsfr.dll
2007-09-17 00:07 282,624 ----a-w C:\WINDOWS\system32\nvrses.dll
2007-09-17 00:07 282,624 ----a-w C:\WINDOWS\system32\nvrsel.dll
2007-09-17 00:07 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll
2007-09-17 00:07 278,528 ----a-w C:\WINDOWS\system32\nvrsit.dll
2007-09-17 00:07 278,528 ----a-w C:\WINDOWS\system32\nvrsde.dll
2007-09-17 00:07 274,432 ----a-w C:\WINDOWS\system32\nvrspt.dll
2007-09-17 00:07 274,432 ----a-w C:\WINDOWS\system32\nvrsnl.dll
2007-09-17 00:07 274,432 ----a-w C:\WINDOWS\system32\nvrsesm.dll
2007-09-17 00:07 270,336 ----a-w C:\WINDOWS\system32\nvrsru.dll
2007-09-17 00:07 266,240 ----a-w C:\WINDOWS\system32\nvrsptb.dll
2007-09-17 00:07 266,240 ----a-w C:\WINDOWS\system32\nvrsja.dll
2007-09-17 00:07 258,048 ----a-w C:\WINDOWS\system32\nvrstr.dll
2007-09-17 00:07 258,048 ----a-w C:\WINDOWS\system32\nvrssl.dll
2007-09-17 00:07 258,048 ----a-w C:\WINDOWS\system32\nvrssk.dll
2007-09-17 00:07 258,048 ----a-w C:\WINDOWS\system32\nvrsko.dll
2007-09-17 00:07 258,048 ----a-w C:\WINDOWS\system32\nvrshu.dll
2007-09-17 00:07 253,952 ----a-w C:\WINDOWS\system32\nvrsth.dll
2007-09-17 00:07 253,952 ----a-w C:\WINDOWS\system32\nvrssv.dll
2007-09-17 00:07 253,952 ----a-w C:\WINDOWS\system32\nvrspl.dll
2007-09-17 00:07 253,952 ----a-w C:\WINDOWS\system32\nvrsno.dll
2007-09-17 00:07 253,952 ----a-w C:\WINDOWS\system32\nvrsda.dll
2007-09-17 00:07 249,856 ----a-w C:\WINDOWS\system32\nvrsfi.dll
2007-09-17 00:07 249,856 ----a-w C:\WINDOWS\system32\nvrscs.dll
2007-09-17 00:07 245,760 ----a-w C:\WINDOWS\system32\nvrseng.dll
2007-09-17 00:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-09-17 00:07 225,280 ----a-w C:\WINDOWS\system32\nvrszhc.dll
2007-09-17 00:07 212,992 ----a-w C:\WINDOWS\system32\nvwrsja.dll
2007-09-17 00:07 2,854,912 ----a-w C:\WINDOWS\system32\nvmoblsr.dll
2007-09-17 00:07 2,441,216 ----a-w C:\WINDOWS\system32\nvwssr.dll
2007-09-17 00:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-09-17 00:07 196,608 ----a-w C:\WINDOWS\system32\nvwrsko.dll
2007-09-17 00:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-09-17 00:07 167,936 ----a-w C:\WINDOWS\system32\nvwrszht.dll
2007-09-17 00:07 163,840 ----a-w C:\WINDOWS\system32\nvwrszhc.dll
2007-09-17 00:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-09-17 00:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-09-17 00:07 126,976 ----a-w C:\WINDOWS\system32\nvrszht.dll
2007-09-17 00:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-17 00:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-09-17 00:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-09-17 00:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-09-17 00:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-09-17 00:07 1,073,152 ----a-w C:\WINDOWS\system32\nvcpluir.dll
2007-09-17 00:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 331,776 2006-03-20 19:43:16 C:\Program Files\AGEIA Technologies\bak\TrayIcon.exe

----a-w 102,400 2004-12-02 17:23:34 C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe
------w 102,400 2004-12-02 17:23:34 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

----a-w 35,328 2005-12-08 19:18:40 C:\Program Files\Winamp\bak\winampa.exe
----a-w 39,424 2007-08-22 02:50:34 C:\Program Files\Winamp\winampa.exe

----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 155,648 2001-07-09 18:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 08:34 C:\WINDOWS\RTHDCPL.exe]
"P17Helper"="P17.dll" [2005-05-03 12:38 C:\WINDOWS\system32\P17.dll]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-03-02 20:13]
"CTHelper"="CTHELPER.EXE" [2005-06-18 07:01 C:\WINDOWS\CTHELPER.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2007-09-02 16:02]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 12:32]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=?I?

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Creative Detector"=C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
"Alcmtr"=ALCMTR.EXE
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime

R3 P17;Sound Blaster Audigy;C:\WINDOWS\system32\drivers\P17.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 RivaTuner32;RivaTuner32;\??\C:\Program Files\RivaTuner v2.05\RivaTuner32.sys
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys
S3 scrcap;scrcap;C:\WINDOWS\system32\DRIVERS\scrcap.sys
S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac91ba86-d572-11db-9bdb-009096cd6312}]
AutoRun\command - J:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac91ba9e-d572-11db-9bdb-009096cd6312}]
AutoRun\command - J:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aca780e2-4300-11db-841e-806d6172696f}]
AutoRun\command - D:\bootcd\autorun.com

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-09 20:13:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-14 10:04:24 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-05 12:17:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-09-05 12:17:31 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-14 19:07:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-14 19:09:45
.
--- E O F ---


-HI_JACK_THIS:-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:11:02, on 14/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.co.uk
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1191752884906
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O20 - AppInit_DLLs: ?I?
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII\RpcSandraSrv.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7927 bytes
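As an added worked example (not code from the thread or from HijackThis, ComboFix or DSS): a Python triage pass over log lines in the formats posted above. It flags the three items the fix in this thread acts on: an AppInit_DLLs value that cannot be a DLL path, a BHO with no name and no backing file, and a hidden+system file in system32. The sample lines are constructed to mirror the posted logs, and the attribute string is assumed to use the nine-character DSS layout.

```python
"""Triage pass over HijackThis and Deckard's System Scanner style log lines.

Added example for this thread; not code from the forum, HijackThis, ComboFix
or DSS. It flags the three indicators the fix in the thread acts on: an
AppInit_DLLs value that cannot be a DLL path, a BHO with no name and no
backing file, and a hidden+system file sitting in system32.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines, modelled on the HijackThis log posted in the thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O20 - AppInit_DLLs: ?I?
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Constructed sample in the DSS file-listing format: date time size attrs path.
SAMPLE_FILES = r"""
2007-08-26 13:42:14 5 --ahs---- C:\WINDOWS\system32\fcfceaaada_g.dll
2007-07-29 16:55:56 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-09-05 18:41:19 0 d-------- C:\Program Files\Google
"""


@dataclass
class Finding:
    line: str
    reason: str


# Characters that can never appear in a Windows path; seeing one in
# AppInit_DLLs means the value is not a genuine list of DLLs.
_BAD_PATH_CHARS = set('?*"<>|')


def check_appinit(value: str) -> Optional[str]:
    """Return a reason if an AppInit_DLLs value looks wrong, else None."""
    value = value.strip()
    if not value:
        return None  # empty is the normal state on Windows XP
    if any(c in _BAD_PATH_CHARS or not c.isprintable() for c in value):
        return "AppInit_DLLs contains characters that cannot form a path"
    # Windows treats the value as a comma- or space-separated list of DLLs.
    for entry in re.split(r"[,;\s]+", value):
        if not entry.lower().endswith(".dll"):
            return f"AppInit_DLLs entry is not a .dll: {entry}"
    return None


def triage_hjt(log: str) -> List[Finding]:
    """Walk HijackThis O2/O20/O23 lines and collect suspicious entries."""
    findings: List[Finding] = []
    for line in log.strip().splitlines():
        if line.startswith("O2 - BHO:") and "(no name)" in line and "(no file)" in line:
            findings.append(Finding(line, "BHO registered with no name and no backing file"))
        elif line.startswith("O20 - AppInit_DLLs:"):
            reason = check_appinit(line.split(":", 1)[1])
            if reason:
                findings.append(Finding(line, reason))
        elif line.startswith("O23 - Service:") and "(file missing)" in line:
            findings.append(Finding(line, "service points at a binary that no longer exists"))
    return findings


# DSS line: "YYYY-MM-DD HH:MM:SS <size> <9-char attrs> <path>"
_FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)


def triage_files(listing: str) -> List[Finding]:
    """Flag non-directory files in system32 carrying both hidden and system bits."""
    findings: List[Finding] = []
    for line in listing.strip().splitlines():
        m = _FILE_LINE.match(line)
        if not m:
            continue  # other listing formats (e.g. Find3M) are skipped
        attrs, path = m["attrs"], m["path"]
        is_dir = attrs[0] == "d"
        hidden, system = "h" in attrs, "s" in attrs
        if not is_dir and hidden and system and "\\system32\\" in path.lower():
            findings.append(Finding(line, f"hidden+system file in system32 ({m['size']} bytes)"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT) + triage_files(SAMPLE_FILES):
        print(f"[{f.reason}]\n    {f.line}")
```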
Old 10-14-2007, 12:51 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,970
OS: WinXP and Vista


Re: ad.yieldmanager.com

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\WINDOWS\system32\fcfceaaada_g.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-

Save this as CFScript.txt, in the same location as ComboFix.exe.

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.


--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan". *The download of Panda's 8 MB ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real-time scanner of any existing antivirus program while performing the online scan.


--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Panda results
New HijackThis log


How is the system behaving now?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 10-14-2007, 02:52 PM   #8 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 10
OS: xp sp2


Re: ad.yieldmanager.com

ComboFix 07-10-14.4 - Oz 2007-10-14 21:11:22.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1578 [GMT 1:00]
Running from: C:\Documents and Settings\Oz\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Oz\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\fcfceaaada_g.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\fcfceaaada_g.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-14 to 2007-10-14 )))))))))))))))))))))))))))))))
.

2007-10-14 20:01 <DIR> d-------- C:\Documents and Settings\Oz\Application Data\InstallShield Installation Information
2007-10-14 19:59 <DIR> d-------- C:\Program Files\Unreal Tournament 3 Demo
2007-10-14 19:58 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-10-14 19:58 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-10-14 19:58 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-10-14 19:04 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-14 18:07 <DIR> d-------- C:\Deckard
2007-10-14 00:20 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-10-14 00:20 <DIR> d-------- C:\Documents and Settings\Oz\Application Data\SystemRequirementsLab
2007-10-14 00:13 <DIR> d-------- C:\WINDOWS\Sun
2007-10-14 00:12 <DIR> d-------- C:\Program Files\Java
2007-10-14 00:12 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-12 10:25 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-10-12 10:25 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-10-12 10:25 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-10-12 10:25 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-10-12 10:25 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-10-12 10:25 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-10-12 10:25 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-10-12 10:22 <DIR> d-------- C:\Program Files\Activision
2007-10-11 22:54 <DIR> d-------- C:\VundoFix Backups
2007-10-11 22:35 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-08 09:05 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-07 14:34 <DIR> d-------- C:\Program Files\RivaTuner v2.05
2007-10-07 00:42 <DIR> d-------- C:\WINDOWS\nview
2007-10-07 00:42 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-10-07 00:41 <DIR> d-------- C:\NVIDIA
2007-10-07 00:41 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-10-07 00:05 53,248 --a------ C:\WINDOWS\system32\CSVer.dll
2007-10-02 14:40 <DIR> d-------- C:\Program Files\Asus
2007-10-02 11:04 <DIR> d-------- C:\Program Files\Bonjour
2007-10-02 10:57 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-02 10:14 <DIR> d-------- C:\Program Files\VirtualDJ
2007-10-02 09:55 <DIR> d-------- C:\Program Files\MagicISO
2007-09-30 19:46 <DIR> d-------- C:\Documents and Settings\Oz\.assistant
2007-09-30 19:38 <DIR> d-------- C:\Program Files\Marvell
2007-09-27 22:24 <DIR> d-------- C:\Program Files\Sierra Entertainment
2007-09-27 22:24 <DIR> d-------- C:\Documents and Settings\Oz\Application Data\InstallShield
2007-09-27 22:23 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-09-25 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-24 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-09-24 10:26 47,357 --a------ C:\WINDOWS\system32\Keygen.exe
2007-09-21 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Screaming Bee
2007-09-21 19:32 <DIR> d-------- C:\Documents and Settings\Oz\Application Data\Screaming Bee
2007-09-21 19:24 <DIR> d-------- C:\Program Files\Common Files\Screaming Bee
2007-09-21 19:10 <DIR> d-------- C:\Program Files\AV Vcs 6.0 GOLD
2007-09-18 16:38 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2007-09-17 19:50 <DIR> d-------- C:\Program Files\Xfire
2007-09-17 19:50 <DIR> d-------- C:\Documents and Settings\Oz\Application Data\Xfire
2007-09-15 16:50 6,853,088 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-09-15 16:50 6,853,088 --a--c--- C:\WINDOWS\system32\dllcache\nv4_mini.sys
2007-09-15 16:50 5,783,040 --a------ C:\WINDOWS\system32\nv4_disp.dll
2007-09-15 16:50 5,783,040 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2007-09-14 23:54 <DIR> d-------- C:\Program Files\RegSupreme Pro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-14 19:06 --------- d-----w C:\Documents and Settings\Oz\Application Data\uTorrent
2007-10-14 18:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 18:57 --------- d-----w C:\Program Files\AGEIA Technologies
2007-10-14 11:36 --------- d-----w C:\Program Files\Steam
2007-10-12 09:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-08 11:52 --------- d-----w C:\Program Files\Microsoft Works
2007-10-06 23:55 --------- d-----w C:\Program Files\NVIDIA Corporation
2007-10-05 09:17 --------- d-----w C:\Program Files\a-squared Anti-Malware
2007-10-02 10:03 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-25 13:37 --------- d-----w C:\Program Files\QuickTime
2007-09-25 13:37 --------- d-----w C:\Program Files\Apple Software Update
2007-09-16 18:27 --------- d-----w C:\Documents and Settings\Oz\Application Data\Bioshock
2007-09-16 13:48 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-10 18:58 278,728 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2007-09-10 18:58 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2007-09-10 17:57 --------- d-----w C:\Documents and Settings\Oz\Application Data\DAEMON Tools Pro
2007-09-10 15:47 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-09-09 13:37 --------- d-----w C:\Program Files\NT Registry Optimizer
2007-09-08 16:45 --------- d-----w C:\Program Files\Diskeeper Corporation
2007-09-06 10:39 --------- d-----w C:\Program Files\Creative
2007-09-05 17:41 --------- d-----w C:\Program Files\Google
2007-09-05 13:09 --------- d-----w C:\Program Files\SiSoftware
2007-09-05 12:30 --------- d-----w C:\Documents and Settings\Oz\Application Data\Uniblue
2007-09-04 00:08 --------- d-----w C:\Program Files\Xvid
2007-09-03 19:30 --------- d-----w C:\Program Files\CyberLink
2007-09-02 07:56 --------- d-----w C:\Documents and Settings\Bill\Application Data\VersionTracker Pro
2007-08-30 19:00 --------- d-----w C:\Documents and Settings\Oz\Application Data\VersionTracker Pro
2007-08-30 18:59 --------- d-----w C:\Program Files\Winamp
2007-08-29 13:47 --------- d-----w C:\Program Files\TechTracker
2007-08-27 20:37 --------- d-----w C:\Program Files\CCleaner
2005-06-07 12:58 765,952 ----a-w C:\WINDOWS\system32\config\systemprofile\CRLDS3D.DLL
2005-06-07 12:58 765,952 ----a-w C:\Documents and Settings\Oz\CRLDS3D.DLL
2005-06-07 12:58 765,952 ----a-w C:\Documents and Settings\Default User\CRLDS3D.DLL
2005-06-07 12:58 765,952 ----a-w C:\Documents and Settings\Bill\CRLDS3D.DLL
.

((((((((((((((((((((((((((((( snapshot@2007-10-14_19.07.34.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-14 19:01:13 10,134 ----a-r C:\WINDOWS\Installer\{3266FEA9-98E9-448B-B235-DAC63D4CE781}\ARPPRODUCTICON.exe
+ 2007-10-14 19:01:13 8,854 ----a-r C:\WINDOWS\Installer\{3266FEA9-98E9-448B-B235-DAC63D4CE781}\UNINST_Uninstall_U_60A1F671743240AA8B648B7E9493FFD4.exe
- 2007-07-22 16:39:56 199,885 ----a-w C:\WINDOWS\system32\ageia\AG1011\app.bin
+ 2007-07-24 07:20:06 207,405 ----a-w C:\WINDOWS\system32\ageia\AG1011\app.bin
- 2007-06-25 19:37:06 114,217 ----a-w C:\WINDOWS\system32\ageia\AG1021\diag.bin
+ 2007-05-16 07:42:44 105,981 ----a-w C:\WINDOWS\system32\ageia\AG1021\diag.bin
+ 2007-09-13 06:43:00 120,320 -c--a-w C:\WINDOWS\system32\DRVSTORE\PhysX32_FFB51AAB1A2BF852A002A5B1138133BBA89337D4\physX32.sys
- 2007-06-19 07:59:36 70,400 ----a-w C:\WINDOWS\system32\PhysXLoader.dll
+ 2007-09-13 08:45:50 70,944 ----a-w C:\WINDOWS\system32\PhysXLoader.dll
+ 2007-10-14 20:16:26 35,850,501 ----a-w C:\WINDOWS\Temp\a2cache_0F850D93.dat
+ 2007-10-14 20:16:04 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6a0.dat
+ 2007-10-14 20:16:08 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_714.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 331,776 2006-03-20 19:43:16 C:\Program Files\AGEIA Technologies\bak\TrayIcon.exe

----a-w 102,400 2004-12-02 17:23:34 C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe
------w 102,400 2004-12-02 17:23:34 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

----a-w 35,328 2005-12-08 19:18:40 C:\Program Files\Winamp\bak\winampa.exe
----a-w 39,424 2007-08-22 02:50:34 C:\Program Files\Winamp\winampa.exe

----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 155,648 2001-07-09 18:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 08:34 C:\WINDOWS\RTHDCPL.exe]
"P17Helper"="P17.dll" [2005-05-03 12:38 C:\WINDOWS\system32\P17.dll]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-03-02 20:13]
"CTHelper"="CTHELPER.EXE" [2005-06-18 07:01 C:\WINDOWS\CTHELPER.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2007-09-02 16:02]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 12:32]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Creative Detector"=C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
"Alcmtr"=ALCMTR.EXE
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime

R3 P17;Sound Blaster Audigy;C:\WINDOWS\system32\drivers\P17.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 RivaTuner32;RivaTuner32;\??\C:\Program Files\RivaTuner v2.05\RivaTuner32.sys
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys
S3 scrcap;scrcap;C:\WINDOWS\system32\DRIVERS\scrcap.sys
S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac91ba86-d572-11db-9bdb-009096cd6312}]
AutoRun\command - J:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac91ba9e-d572-11db-9bdb-009096cd6312}]
AutoRun\command - J:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aca780e2-4300-11db-841e-806d6172696f}]
AutoRun\command - D:\bootcd\autorun.com

.
Contents of the 'Scheduled Tasks' folder
"2007-10-09 20:13:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-14 20:19:03 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-05 12:17:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-09-05 12:17:31 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-14 21:16:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-14 21:29:33 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-14 19:09
.
--- E O F ---



Incident Status Location

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.advertising.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.adviva.net/]
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.anm.co.uk/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.overture.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7wl9dcaw.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Bill\Cookies\bill@ad.yieldmanager[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Bill\Cookies\bill@apmebf[1].txt
Spyware:Cookie/Casinotropez Not disinfected C:\Documents and Settings\Bill\Cookies\bill@casinotropez[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.247realmedia.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.atdmt.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.adtech.de/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.adserver.easyad.info/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.adtech.de/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.adserver.easyad.info/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.doubleclick.net/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.azjmp.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.adrevolver.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.as-eu.falkag.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.2o7.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.statcounter.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.bluestreak.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.serving-sys.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.questionmarket.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.fastclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.mediaplex.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.advertising.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[statse.webtrendslive.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.zedo.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.com.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.zedo.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.clickbank.net/]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.spylog.com/]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.hotlog.ru/]
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.sexlist.com/]
Spyware:Cookie/7search Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.7search.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.tradedoubler.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.systemdoctor.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[searchportal.information.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.tribalfusion.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.burstnet.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.apmebf.com/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[counter.hitslink.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.toplist.cz/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.ads.pointroll.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.perf.overture.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.xiti.com/]
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.paycounter.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.yadro.ru/]
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[.findwhat.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies-1.txt[statse.webtrendslive.com/S152628]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.tickle.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.overture.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.com.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Oz\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Oz\Cookies\oz@adrevolver[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Oz\Cookies\oz@ads.pointroll[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Oz\Cookies\oz@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Oz\Cookies\oz@atdmt[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Oz\Cookies\oz@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Oz\Cookies\oz@doubleclick[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Oz\Cookies\oz@media.adrevolver[3].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Oz\Cookies\oz@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Oz\Cookies\oz@questionmarket[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Oz\Cookies\oz@tradedoubler[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Oz\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Oz\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Oz\Local Settings\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\Cache\7ED6F4AAd01[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Oz\Local Settings\Application Data\Mozilla\Firefox\Profiles\y3puy4vo.default\Cache\7ED6F4AAd01[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:51:00, on 14/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.co.uk
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1191752884906
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab55762.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII\RpcSandraSrv.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8188 bytes

Last edited by Oz_Law; 10-14-2007 at 02:53 PM.
Old 10-14-2007, 05:36 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,970
OS: WinXP and Vista


Re: ad.yieldmanager.com

Hi,

Use CCleaner to take care of all those undesirable cookies reported by Panda. Be sure to 'check' the cookies box for Firefox browser as well. (In the Application Tab)


How is the system behaving now?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 10-15-2007, 07:30 AM   #10 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 10
OS: xp sp2


Re: ad.yieldmanager.com

Hi,
My internet seems to load pages much quicker now :D. I think what the problem was is that when running CCleaner before, it was only in my directory rather than my dad's as well, so he got a clog of cookies and other stuff. So cheers for the help Ried, I appreciate your time.

oz.

PS. Is there any way to get CCleaner to scan the whole computer?
Old 10-15-2007, 09:37 AM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,970
OS: WinXP and Vista


Re: ad.yieldmanager.com

Hi Oz_Law,

From CCleaner FAQ:
Quote:
At the moment CCleaner supports cleaning the current user's account only. This may change in a future release.
Just install it on your Dad's account as well, and you'll have to run it from there periodically.
Old 10-15-2007, 12:09 PM   #12 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 10
OS: xp sp2


Re: ad.yieldmanager.com

Cheers mate, you've been a hell of a lot of help but...

This may sound burdening, but I just got a Party Poker pop-up. I installed it AGES ago, and the C***S are still lingering in my system. It's the only pop-up I've got for ages.

Running HijackFree, I saw these entries:

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll

Would this have to do with it?
Old 10-15-2007, 12:19 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,970
OS: WinXP and Vista


Re: ad.yieldmanager.com

It's not a burden.

Yes. Run a scan with HijackThis and check those 2 entries, then click 'Fix Checked'.
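The log in the opening post and the two PartyPoker.net O9 lines discussed just above are the kind of thing a HijackThis reader triages by eye. The script below is an added example, written for this page and not part of the thread, of HijackThis or of any other tool: it parses the O2, O4, O9, O16 and O23 line shapes exactly as they appear in the log and attaches a few review flags (a Run value that is a bare file name, an IE button whose handler is shdocvw.dll, an ActiveX download from a host outside an allow-list, a service with "Unknown owner" or "(file missing)"). The flag names, the TRUSTED_DPF_HOSTS allow-list and the SAMPLE_LOG are assumptions for illustration; SAMPLE_LOG mixes lines copied from the log above with constructed O16 URLs, since the page shows those URLs truncated.

```python
"""Triage helper for Trend Micro HijackThis v2.0 log lines.

Added example, not part of the forum thread and not HijackThis code. It parses
the O2/O4/O9/O16/O23 line shapes seen in the thread's log and applies a few of
the checks a log reader does by eye. The flag names, the allow-list and
SAMPLE_LOG are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts accepted for O16 (Downloaded Program Files / ActiveX) entries.
# Assumption for this example; tune it to the environment being reviewed.
TRUSTED_DPF_HOSTS = ("update.microsoft.com", "messenger.zone.msn.com")

GUID = r"\{[0-9A-Fa-f-]{36}\}"


@dataclass
class Entry:
    kind: str        # O2 (BHO), O4 (Run value), O9 (IE button), O16 (DPF), O23 (service)
    name: str
    guid: str = ""
    path: str = ""
    url: str = ""
    owner: str = ""  # registry hive for O4, publisher string for O23
    flags: list = field(default_factory=list)


PATTERNS = [
    ("O2", re.compile(r"O2 - BHO: (?P<name>.*?) - (?P<guid>" + GUID + r") - (?P<path>.*)$")),
    ("O4", re.compile(r"O4 - (?P<owner>HK.*?)\\\.\.\\Run: \[(?P<name>.*?)\] (?P<path>.*)$")),
    ("O9", re.compile(r"O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - (?P<guid>"
                      + GUID + r") - (?P<path>.*)$")),
    ("O16", re.compile(r"O16 - DPF: (?P<guid>" + GUID + r") \((?P<name>.*?)\) - (?P<url>\S+)$")),
    ("O23", re.compile(r"O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")),
]


def parse_line(line: str):
    """Return an Entry for a recognised HJT line, or None for anything else."""
    line = line.strip()
    for kind, pat in PATTERNS:
        m = pat.match(line)
        if m:
            return Entry(kind=kind, **m.groupdict())
    return None


def triage(e: Entry) -> Entry:
    """Attach review flags; an empty flags list means nothing stood out."""
    if e.kind == "O4":
        # A bare file name in a Run value is located by CreateProcess's search
        # order rather than an explicit path, so it can be shadowed.
        tokens = e.path.split()
        token = e.path.split('"')[1] if e.path.startswith('"') else (tokens[0] if tokens else "")
        if token and "\\" not in token and "/" not in token:
            e.flags.append("bare-filename-path-search")
    elif e.kind == "O9":
        # A button handled by shdocvw.dll is defined only by registry data under
        # IE's Extensions key; the display name is the only clue to its origin.
        if e.path.lower().endswith("shdocvw.dll"):
            e.flags.append("registry-only-button-review")
    elif e.kind == "O16":
        host = (urlparse(e.url).hostname or "").lower()
        if not any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS):
            e.flags.append("dpf-host-not-allow-listed")
    elif e.kind == "O23":
        if e.owner == "Unknown owner":
            e.flags.append("unknown-owner")
        if "(file missing)" in e.path:
            e.flags.append("file-missing")
        if e.owner == "Unknown owner" and e.path.lower().startswith("c:\\windows\\system32\\"):
            e.flags.append("unknown-owner-in-system32")
    return e


def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def flagged(text: str) -> dict:
    """Map entry name -> flags for every entry that raised at least one."""
    return {e.name: e.flags for e in map(triage, parse_log(text)) if e.flags}


# Constructed sample: lines copied from the thread's log plus two made-up O16 URLs.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/muweb_site.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/asinst.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

if __name__ == "__main__":
    for name, flags in flagged(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(flags)}")
```

A flag is a prompt to look, not a verdict: the PnkBstrB service and the bare RTHDCPL.EXE Run value in the thread's log are both legitimate (PunkBuster and a Realtek audio applet), and a reader still has to confirm that from the publisher, the file on disk and its signature before ticking anything in 'Fix Checked'.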
Old 10-15-2007, 12:22 PM   #14 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 10
OS: xp sp2


Re: ad.yieldmanager.com

I'll tell you if it makes a difference or if it happens again; if not, THANK YOU!
Old 10-18-2007, 08:40 AM   #15 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 10
OS: xp sp2


Re: ad.yieldmanager.com

Hi, system running fine :)

Is it alright if I delete the Deckard scanner's backup? 'Cos the file is 28GB lol
Old 10-18-2007, 09:30 AM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,970
OS: WinXP and Vista


Re: ad.yieldmanager.com

That's good to hear.

I have something better in mind for you. The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u


--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and, based on their findings, rate each as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.
Old 10-18-2007, 01:26 PM   #17 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 10
OS: xp sp2


Re: ad.yieldmanager.com

Wow, thank you very much, you have been A LOT of help
Old 10-18-2007, 09:20 PM   #18 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,970
OS: WinXP and Vista


Re: ad.yieldmanager.com

You're welcome, take care Oz
Copyright 2001 - 2009, Tech Support Forum