Old 10-20-2007, 03:32 AM   #1 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 61
OS: win xp


help me please..systems admin been takenover

Please help me, I am really stuck on this one. My computer won't let me do anything like update anti-virus (I did download a whole new one which found a virus but still hasn't fixed my problem; I also ran Spyware BeGone, same result). I can't get into Control Panel or Users or anything; I keep getting a window saying "contact your systems administrator", which is no one on my comp. I also get system alerts all the time halting whatever I am doing, and if I click it, it takes me to some site to buy a program to fix all!! (Yeah right, I may be blonde but even I ain't falling for that!) Please help me, I have done about all I know how and I really want my baby back! Thanks heaps.

zerbet is offline  
Old 10-22-2007, 03:59 AM   #2 (permalink)
Analyst, Security Team
 
 
Join Date: Aug 2007
Posts: 172
OS: XP/Vista


Re: help me please..systems admin been takenover

Hi zerbet and welcome to the Tech Support Forums.

HijackThis logs can take a little time to research so please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Finally, please reply to this thread. Do not start a new topic.
1 - Install HijackThis
Download a copy of HJTInstall.exe from >here< and save it to your Desktop.
  • Double click HJTinstall.exe to begin installation.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install, then I accept. A HijackThis icon will be created on the desktop and Hijackthis will launch.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  • In Notepad, click the Format menu and make sure that Wordwrap is NOT ticked. If it is then click on it to UNtick it.
  • Click Edit > Select All then Edit > Copy
  • Paste (Ctrl+V) the content with your next reply.
  • Do NOT use the Analyse This button in HijackThis. Its findings are dangerous if misinterpreted.
  • Do NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Thanks
Vino

__________________


Vino Rosso

The help we provide at Tech Support Forums is free. Any donation to help keep us online would be appreciated.
Vino Rosso is offline  
Old 10-22-2007, 01:36 PM   #3 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 61
OS: win xp


Re: help me please..systems admin been takenover

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:07 AM, on 10/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\printer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\spywarebegone\SpywareBeGone.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\DllHost.exe
c:\windows\system32\rlvknlg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Spyware Begone] "C:\spywarebegone\SpywareBeGone.exe" -FastScan
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1190280802687
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{959C980D-6A13-4BBC-8B6E-7727A008DDE7}: NameServer = 203.109.129.67 203.109.129.68
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8205 bytes
Thank you sooo much for your help, this is amazing. I will recommend you guys to everyone I know. Thanks sooo much.
zerbet is offline  
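As an added illustration (not code from this thread, nor from the HijackThis/Trend Micro project), the Python script below parses HijackThis-style entry lines like the ones in the log above, flags the entry types that stand out in it (the modified Winlogon Shell, the DisableRegedit policy entries, unknown Winsock LSP files, the added Trusted Zone site, the AppInit_DLLs value and bare executables in a Startup folder), and diffs two logs to list what a cleanup removed. The flagging rules are heuristics chosen for this example, not HijackThis's own analysis. The BEFORE sample is a subset of the log posted above; the AFTER sample is a constructed post-cleanup subset, not a log from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


# One HijackThis entry: the section tag (F2, O4, O10 ...) and the rest of the line.
@dataclass(frozen=True)
class Entry:
    section: str
    body: str


# Entry lines look like "O10 - Unknown file in Winsock LSP: ..."; process lists and headers do not match.
LINE_RE = re.compile(r"^(?P<section>[FRO]\d+)\s+-\s+(?P<body>.+)$")


def parse_hjt(text: str) -> List[Entry]:
    """Return the entry lines of a HijackThis log, in order, skipping everything else."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body").strip()))
    return entries


def flag(entry: Entry) -> Optional[str]:
    """Heuristic rules for this example (not HijackThis's own verdicts): return a reason or None."""
    s, b = entry.section, entry.body
    if s == "F2" and "Shell=" in b:
        # The Winlogon Shell value should be exactly Explorer.exe; anything appended runs at every logon.
        shell = b.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return "Winlogon Shell runs extra program: " + shell
    if s == "O7" and re.search(r"Disable(Regedit|TaskMgr)=1", b):
        # Policy values that lock the user out of regedit / Task Manager.
        return "policy restricts admin tools: " + b
    if s == "O10" and b.startswith("Unknown file in Winsock LSP: "):
        # An LSP sits in the network path of every Winsock application; an unknown file needs checking.
        return "unknown Winsock LSP: " + b.split(": ", 1)[1]
    if s == "O15" and b.startswith("Trusted Zone: "):
        return "site added to IE Trusted Zone: " + b.split(": ", 1)[1]
    if s == "O20" and b.startswith("AppInit_DLLs: "):
        # AppInit_DLLs is loaded into every process that loads user32.dll.
        return "AppInit_DLLs entry: " + b.split(": ", 1)[1]
    if s == "O4" and re.match(r"(Global )?Startup: [^\\/]+\.exe$", b, re.I):
        # A bare .exe dropped straight into a Startup folder (shortcuts there are normally .lnk).
        return "bare executable in Startup folder: " + b.split(": ", 1)[1]
    return None


def triage(text: str) -> List[str]:
    """Deduplicate entries (HijackThis repeats LSP lines) and collect flag reasons in log order."""
    reasons = []
    for entry in dict.fromkeys(parse_hjt(text)):
        reason = flag(entry)
        if reason and reason not in reasons:
            reasons.append(reason)
    return reasons


def removed_between(before: str, after: str) -> List[Entry]:
    """Entries present in the first log but missing from the second: what a cleanup took out."""
    still_there = set(parse_hjt(after))
    return [e for e in dict.fromkeys(parse_hjt(before)) if e not in still_there]


# Sample input: a subset of the HijackThis log posted in this thread.
BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\printer.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: system.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O15 - Trusted Zone: *.whataboutadog.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
"""

# Constructed post-cleanup subset (not a log from the thread): the entries a clean log would keep.
AFTER = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
"""

if __name__ == "__main__":
    for reason in triage(BEFORE):
        print("FLAG:", reason)
    for e in removed_between(BEFORE, AFTER):
        print("REMOVED:", e.section, "-", e.body)
```

The unknown-LSP rule fires on nwprovau.dll in both samples; that file is a Microsoft NetWare client component and survives the cleanup, which is the point of keeping the rule coarse: a flag is a prompt to verify the file, not a verdict, in the same spirit as the analyst's warning not to let HijackThis fix anything until each line has been checked.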
Old 10-22-2007, 03:16 PM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Aug 2007
Posts: 172
OS: XP/Vista


Re: help me please..systems admin been takenover

Hi

1 - Scan With ComboFix
Download ComboFix from >Tech Support Forum< or >Bleeping Computer< to your Desktop
Close ALL windows
Physically disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
Double click combofix.exe and follow the prompts
When finished, the program will produce a log
Please post the log in your next reply

Please Note:
  1. Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash.
  2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
2 - Status Check
Please reply with
  1. the ComboFix log
  2. a fresh HijackThis log
Thanks
Vino
Vino Rosso is offline  
Old 10-22-2007, 09:29 PM   #5 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 61
OS: win xp


Re: help me please..systems admin been takenover

ComboFix 07-10-23.2 - jacinta 2007-10-23 17:09:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.156 [GMT 13:00]
Running from: C:\Documents and Settings\jacinta\My Documents\My Music\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\jacinta\Desktop\internet.lnk
C:\Documents and Settings\jacinta\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\logan and hunter\Desktop\internet.lnk
C:\Documents and Settings\logan and hunter\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\trent\Desktop\internet.lnk
C:\Documents and Settings\trent\Start Menu\Programs\Startup\system.exe
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1191696826.old
C:\Program Files\WinBudget\bin\crap.1192311387.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\WinBudget\bin\matrix.dll.1192311385.old
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\8_exception.nls
C:\WINDOWS\system32\ldpackage.dll
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\nsp26.dll
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\rlls.dll
C:\WINDOWS\system32\rlvknlg.exe
C:\WINDOWS\system32\rlxf.dll
C:\WINDOWS\system32\sulimo.dat
C:\WINDOWS\system32\vtr.dll
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\xlavra3.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NWSAPAGENT
-------\NwSapAgent
-------\runtime


((((((((((((((((((((((((( Files Created from 2007-09-23 to 2007-10-23 )))))))))))))))))))))))))))))))
.

2007-10-23 17:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 09:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-23 08:58 16,384 --a------ C:\WINDOWS\xlavba3.exe
2007-10-21 17:33 20,992 --a------ C:\WINDOWS\dravic.exe
2007-10-20 22:30 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-20 22:30 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-10-20 22:30 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-10-20 22:30 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-20 22:30 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-20 22:30 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-20 22:30 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-20 22:30 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-19 15:21 <DIR> d-------- C:\BTT0AAW1
2007-10-18 15:27 <DIR> d-------- C:\spywarebegone
2007-10-18 15:27 724,992 --a------ C:\WINDOWS\iun6002.exe
2007-10-18 15:17 <DIR> d-------- C:\Documents and Settings\jacinta\Application Data\AntiSpyware
2007-10-17 00:01 <DIR> d-------- C:\Program Files\Video Add-on
2007-10-16 21:23 4,096 --a------ C:\WINDOWS\d3dx.dat
2007-10-15 13:15 <DIR> d-------- C:\BUTTERFLYEFFECT2_RETAIL
2007-10-14 23:06 <DIR> d-------- C:\Diablo
2007-10-14 23:06 86,528 --a------ C:\WINDOWS\bnetunin.exe
2007-10-14 23:06 61,440 --a------ C:\WINDOWS\diabswun.exe
2007-10-14 13:25 <DIR> d-------- C:\Program Files\Fada-soft
2007-10-13 11:49 <DIR> d-------- C:\Program Files\MyPlayCity.com
2007-10-12 23:50 <DIR> d-------- C:\Program Files\Out Of The World
2007-10-12 23:50 <DIR> d-------- C:\Program Files\myplaycity_WhenUSave_Installer
2007-10-12 06:20 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-11 12:42 79,832 --a------ C:\WINDOWS\system32\adssite-remove.exe
2007-10-11 12:42 40,733 --a------ C:\WINDOWS\system32\rightonadz-uninst.exe
2007-10-10 23:24 63,488 --a------ C:\WINDOWS\system32\gzmrotate.dll
2007-10-09 22:35 <DIR> d-------- C:\Program Files\Yahoo!
2007-10-06 15:26 <DIR> d-------- C:\WINDOWS\system32\drivers\bak
2007-10-06 15:26 <DIR> d-------- C:\WINDOWS\system32\bak
2007-09-28 16:34 <DIR> d-------- C:\Program Files\BMTA
2007-09-28 16:34 164,352 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-09-28 16:34 6,318 --a------ C:\WINDOWS\system32\SpoonUninstall-STABILO BOSSMANIA.dat
2007-09-28 16:34 516 --a------ C:\WINDOWS\system32\SpoonUninstall-BOSS MINI TATTOO ATTACK.dat
2007-09-28 16:33 <DIR> d-------- C:\Program Files\BOSSMANIA
2007-09-25 22:07 <DIR> d-------- C:\TMNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 04:16 --------- d-----w C:\Documents and Settings\jacinta\Application Data\Free Download Manager
2007-10-18 21:46 --------- d-----w C:\Program Files\LimeWire
2007-10-06 19:00 --------- d-----w C:\Documents and Settings\jacinta\Application Data\AVG7
2007-10-06 02:33 --------- d-----w C:\Program Files\Zune
2007-10-06 02:33 --------- d-----w C:\Program Files\QuickTime
2007-10-06 02:31 28,172 ----a-w C:\WINDOWS\system32\drivers\STDSB.exe
2007-10-06 02:31 28,172 ----a-w C:\WINDOWS\system32\drivers\Icon.exe
2007-10-05 21:51 --------- d-----w C:\Documents and Settings\logan and hunter\Application Data\AVG7
2007-10-05 19:00 --------- d-----w C:\Documents and Settings\trent\Application Data\AVG7
2007-09-30 21:52 0 ----a-w C:\WINDOWS\system32\drivers\eicon.txt
2007-09-28 06:53 189,824 ----a-w C:\Documents and Settings\jacinta\Application Data\GDIPFONTCACHEV1.DAT
2007-09-27 02:25 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-22 09:57 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-09-18 20:44 --------- d-----w C:\Program Files\Sony
2007-09-18 20:35 --------- d-----w C:\Program Files\RegClean
2007-09-18 04:02 --------- d-----w C:\Documents and Settings\jacinta\Application Data\RegClean
2007-09-18 03:47 --------- d-----w C:\Documents and Settings\jacinta\Application Data\Uniblue
2007-09-16 06:32 --------- d-----w C:\Program Files\Drug Lord 2
2007-09-15 06:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-15 04:33 --------- d-----w C:\Program Files\Java
2007-09-15 04:32 --------- d-----w C:\Program Files\Common Files\Java
2007-09-14 04:43 --------- d-----w C:\Program Files\Dynalink
2007-09-13 23:24 --------- d-----w C:\Documents and Settings\jacinta\Application Data\Sony Corporation
2007-08-25 05:42 --------- d-----w C:\Program Files\Disney Interactive
2007-07-23 06:58 2,220 ----a-w C:\Documents and Settings\jacinta\Application Data\wklnhst.dat
2006-10-29 00:41 137,904 ----a-w C:\Documents and Settings\trent\Application Data\GDIPFONTCACHEV1.DAT
2006-06-25 02:58 0 ----a-w C:\Documents and Settings\logan and hunter\Application Data\wklnhst.dat
2006-05-29 10:34 5,037,072 ----a-w C:\Documents and Settings\jacinta\spybotsd14.exe
2006-05-27 06:49 2,855,080 ----a-w C:\Documents and Settings\jacinta\aawsepersonal.exe
2006-05-22 22:08 532,616 ----a-w C:\Documents and Settings\jacinta\ImageResizerPowertoySetup.exe
2004-03-11 01:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 127,118 2005-05-11 00:48:02 C:\APPS\Powercinema\bak\PCMService.exe
----a-w 28,172 2007-10-06 02:31:07 C:\APPS\Powercinema\PCMService.exe

----a-w 40,048 2007-05-10 1532 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

----a-w 180,269 2006-02-17 16:36:52 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 16,384 2003-08-18 23:47:00 C:\Program Files\Dynalink\Adsl\bak\dslagent.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Dynalink\Adsl\dslagent.exe

----a-w 299,008 2002-07-16 16:18:00 C:\Program Files\Dynalink\Adsl\bak\dslstat.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Dynalink\Adsl\dslstat.exe

----a-w 421,888 2007-09-14 04:16:13 C:\Program Files\Grisoft\AVG7\bak\avgcc.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Grisoft\AVG7\avgcc.exe

----a-w 75,520 2007-05-01 16:15:50 C:\Program Files\Java\jre1.5.0_12\bin\bak\jusched.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe

----a-w 77,824 2006-05-11 23:36:43 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\QuickTime\qttask.exe

----a-w 45,056 2005-04-25 21:08:26 C:\Program Files\Realtek\InstallShield\bak\AzMixerSel.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

----a-w 49,152 2003-05-07 23:00:58 C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

----a-w 688,218 2005-03-10 05:43:30 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

----a-w 98,394 2005-03-10 05:44:34 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

----a-w 24,104 2007-03-14 05:03:04 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Zune\ZuneLauncher.exe

----a-w 208,952 2004-08-04 07:00:00 C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.EXE
----a-w 208,952 2004-08-04 01:00:00 C:\WINDOWS\ime\IMJP8_1\imjpmig.exe

----a-w 15,360 2004-08-04 07:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 01:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-07-18 2212 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 114,688 2005-07-18 22:10:06 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 94,208 2005-07-18 22:09:26 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 155,648 2001-07-08 23:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe
----a-w 28,172 2007-10-06 02:31:07 C:\WINDOWS\system32\NeroCheck.exe

----a-w 221,184 2005-08-23 02:51:58 C:\WINDOWS\system32\drivers\bak\Icon.exe
----a-w 28,172 2007-10-06 02:31:07 C:\WINDOWS\system32\drivers\Icon.exe

----a-w 28,672 2003-12-17 03:50:44 C:\WINDOWS\system32\drivers\bak\STDSB.exe
----a-w 28,172 2007-10-06 02:31:07 C:\WINDOWS\system32\drivers\STDSB.exe

----a-w 455,168 2004-08-04 07:00:00 C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE
----a-w 455,168 2004-08-04 01:00:00 C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 14:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-10-06 15:31]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 17:28 C:\WINDOWS\RTHDCPL.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-06 15:31]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 22:06]
"WinAVX"="C:\WINDOWS\system32\WinAvXX.exe" [2007-10-17 00:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 05:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"Spyware Begone"="C:\spywarebegone\SpywareBeGone.exe" [2006-03-22 13:06]
"WinAVX"="C:\WINDOWS\system32\WinAvXX.exe" [2007-10-17 00:01]

C:\Documents and Settings\jacinta\Start Menu\Programs\Startup\
system.exe [2007-10-17 00:01:25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\system32\printer.exe"

R2 MTC0007_STDSB;Scroll Bar Driver;C:\WINDOWS\system32\drivers\STDSB.sys
S2 STDSB;STDSB;C:\WINDOWS\system32\DRIVERS\STDSB.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
S3 wanusb;GlobespanVirata USB ADSL WAN Modem;C:\WINDOWS\system32\DRIVERS\gwausb.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-21 04:59:00 C:\WINDOWS\Tasks\Ad-Aware SE Personal.job"
"2007-10-18 02:17:44 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- C:\Program Files\AntiSpywareApp\AntiSpyware.exe
"2007-10-19 05:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2007-10-09 14:30:00 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.exe
"2007-10-21 04:58:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy.job"
- C:\PROGRA~1\SPYBOT~1\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 17:19:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\printer.exe 7680 bytes executable
C:\WINDOWS\system32\WinAvXX.exe 7680 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2007-10-23 17:24:27 - machine was rebooted
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:28:05 PM, on 10/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Spyware Begone] "C:\spywarebegone\SpywareBeGone.exe" -FastScan
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.doginhispen.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1190280802687
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{959C980D-6A13-4BBC-8B6E-7727A008DDE7}: NameServer = 203.109.129.67 203.109.129.68
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7185 bytes

ComboFix 07-10-23.2 - jacinta 2007-10-23 17:09:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.156 [GMT 13:00]
Running from: C:\Documents and Settings\jacinta\My Documents\My Music\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\jacinta\Desktop\internet.lnk
C:\Documents and Settings\jacinta\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\logan and hunter\Desktop\internet.lnk
C:\Documents and Settings\logan and hunter\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\trent\Desktop\internet.lnk
C:\Documents and Settings\trent\Start Menu\Programs\Startup\system.exe
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1191696826.old
C:\Program Files\WinBudget\bin\crap.1192311387.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\WinBudget\bin\matrix.dll.1192311385.old
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\8_exception.nls
C:\WINDOWS\system32\ldpackage.dll
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\nsp26.dll
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\rlls.dll
C:\WINDOWS\system32\rlvknlg.exe
C:\WINDOWS\system32\rlxf.dll
C:\WINDOWS\system32\sulimo.dat
C:\WINDOWS\system32\vtr.dll
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\xlavra3.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NWSAPAGENT
-------\NwSapAgent
-------\runtime


((((((((((((((((((((((((( Files Created from 2007-09-23 to 2007-10-23 )))))))))))))))))))))))))))))))
.

2007-10-23 17:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 09:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-23 08:58 16,384 --a------ C:\WINDOWS\xlavba3.exe
2007-10-21 17:33 20,992 --a------ C:\WINDOWS\dravic.exe
2007-10-20 22:30 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-20 22:30 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-10-20 22:30 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-10-20 22:30 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-20 22:30 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-20 22:30 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-20 22:30 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-20 22:30 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-19 15:21 <DIR> d-------- C:\BTT0AAW1
2007-10-18 15:27 <DIR> d-------- C:\spywarebegone
2007-10-18 15:27 724,992 --a------ C:\WINDOWS\iun6002.exe
2007-10-18 15:17 <DIR> d-------- C:\Documents and Settings\jacinta\Application Data\AntiSpyware
2007-10-17 00:01 <DIR> d-------- C:\Program Files\Video Add-on
2007-10-16 21:23 4,096 --a------ C:\WINDOWS\d3dx.dat
2007-10-15 13:15 <DIR> d-------- C:\BUTTERFLYEFFECT2_RETAIL
2007-10-14 23:06 <DIR> d-------- C:\Diablo
2007-10-14 23:06 86,528 --a------ C:\WINDOWS\bnetunin.exe
2007-10-14 23:06 61,440 --a------ C:\WINDOWS\diabswun.exe
2007-10-14 13:25 <DIR> d-------- C:\Program Files\Fada-soft
2007-10-13 11:49 <DIR> d-------- C:\Program Files\MyPlayCity.com
2007-10-12 23:50 <DIR> d-------- C:\Program Files\Out Of The World
2007-10-12 23:50 <DIR> d-------- C:\Program Files\myplaycity_WhenUSave_Installer
2007-10-12 06:20 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-11 12:42 79,832 --a------ C:\WINDOWS\system32\adssite-remove.exe
2007-10-11 12:42 40,733 --a------ C:\WINDOWS\system32\rightonadz-uninst.exe
2007-10-10 23:24 63,488 --a------ C:\WINDOWS\system32\gzmrotate.dll
2007-10-09 22:35 <DIR> d-------- C:\Program Files\Yahoo!
2007-10-06 15:26 <DIR> d-------- C:\WINDOWS\system32\drivers\bak
2007-10-06 15:26 <DIR> d-------- C:\WINDOWS\system32\bak
2007-09-28 16:34 <DIR> d-------- C:\Program Files\BMTA
2007-09-28 16:34 164,352 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-09-28 16:34 6,318 --a------ C:\WINDOWS\system32\SpoonUninstall-STABILO BOSSMANIA.dat
2007-09-28 16:34 516 --a------ C:\WINDOWS\system32\SpoonUninstall-BOSS MINI TATTOO ATTACK.dat
2007-09-28 16:33 <DIR> d-------- C:\Program Files\BOSSMANIA
2007-09-25 22:07 <DIR> d-------- C:\TMNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 04:16 --------- d-----w C:\Documents and Settings\jacinta\Application Data\Free Download Manager
2007-10-18 21:46 --------- d-----w C:\Program Files\LimeWire
2007-10-06 19:00 --------- d-----w C:\Documents and Settings\jacinta\Application Data\AVG7
2007-10-06 02:33 --------- d-----w C:\Program Files\Zune
2007-10-06 02:33 --------- d-----w C:\Program Files\QuickTime
2007-10-06 02:31 28,172 ----a-w C:\WINDOWS\system32\drivers\STDSB.exe
2007-10-06 02:31 28,172 ----a-w C:\WINDOWS\system32\drivers\Icon.exe
2007-10-05 21:51 --------- d-----w C:\Documents and Settings\logan and hunter\Application Data\AVG7
2007-10-05 19:00 --------- d-----w C:\Documents and Settings\trent\Application Data\AVG7
2007-09-30 21:52 0 ----a-w C:\WINDOWS\system32\drivers\eicon.txt
2007-09-28 06:53 189,824 ----a-w C:\Documents and Settings\jacinta\Application Data\GDIPFONTCACHEV1.DAT
2007-09-27 02:25 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-22 09:57 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-09-18 20:44 --------- d-----w C:\Program Files\Sony
2007-09-18 20:35 --------- d-----w C:\Program Files\RegClean
2007-09-18 04:02 --------- d-----w C:\Documents and Settings\jacinta\Application Data\RegClean
2007-09-18 03:47 --------- d-----w C:\Documents and Settings\jacinta\Application Data\Uniblue
2007-09-16 06:32 --------- d-----w C:\Program Files\Drug Lord 2
2007-09-15 06:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-15 04:33 --------- d-----w C:\Program Files\Java
2007-09-15 04:32 --------- d-----w C:\Program Files\Common Files\Java
2007-09-14 04:43 --------- d-----w C:\Program Files\Dynalink
2007-09-13 23:24 --------- d-----w C:\Documents and Settings\jacinta\Application Data\Sony Corporation
2007-08-25 05:42 --------- d-----w C:\Program Files\Disney Interactive
2007-07-23 06:58 2,220 ----a-w C:\Documents and Settings\jacinta\Application Data\wklnhst.dat
2006-10-29 00:41 137,904 ----a-w C:\Documents and Settings\trent\Application Data\GDIPFONTCACHEV1.DAT
2006-06-25 02:58 0 ----a-w C:\Documents and Settings\logan and hunter\Application Data\wklnhst.dat
2006-05-29 10:34 5,037,072 ----a-w C:\Documents and Settings\jacinta\spybotsd14.exe
2006-05-27 06:49 2,855,080 ----a-w C:\Documents and Settings\jacinta\aawsepersonal.exe
2006-05-22 22:08 532,616 ----a-w C:\Documents and Settings\jacinta\ImageResizerPowertoySetup.exe
2004-03-11 01:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 127,118 2005-05-11 00:48:02 C:\APPS\Powercinema\bak\PCMService.exe
----a-w 28,172 2007-10-06 02:31:07 C:\APPS\Powercinema\PCMService.exe

----a-w 40,048 2007-05-10 1532 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

----a-w 180,269 2006-02-17 16:36:52 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 16,384 2003-08-18 23:47:00 C:\Program Files\Dynalink\Adsl\bak\dslagent.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Dynalink\Adsl\dslagent.exe

----a-w 299,008 2002-07-16 16:18:00 C:\Program Files\Dynalink\Adsl\bak\dslstat.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Dynalink\Adsl\dslstat.exe

----a-w 421,888 2007-09-14 04:16:13 C:\Program Files\Grisoft\AVG7\bak\avgcc.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Grisoft\AVG7\avgcc.exe

----a-w 75,520 2007-05-01 16:15:50 C:\Program Files\Java\jre1.5.0_12\bin\bak\jusched.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe

----a-w 77,824 2006-05-11 23:36:43 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\QuickTime\qttask.exe

----a-w 45,056 2005-04-25 21:08:26 C:\Program Files\Realtek\InstallShield\bak\AzMixerSel.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

----a-w 49,152 2003-05-07 23:00:58 C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

----a-w 688,218 2005-03-10 05:43:30 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

----a-w 98,394 2005-03-10 05:44:34 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

----a-w 24,104 2007-03-14 05:03:04 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Zune\ZuneLauncher.exe

----a-w 208,952 2004-08-04 07:00:00 C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.EXE
----a-w 208,952 2004-08-04 01:00:00 C:\WINDOWS\ime\IMJP8_1\imjpmig.exe

----a-w 15,360 2004-08-04 07:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 01:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-07-18 2212 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 114,688 2005-07-18 22:10:06 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 94,208 2005-07-18 22:09:26 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 155,648 2001-07-08 23:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe
----a-w 28,172 2007-10-06 02:31:07 C:\WINDOWS\system32\NeroCheck.exe

----a-w 221,184 2005-08-23 02:51:58 C:\WINDOWS\system32\drivers\bak\Icon.exe
----a-w 28,172 2007-10-06 02:31:07 C:\WINDOWS\system32\drivers\Icon.exe

----a-w 28,672 2003-12-17 03:50:44 C:\WINDOWS\system32\drivers\bak\STDSB.exe
----a-w 28,172 2007-10-06 02:31:07 C:\WINDOWS\system32\drivers\STDSB.exe

----a-w 455,168 2004-08-04 07:00:00 C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE
----a-w 455,168 2004-08-04 01:00:00 C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 14:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-10-06 15:31]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 17:28 C:\WINDOWS\RTHDCPL.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-06 15:31]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 22:06]
"WinAVX"="C:\WINDOWS\system32\WinAvXX.exe" [2007-10-17 00:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 05:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"Spyware Begone"="C:\spywarebegone\SpywareBeGone.exe" [2006-03-22 13:06]
"WinAVX"="C:\WINDOWS\system32\WinAvXX.exe" [2007-10-17 00:01]

C:\Documents and Settings\jacinta\Start Menu\Programs\Startup\
system.exe [2007-10-17 00:01:25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\system32\printer.exe"

R2 MTC0007_STDSB;Scroll Bar Driver;C:\WINDOWS\system32\drivers\STDSB.sys
S2 STDSB;STDSB;C:\WINDOWS\system32\DRIVERS\STDSB.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
S3 wanusb;GlobespanVirata USB ADSL WAN Modem;C:\WINDOWS\system32\DRIVERS\gwausb.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-21 04:59:00 C:\WINDOWS\Tasks\Ad-Aware SE Personal.job"
"2007-10-18 02:17:44 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- C:\Program Files\AntiSpywareApp\AntiSpyware.exe
"2007-10-19 05:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2007-10-09 14:30:00 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.exe
"2007-10-21 04:58:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy.job"
- C:\PROGRA~1\SPYBOT~1\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 17:19:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\printer.exe 7680 bytes executable
C:\WINDOWS\system32\WinAvXX.exe 7680 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2007-10-23 17:24:27 - machine was rebooted
.
--- E O F ---
Thanks again
Old 10-23-2007, 03:17 PM   #6 (permalink)
Analyst, Security Team
Join Date: Aug 2007
Posts: 172
OS: XP/Vista


Re: help me please..systems admin been takenover

Hi

Unfortunately, your computer has several infections and it may take a few posts to sort things out.

Here are the first steps.

1 - ComboFix Script Fixes
Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the quote box by highlighting all the text and pressing Ctrl+C

Quote:
File::
C:\WINDOWS\xlavba3.exe
C:\WINDOWS\bnetunin.exe
C:\WINDOWS\diabswun.exe
C:\WINDOWS\system32\adssite-remove.exe
C:\WINDOWS\system32\gzmrotate.dll
C:\WINDOWS\system32\rightonadz-uninst.exe
C:\WINDOWS\system32\drivers\Icon.exe
C:\Documents and Settings\jacinta\Start Menu\Programs\Startup\system.exe
C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job

Folder::
C:\Documents and Settings\jacinta\Application Data\AntiSpyware
C:\Program Files\myplaycity_WhenUSave_Installer
C:\Program Files\AntiSpywareApp

DirLook::
C:\BTT0AAW1
C:\Program Files\Video Add-on
C:\Program Files\BMTA
C:\TMNT

Rootkit::
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\WinAvXX.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinAVX"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinAVX"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
"DisableTaskMgr"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=-
"NoWindowsUpdate"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe"

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created CFScript.txt and drop it on the main ComboFix.exe icon
Please wait for ComboFix to finish running

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash.

2 - Upload Files To Jotti
I'd like to be certain about the content of some files.
Please visit this link http://virusscan.jotti.org/
Click the Browse... button
Navigate to the following file on your PC:
  • C:\WINDOWS\iun6002.exe
Note: If you are unable to find the file while browsing, copy/paste or type the full location of the file into the upload box
Click Open
Please reply back with the results from Jotti.

Please repeat the above for the following file:
  • C:\WINDOWS\system32\SpoonUninstall.exe
Please reply back with the full results for both files.

3 - Check on status
After you have completed the above, please reboot and provide:
  1. the ComboFix report
  2. a new HijackThis log
  3. and the full Jotti results for both files
Thanks
Vino
__________________


Vino Rosso

The help we provide at Tech Support Forums is free. Any donation to help keep us online would be appreciated.
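The "contact your system administrator" symptom in this thread comes from the policies\system and policies\explorer values and the hijacked Winlogon Shell value shown in the ComboFix "Reg Loading Points" listing; the script below parses that listing format, flags those entries and emits the same Registry:: lines a CFScript uses to revert them. This is an added example for this thread, not ComboFix or HijackThis code; the sample input is constructed from the posted log, and the list of lockdown policy names is an assumption of this example.

```python
"""Flag lockdown entries in a ComboFix 'Reg Loading Points' listing.

Added example for this thread (not ComboFix/HijackThis code).  The listing
format is "[KEY]" lines followed by "name"=data lines.  In CFScript syntax
"name"=- deletes a value, which is what the helper's script above does.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, abridged from the ComboFix output posted in this thread.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 22:06]
"WinAVX"="C:\WINDOWS\system32\WinAvXX.exe" [2007-10-17 00:01]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\system32\printer.exe"
'''

# Assumed set of policy values that, when non-zero, lock the user out of
# regedit, Task Manager, Control Panel and Windows Update.
LOCKDOWN_POLICIES = {"DisableRegistryTools", "DisableTaskMgr",
                     "NoControlPanel", "NoWindowsUpdate"}

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_section(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key: {value_name: raw_data}} for a ComboFix registry listing."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def find_lockdown_values(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(key, value_name) pairs for lockdown policies set to a non-zero DWORD."""
    found = []
    for key, values in keys.items():
        if not key.lower().endswith(("\\policies\\system", "\\policies\\explorer")):
            continue
        for name, data in values.items():
            parts = data.split()          # "1 (0x1)" -> ["1", "(0x1)"]
            if name in LOCKDOWN_POLICIES and parts and parts[0] != "0":
                found.append((key, name))
    return found


def find_shell_hijack(keys: Dict[str, Dict[str, str]]) -> Optional[Tuple[str, str]]:
    """(key, shell_data) if the Winlogon Shell runs anything but Explorer.exe."""
    for key, values in keys.items():
        if key.lower().endswith("\\winlogon") and "Shell" in values:
            data = values["Shell"].strip('"')
            if data.lower() != "explorer.exe":
                return key, data
    return None


def build_cfscript_registry_block(keys: Dict[str, Dict[str, str]]) -> str:
    """Emit a Registry:: block that deletes the lockdown values and resets Shell."""
    lines = ["Registry::"]
    last_key = None
    for key, name in find_lockdown_values(keys):
        if key != last_key:
            lines.append(f"[{key}]")
            last_key = key
        lines.append(f'"{name}"=-')      # "=-" deletes the value
    hijack = find_shell_hijack(keys)
    if hijack:
        lines.append(f"[{hijack[0]}]")
        lines.append('"Shell"="Explorer.exe"')
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_cfscript_registry_block(parse_reg_section(SAMPLE)))
```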
Old 10-24-2007, 12:31 AM   #7 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 61
OS: win xp


Re: help me please..systems admin been takenover

Hi, have done step one but cannot open the Jotti virus page even if I go through their home page? Will paste results from step one, don't know if they are of any help? Thanks again

ComboFix 07-10-23.2 - jacinta 2007-10-24 20:12:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.160 [GMT 13:00]
Running from: C:\Documents and Settings\jacinta\My Documents\My Music\ComboFix.exe
Command switches used :: C:\Documents and Settings\jacinta\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Documents and Settings\jacinta\Start Menu\Programs\Startup\system.exe
C:\WINDOWS\bnetunin.exe
C:\WINDOWS\diabswun.exe
C:\WINDOWS\system32\adssite-remove.exe
C:\WINDOWS\system32\drivers\Icon.exe
C:\WINDOWS\system32\gzmrotate.dll
C:\WINDOWS\system32\rightonadz-uninst.exe
C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job
C:\WINDOWS\xlavba3.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\jacinta\Application Data\AntiSpyware
C:\Documents and Settings\jacinta\Application Data\AntiSpyware\Log\2007 Oct 18 - 03_17_41 PM_250.log
C:\Documents and Settings\jacinta\Application Data\AntiSpyware\Log\2007 Oct 18 - 03_17_43 PM_875.log
C:\Documents and Settings\jacinta\Application Data\AntiSpyware\rs.dat
C:\Documents and Settings\jacinta\Application Data\AntiSpyware\Settings\CustomScan.stg
C:\Documents and Settings\jacinta\Application Data\AntiSpyware\Settings\IgnoreList.stg
C:\Documents and Settings\jacinta\Application Data\AntiSpyware\Settings\ScanInfo.stg
C:\Documents and Settings\jacinta\Application Data\AntiSpyware\Settings\ScanResults.stg
C:\Documents and Settings\jacinta\Application Data\AntiSpyware\Settings\SelectedFolders.stg
C:\Documents and Settings\jacinta\Application Data\AntiSpyware\Settings\Settings.stg
C:\Documents and Settings\jacinta\Start Menu\Programs\Startup\system.exe
C:\Program Files\myplaycity_WhenUSave_Installer
C:\WINDOWS\bnetunin.exe
C:\WINDOWS\diabswun.exe
C:\WINDOWS\system32\adssite-remove.exe
C:\WINDOWS\system32\drivers\Icon.exe
C:\WINDOWS\system32\gzmrotate.dll
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\rightonadz-uninst.exe
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job
C:\WINDOWS\xlavba3.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-24 to 2007-10-24 )))))))))))))))))))))))))))))))
.

2007-10-23 17:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 09:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-21 17:33 20,992 --a------ C:\WINDOWS\dravic.exe
2007-10-20 22:30 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-20 22:30 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-10-20 22:30 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-10-20 22:30 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-20 22:30 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-20 22:30 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-20 22:30 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-20 22:30 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-19 15:21 <DIR> d-------- C:\BTT0AAW1
2007-10-18 15:27 <DIR> d-------- C:\spywarebegone
2007-10-18 15:27 724,992 --a------ C:\WINDOWS\iun6002.exe
2007-10-17 00:01 <DIR> d-------- C:\Program Files\Video Add-on
2007-10-16 21:23 4,096 --a------ C:\WINDOWS\d3dx.dat
2007-10-15 13:15 <DIR> d-------- C:\BUTTERFLYEFFECT2_RETAIL
2007-10-14 23:06 <DIR> d-------- C:\Diablo
2007-10-14 13:25 <DIR> d-------- C:\Program Files\Fada-soft
2007-10-13 11:49 <DIR> d-------- C:\Program Files\MyPlayCity.com
2007-10-12 23:50 <DIR> d-------- C:\Program Files\Out Of The World
2007-10-12 06:20 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-09 22:35 <DIR> d-------- C:\Program Files\Yahoo!
2007-10-06 15:26 <DIR> d-------- C:\WINDOWS\system32\drivers\bak
2007-10-06 15:26 <DIR> d-------- C:\WINDOWS\system32\bak
2007-09-28 16:34 <DIR> d-------- C:\Program Files\BMTA
2007-09-28 16:34 164,352 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-09-28 16:34 6,318 --a------ C:\WINDOWS\system32\SpoonUninstall-STABILO BOSSMANIA.dat
2007-09-28 16:34 516 --a------ C:\WINDOWS\system32\SpoonUninstall-BOSS MINI TATTOO ATTACK.dat
2007-09-28 16:33 <DIR> d-------- C:\Program Files\BOSSMANIA
2007-09-25 22:07 <DIR> d-------- C:\TMNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 04:16 --------- d-----w C:\Documents and Settings\jacinta\Application Data\Free Download Manager
2007-10-18 21:46 --------- d-----w C:\Program Files\LimeWire
2007-10-06 19:00 --------- d-----w C:\Documents and Settings\jacinta\Application Data\AVG7
2007-10-06 02:33 --------- d-----w C:\Program Files\Zune
2007-10-06 02:33 --------- d-----w C:\Program Files\QuickTime
2007-10-06 02:31 28,172 ----a-w C:\WINDOWS\system32\drivers\STDSB.exe
2007-10-05 21:51 --------- d-----w C:\Documents and Settings\logan and hunter\Application Data\AVG7
2007-10-05 19:00 --------- d-----w C:\Documents and Settings\trent\Application Data\AVG7
2007-09-30 21:52 0 ----a-w C:\WINDOWS\system32\drivers\eicon.txt
2007-09-28 06:53 189,824 ----a-w C:\Documents and Settings\jacinta\Application Data\GDIPFONTCACHEV1.DAT
2007-09-27 02:25 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-22 09:57 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-09-18 20:44 --------- d-----w C:\Program Files\Sony
2007-09-18 20:35 --------- d-----w C:\Program Files\RegClean
2007-09-18 04:02 --------- d-----w C:\Documents and Settings\jacinta\Application Data\RegClean
2007-09-18 03:47 --------- d-----w C:\Documents and Settings\jacinta\Application Data\Uniblue
2007-09-16 06:32 --------- d-----w C:\Program Files\Drug Lord 2
2007-09-15 06:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-15 04:33 --------- d-----w C:\Program Files\Java
2007-09-15 04:32 --------- d-----w C:\Program Files\Common Files\Java
2007-09-14 04:43 --------- d-----w C:\Program Files\Dynalink
2007-09-13 23:24 --------- d-----w C:\Documents and Settings\jacinta\Application Data\Sony Corporation
2007-08-25 05:42 --------- d-----w C:\Program Files\Disney Interactive
2007-07-23 06:58 2,220 ----a-w C:\Documents and Settings\jacinta\Application Data\wklnhst.dat
2006-10-29 00:41 137,904 ----a-w C:\Documents and Settings\trent\Application Data\GDIPFONTCACHEV1.DAT
2006-06-25 02:58 0 ----a-w C:\Documents and Settings\logan and hunter\Application Data\wklnhst.dat
2006-05-29 10:34 5,037,072 ----a-w C:\Documents and Settings\jacinta\spybotsd14.exe
2006-05-27 06:49 2,855,080 ----a-w C:\Documents and Settings\jacinta\aawsepersonal.exe
2006-05-22 22:08 532,616 ----a-w C:\Documents and Settings\jacinta\ImageResizerPowertoySetup.exe
2004-03-11 01:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\BTT0AAW1 ----

2007-10-19 17:00 6144 --a------ C:\BTT0AAW1\VIDEO_TS\VIDEO_TS.IFO
2007-10-19 17:00 6144 --a------ C:\BTT0AAW1\VIDEO_TS\VIDEO_TS.BUP
2007-10-19 17:00 55296 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_02_0.IFO
2007-10-19 17:00 55296 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_02_0.BUP
2007-10-19 17:00 162422784 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_02_3.VOB
2007-10-19 16:58 1073739776 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_02_2.VOB
2007-10-19 16:37 1073739776 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_02_1.VOB
2007-10-19 16:16 55296 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_01_0.IFO
2007-10-19 16:16 55296 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_01_0.BUP
2007-10-19 16:16 223227904 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_01_3.VOB
2007-10-19 16:13 1073739776 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_01_2.VOB
2007-10-19 15:53 1073739776 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_01_1.VOB

---- Directory of C:\Program Files\BMTA ----

2007-09-28 16:34 4912209 --a------ C:\Program Files\BMTA\BMTA.exe

---- Directory of C:\Program Files\Video Add-on ----

2007-10-18 12:25 6656 --a------ C:\Program Files\Video Add-on\icmntr.exe
2007-10-17 00:01 4286 --a------ C:\Program Files\Video Add-on\ts.ico
2007-10-17 00:01 4286 --a------ C:\Program Files\Video Add-on\ot.ico
2007-10-17 00:01 37292 --a------ C:\Program Files\Video Add-on\uninst.exe
2007-10-17 00:01 26624 --a------ C:\Program Files\Video Add-on\icthis.exe
2007-10-17 00:01 24576 --a------ C:\Program Files\Video Add-on\icun.exe
2007-10-17 00:01 13824 --a------ C:\Program Files\Video Add-on\isfun.exe
2007-10-17 00:01 12800 --a------ C:\Program Files\Video Add-on\ictun.exe

---- Directory of C:\TMNT ----

2007-10-09 15:43 6144 --a------ C:\TMNT\VIDEO_TS\VIDEO_TS.IFO
2007-10-09 15:43 6144 --a------ C:\TMNT\VIDEO_TS\VIDEO_TS.BUP
2007-10-09 15:43 55296 --a------ C:\TMNT\VIDEO_TS\VTS_01_0.IFO
2007-10-09 15:43 55296 --a------ C:\TMNT\VIDEO_TS\VTS_01_0.BUP
2007-10-09 15:43 385761280 --a------ C:\TMNT\VIDEO_TS\VTS_01_5.VOB
2007-10-09 15:41 1073739776 --a------ C:\TMNT\VIDEO_TS\VTS_01_4.VOB
2007-10-09 15:28 1073739776 --a------ C:\TMNT\VIDEO_TS\VTS_01_3.VOB
2007-10-09 15:14 1073739776 --a------ C:\TMNT\VIDEO_TS\VTS_01_2.VOB
2007-10-09 15:02 1073739776 --a------ C:\TMNT\VIDEO_TS\VTS_01_1.VOB


((((((((((((((((((((((((((((( snapshot@2007-10-23_17.21.14.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-23 23:54:08 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_47c.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 127,118 2005-05-11 00:48:02 C:\APPS\Powercinema\bak\PCMService.exe
----a-w 28,172 2007-10-06 02:31:07 C:\APPS\Powercinema\PCMService.exe

----a-w 40,048 2007-05-10 1532 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

----a-w 180,269 2006-02-17 16:36:52 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 16,384 2003-08-18 23:47:00 C:\Program Files\Dynalink\Adsl\bak\dslagent.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Dynalink\Adsl\dslagent.exe

----a-w 299,008 2002-07-16 16:18:00 C:\Program Files\Dynalink\Adsl\bak\dslstat.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Dynalink\Adsl\dslstat.exe

----a-w 421,888 2007-09-14 04:16:13 C:\Program Files\Grisoft\AVG7\bak\avgcc.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Grisoft\AVG7\avgcc.exe

----a-w 75,520 2007-05-01 16:15:50 C:\Program Files\Java\jre1.5.0_12\bin\bak\jusched.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe

----a-w 77,824 2006-05-11 23:36:43 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\QuickTime\qttask.exe

----a-w 45,056 2005-04-25 21:08:26 C:\Program Files\Realtek\InstallShield\bak\AzMixerSel.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

----a-w 49,152 2003-05-07 23:00:58 C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

----a-w 688,218 2005-03-10 05:43:30 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

----a-w 98,394 2005-03-10 05:44:34 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

----a-w 24,104 2007-03-14 05:03:04 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Zune\ZuneLauncher.exe

----a-w 208,952 2004-08-04 07:00:00 C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.EXE
----a-w 208,952 2004-08-04 01:00:00 C:\WINDOWS\ime\IMJP8_1\imjpmig.exe

----a-w 15,360 2004-08-04 07:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 01:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-07-18 2212 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 114,688 2005-07-18 22:10:06 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 94,208 2005-07-18 22:09:26 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 155,648 2001-07-08 23:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe
----a-w 28,172 2007-10-06 02:31:07 C:\WINDOWS\system32\NeroCheck.exe

----a-w 221,184 2005-08-23 02:51:58 C:\WINDOWS\system32\drivers\bak\Icon.exe

----a-w 28,672 2003-12-17 03:50:44 C:\WINDOWS\system32\drivers\bak\STDSB.exe
----a-w 28,172 2007-10-06 02:31:07 C:\WINDOWS\system32\drivers\STDSB.exe

----a-w 455,168 2004-08-04 07:00:00 C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE
----a-w 455,168 2004-08-04 01:00:00 C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 14:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-10-06 15:31]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 17:28 C:\WINDOWS\RTHDCPL.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-06 15:31]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 22:06]
"WinAVX"="C:\WINDOWS\system32\WinAvXX.exe" [2007-10-17 00:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 05:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"Spyware Begone"="C:\spywarebegone\SpywareBeGone.exe" [2006-03-22 13:06]
"WinAVX"="C:\WINDOWS\system32\WinAvXX.exe" [2007-10-17 00:01]

C:\Documents and Settings\jacinta\Start Menu\Programs\Startup\
system.exe [2007-10-17 00:01:25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\system32\printer.exe"

R2 MTC0007_STDSB;Scroll Bar Driver;C:\WINDOWS\system32\drivers\STDSB.sys
R3 wanusb;GlobespanVirata USB ADSL WAN Modem;C:\WINDOWS\system32\DRIVERS\gwausb.sys
S2 STDSB;STDSB;C:\WINDOWS\system32\DRIVERS\STDSB.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\drivers\BVRPMPR5.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-10-23 04:59:00 C:\WINDOWS\Tasks\Ad-Aware SE Personal.job"
"2007-10-19 05:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2007-10-09 14:30:00 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.exe
"2007-10-23 04:58:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy.job"
- C:\PROGRA~1\SPYBOT~1\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-24 20:19:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\printer.exe 7680 bytes executable
C:\WINDOWS\system32\WinAvXX.exe 7680 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2007-10-24 20:23:21 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-23 17:24
.
--- E O F ---
thanx
zerbet is offline  
Old 10-24-2007, 12:33 AM   #8 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 61
OS: win xp


Re: help me please..systems admin been takenover

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:39 PM, on 10/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\spywarebegone\SpywareBeGone.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Spyware Begone] "C:\spywarebegone\SpywareBeGone.exe" -FastScan
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.doginhispen.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1190280802687
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{959C980D-6A13-4BBC-8B6E-7727A008DDE7}: NameServer = 203.109.129.67 203.109.129.68
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7159 bytes
the results of the HijackThis scan - if it helps

cheers
zerbet is offline  
Old 10-24-2007, 03:16 AM   #9 (permalink)
Analyst, Security Team
 
Vino Rosso's Avatar
 
Join Date: Aug 2007
Posts: 172
OS: XP/Vista


Re: help me please..systems admin been takenover

1 - Download SmitfraudFix
Please print out these instructions as we will need to close every window that is open later in the fix.

Important: If you have an old version, please delete this and download a fresh copy of SmitfraudFix.exe by S!Ri from >here< and save it to your Desktop.
The fix is frequently updated, often daily, and it is advisable to ensure that you have the latest version.

2 - Boot Into Safe Mode
Physically disconnect your computer from your modem/router and boot your PC into Safe Mode by restarting your computer - keep tapping F8 until the menu appears.
Use your up and down arrow keys to select Safe Mode.
We will continue your fix in Safe Mode.

3 - Run SmitfraudFix
Double-click on SmitfraudFix.exe
Press "2" and then <ENTER> to start the cleaning process.
  • Wait for the tool to complete and disk cleanup to finish.
  • You will be prompted "Registry cleaning - Do you want to clean the registry ?" Press "Y" and then <ENTER>.
  • The tool will also check if wininet.dll is infected. You may be prompted to "Replace infected file ?" - press "Y" and then <ENTER>.
When this last routine has finished, you will be presented with a red screen stating Computer will reboot now. Close all applications.
You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot. If this does not happen automatically, you will need to do so manually.

4 - Check on status
After you have completed the above, please provide:
  1. the file contents of C:\rapport.txt created by SmitfraudFix
  2. a new HijackThis log
Thanks
Vino
__________________


Vino Rosso

The help we provide at Tech Support Forums is free. Any donation to help keep us online would be appreciated.
Vino Rosso is offline  
Old 10-24-2007, 11:36 PM   #10 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 61
OS: win xp


Re: help me please..systems admin been takenover

hi, tried that, got to clean registry, typed y and i get a pop-up saying "registry editing has been disabled by your administrator" and it won't let me go on any further.
thanx again for all your help
zerbet is offline  
Old 10-25-2007, 12:12 AM   #11 (permalink)
Analyst, Security Team
 
Vino Rosso's Avatar
 
Join Date: Aug 2007
Posts: 172
OS: XP/Vista


Re: help me please..systems admin been takenover

OK, your computer has a number of infections and they are trying to protect themselves.

Did SmitfraudFix produce a log? Have a look with Windows Explorer for C:\rapport.txt
Please post the log, if it's there.

Then...

1 - ComboFix Script Fixes
Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the quote box by highlighting all the text and pressing Ctrl+C

Quote:
File::
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\jacinta\Start Menu\Programs\Startup\system.exe

Rootkit::
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\system32\printer.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinAVX"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinAVX"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
"DisableTaskMgr"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=-
"NoWindowsUpdate"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe"
Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created CFScript.txt and drop it on the main ComboFix.exe icon
Please wait for ComboFix to finish running

Please Note: Do not mouse click in the ComboFix window while it is running - this may cause your system to hang/crash.

2 - Check on status
After you have completed the above, please provide:
  1. the ComboFix.txt report
  2. a new HijackThis log
Thanks
Vino
Vino Rosso is offline  
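The CFScript in the post above does two separate things: the `"Name"=-` lines delete the policy values (DisableRegistryTools, DisableTaskMgr, NoControlPanel, NoWindowsUpdate) that the infection set to lock the user out of her own tools, and the Winlogon `"Shell"="Explorer.exe"` line removes the `printer.exe` that had been appended to the shell so it ran at every logon. The Python below is an added example, not ComboFix's own code nor anything posted in this thread: it parses a ComboFix-style "Reg Loading Points" excerpt (a constructed sample in the shape of the log earlier in the thread), flags exactly those two conditions, and emits the matching Registry:: section. All function names are mine.

```python
"""Pick out the lockout policies and the Winlogon Shell hijack from a
ComboFix-style 'Reg Loading Points' excerpt, then emit the CFScript
Registry:: section that undoes them.  Added example; not ComboFix's or the
forum's own code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the shape of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 22:06]
"WinAVX"="C:\WINDOWS\system32\WinAvXX.exe" [2007-10-17 00:01]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\system32\printer.exe"
"""

# Policy values that, when non-zero, lock the user out of the tools needed to clean up.
LOCKOUT_POLICIES = {"DisableRegistryTools", "DisableTaskMgr",
                    "NoControlPanel", "NoWindowsUpdate"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')

Entries = Dict[str, Dict[str, str]]


def parse_loading_points(text: str) -> Entries:
    """Map each [key] to its "name"=value pairs; other lines are ignored."""
    entries: Entries = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, {})
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            entries[current][val.group(1)] = val.group(2).strip()
    return entries


def dword(raw: str) -> Optional[int]:
    """ComboFix prints DWORDs as '1 (0x1)'; return the decimal part, or None for strings."""
    head = raw.split(" ", 1)[0]
    return int(head) if head.isdigit() else None


def string_value(raw: str) -> str:
    """Strip the surrounding quotes and any trailing '[date]' annotation."""
    raw = re.sub(r"\s*\[[^\]]*\]$", "", raw)
    return raw.strip('"')


def find_lockouts(entries: Entries) -> List[Tuple[str, str]]:
    """(key, value-name) for every lockout policy set to a non-zero DWORD."""
    hits = []
    for key, values in entries.items():
        if "\\policies\\" not in key.lower():
            continue
        for name, raw in values.items():
            if name in LOCKOUT_POLICIES and dword(raw) not in (None, 0):
                hits.append((key, name))
    return hits


def find_shell_hijack(entries: Entries) -> Optional[Tuple[str, str]]:
    """Winlogon Shell must be exactly 'Explorer.exe'; anything appended is
    started at every logon, which is how printer.exe persisted in this thread."""
    for key, values in entries.items():
        if key.lower().endswith("\\winlogon") and "Shell" in values:
            shell = string_value(values["Shell"])
            if shell.lower() != "explorer.exe":
                return key, shell
    return None


def build_cfscript(entries: Entries) -> str:
    """Registry:: section: '=-' deletes a value, and Shell is reset to Explorer.exe."""
    by_key: Dict[str, List[str]] = {}
    for key, name in find_lockouts(entries):
        by_key.setdefault(key, []).append(f'"{name}"=-')
    hijack = find_shell_hijack(entries)
    if hijack:
        by_key.setdefault(hijack[0], []).append('"Shell"="Explorer.exe"')
    lines = ["Registry::"]
    for key, vals in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(vals)
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_cfscript(parse_loading_points(SAMPLE_LOG)))
```

Run against the constructed sample this prints a Registry:: block with the same nine lines as the one Vino posted (minus the two WinAVX Run deletions, which the script above leaves to the File::/Rootkit:: sections). The Shell check is deliberately strict: a legitimate XP Home install has nothing but `Explorer.exe` there, so any extra token is worth a look even when it is not a known name.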
Old 10-28-2007, 01:11 AM   #12 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 61
OS: win xp


Re: help me please..systems admin been takenover

SmitFraudFix v2.241

Scan done at 19:07:48.42, Thu 10/25/2007
Run from C:\Documents and Settings\jacinta\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


192.168.200.3 ad.doubleclick.net
192.168.200.3 ad.fastclick.net
192.168.200.3 ads.fastclick.net
192.168.200.3 ar.atwola.com
192.168.200.3 atdmt.com
192.168.200.3 avp.ch
192.168.200.3 avp.com
192.168.200.3 avp.ru
192.168.200.3 awaps.net
192.168.200.3 banner.fastclick.net
192.168.200.3 banners.fastclick.net
192.168.200.3 ca.com
192.168.200.3 click.atdmt.com
192.168.200.3 clicks.atdmt.com
192.168.200.3 customer.symantec.com
192.168.200.3 dispatch.mcafee.com
192.168.200.3 download.mcafee.com
192.168.200.3 downloads-us1.kaspersky-labs.com
192.168.200.3 downloads-us2.kaspersky-labs.com
192.168.200.3 downloads-us3.kaspersky-labs.com
192.168.200.3 downloads1.kaspersky-labs.com
192.168.200.3 downloads2.kaspersky-labs.com
192.168.200.3 downloads3.kaspersky-labs.com
192.168.200.3 downloads4.kaspersky-labs.com
192.168.200.3 engine.awaps.net
192.168.200.3 f-secure.com
192.168.200.3 fastclick.net
192.168.200.3 ftp.avp.ch
192.168.200.3 ftp.downloads1.kaspersky-labs.com
192.168.200.3 ftp.downloads2.kaspersky-labs.com
192.168.200.3 ftp.downloads3.kaspersky-labs.com
192.168.200.3 ftp.f-secure.com
192.168.200.3 ftp.kasperskylab.ru
192.168.200.3 ftp.sophos.com
192.168.200.3 ids.kaspersky-labs.com
192.168.200.3 kaspersky-labs.com
192.168.200.3 kaspersky.com
192.168.200.3 liveupdate.symantec.com
192.168.200.3 liveupdate.symantecliveupdate.com
192.168.200.3 mast.mcafee.com
192.168.200.3 mcafee.com
192.168.200.3 media.fastclick.net
192.168.200.3 my-etrust.com
192.168.200.3 nai.com
192.168.200.3 networkassociates.com
192.168.200.3 norton.com
192.168.200.3 phx.corporate-ir.net
192.168.200.3 rads.mcafee.com
192.168.200.3 secure.nai.com
192.168.200.3 securityresponse.symantec.com
192.168.200.3 service1.symantec.com
192.168.200.3 sophos.com
192.168.200.3 spd.atdmt.com
192.168.200.3 symantec.com
192.168.200.3 trendmicro.com
192.168.200.3 update.symantec.com
192.168.200.3 updates.symantec.com
192.168.200.3 updates1.kaspersky-labs.com
192.168.200.3 updates2.kaspersky-labs.com
192.168.200.3 updates3.kaspersky-labs.com
192.168.200.3 updates4.kaspersky-labs.com
192.168.200.3 updates5.kaspersky-labs.com
192.168.200.3 us.mcafee.com
192.168.200.3 vil.nai.com
192.168.200.3 viruslist.com
192.168.200.3 viruslist.ru
192.168.200.3 virusscan.jotti.org
192.168.200.3 virustotal.com
192.168.200.3 www.avp.ch
192.168.200.3 www.avp.com
192.168.200.3 www.avp.ru
192.168.200.3 www.awaps.net
192.168.200.3 www.ca.com
192.168.200.3 www.f-secure.com
192.168.200.3 www.fastclick.net
192.168.200.3 www.grisoft.com
192.168.200.3 www.kaspersky-labs.com
192.168.200.3 www.kaspersky.com
192.168.200.3 www.kaspersky.ru
192.168.200.3 www.mcafee.com
192.168.200.3 www.my-etrust.com
192.168.200.3 www.nai.com
192.168.200.3 www.networkassociates.com
192.168.200.3 www.sophos.com
192.168.200.3 www.symantec.com
192.168.200.3 www.symantec.com
192.168.200.3 www.trendmicro.com
192.168.200.3 www.viruslist.com
192.168.200.3 www.viruslist.ru
192.168.200.3 www.virustotal.com
192.168.200.3 www3.ca.com

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\printer.exe Deleted
C:\WINDOWS\system32\WinAvXX.exe Deleted
C:\DOCUME~1\jacinta\STARTM~1\Programs\Startup\system.exe Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{959C980D-6A13-4BBC-8B6E-7727A008DDE7}: NameServer=203.109.129.67 203.109.129.68
HKLM\SYSTEM\CS1\Services\Tcpip\..\{959C980D-6A13-4BBC-8B6E-7727A008DDE7}: NameServer=203.109.129.67 203.109.129.68


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
zerbet is offline  
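The "hosts" section of the SmitfraudFix log above is the part worth understanding: every entry maps an antivirus vendor, an update server or an online scanner (avp.com, download.mcafee.com, liveupdate.symantec.com, www.grisoft.com, virustotal.com and so on) to 192.168.200.3, a private address rather than the usual 127.0.0.1 sinkhole, so those names resolve to a host the attacker chose instead of simply failing. The Python below is an added example, not SmitfraudFix's own code nor anything posted in this thread: it parses a hosts file, reports vendor names grouped by the address they were pointed at, distinguishes loopback/unspecified sinkholes from live addresses, and writes a cleaned copy. The sample hosts text is constructed from the entries listed above, with a normal localhost line and an unrelated ad-blocking line added for contrast; the vendor domain list and all function names are mine.

```python
"""Flag hosts-file lines that point security-vendor and AV-update names at
some address (the pattern in the SmitfraudFix 'hosts' section above) and
produce a cleaned copy.  Added example; not SmitfraudFix's or the forum's
own code."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the entries SmitfraudFix listed in this thread,
# plus a harmless default line and an unrelated ad-blocking entry for contrast.
SAMPLE_HOSTS = """\
# Default entry
127.0.0.1 localhost
192.168.200.3 ad.doubleclick.net
192.168.200.3 avp.com
192.168.200.3 download.mcafee.com
192.168.200.3 liveupdate.symantec.com
192.168.200.3 www.grisoft.com
192.168.200.3 virustotal.com
0.0.0.0 tracker.invalid
"""

# Registrable domains of the vendors and update services named in the log above.
VENDOR_DOMAINS = {
    "avp.ch", "avp.com", "avp.ru", "kaspersky.com", "kaspersky.ru",
    "kaspersky-labs.com", "kasperskylab.ru", "viruslist.com", "viruslist.ru",
    "mcafee.com", "nai.com", "networkassociates.com", "symantec.com",
    "symantecliveupdate.com", "norton.com", "sophos.com", "f-secure.com",
    "trendmicro.com", "grisoft.com", "ca.com", "my-etrust.com",
    "virustotal.com", "jotti.org",
}


def registrable(host: str) -> str:
    """Last two labels of a hostname (enough for the .com/.ru/.ch names listed here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """(ip, hostname) pairs; comments, blank lines and malformed lines are skipped."""
    pairs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        pairs.extend((fields[0], name.lower()) for name in fields[1:])
    return pairs


def is_sinkhole(ip: str) -> bool:
    """127.0.0.1 / 0.0.0.0 only break name resolution; any other address sends
    the traffic to a real host, which is the worse case."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def find_vendor_redirects(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """A clean hosts file has no reason to mention AV update servers at all,
    so every vendor hostname is reported regardless of where it points."""
    return [(ip, host) for ip, host in pairs if registrable(host) in VENDOR_DOMAINS]


def summarize(pairs: List[Tuple[str, str]]) -> Dict[str, dict]:
    """Group flagged hosts by target address so a single mass redirect stands out."""
    report: Dict[str, dict] = {}
    for ip, host in find_vendor_redirects(pairs):
        entry = report.setdefault(ip, {"sinkhole": is_sinkhole(ip), "hosts": []})
        entry["hosts"].append(host)
    return report


def clean_hosts(text: str) -> str:
    """Return the file with flagged lines dropped; every other line is kept verbatim."""
    kept = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and any(registrable(n) in VENDOR_DOMAINS for n in fields[1:]):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for ip, info in summarize(parse_hosts(SAMPLE_HOSTS)).items():
        kind = "sinkhole" if info["sinkhole"] else "LIVE ADDRESS"
        print(f"{ip} ({kind}): {len(info['hosts'])} vendor hosts redirected")
    print(clean_hosts(SAMPLE_HOSTS))
```

On the constructed sample the report has a single target, 192.168.200.3, marked as a live address with five vendor hosts behind it, and the cleaned copy keeps the comment, the localhost line and the two non-vendor entries. The ad-blocking line is deliberately left alone: redirecting ad networks is something users do on purpose, whereas vendor update servers in a hosts file are almost always the infection defending itself.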
Old 10-28-2007, 01:30 AM   #13 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 61
OS: win xp


Re: help me please..systems admin been takenover

ComboFix 07-10-23.2 - jacinta 2007-10-28 21:16:33.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.183 [GMT 13:00]
Running from: C:\Documents and Settings\jacinta\My Documents\My Music\ComboFix.exe
Command switches used :: C:\Documents and Settings\jacinta\Desktop\CFScript_used_2007-10-24@20.12.txt
* Created a new restore point

FILE::
C:\Documents and Settings\jacinta\Start Menu\Programs\Startup\system.exe
C:\WINDOWS\bnetunin.exe
C:\WINDOWS\diabswun.exe
C:\WINDOWS\system32\adssite-remove.exe
C:\WINDOWS\system32\drivers\Icon.exe
C:\WINDOWS\system32\gzmrotate.dll
C:\WINDOWS\system32\rightonadz-uninst.exe
C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job
C:\WINDOWS\xlavba3.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\WinAvXX.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-28 )))))))))))))))))))))))))))))))
.

2007-10-25 19:07 2,290 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-25 18:52 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-25 18:52 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-25 18:52 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-25 18:52 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-25 18:52 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-23 17:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 09:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-21 17:33 20,992 --a------ C:\WINDOWS\dravic.exe
2007-10-20 22:30 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-20 22:30 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-10-20 22:30 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-10-20 22:30 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-20 22:30 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-20 22:30 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-20 22:30 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-20 22:30 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-19 15:21 <DIR> d-------- C:\BTT0AAW1
2007-10-18 15:27 <DIR> d-------- C:\spywarebegone
2007-10-18 15:27 724,992 --a------ C:\WINDOWS\iun6002.exe
2007-10-17 00:01 <DIR> d-------- C:\Program Files\Video Add-on
2007-10-16 21:23 4,096 --a------ C:\WINDOWS\d3dx.dat
2007-10-15 13:15 <DIR> d-------- C:\BUTTERFLYEFFECT2_RETAIL
2007-10-14 23:06 <DIR> d-------- C:\Diablo
2007-10-14 13:25 <DIR> d-------- C:\Program Files\Fada-soft
2007-10-13 11:49 <DIR> d-------- C:\Program Files\MyPlayCity.com
2007-10-12 23:50 <DIR> d-------- C:\Program Files\Out Of The World
2007-10-12 06:20 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-09 22:35 <DIR> d-------- C:\Program Files\Yahoo!
2007-10-06 15:26 <DIR> d-------- C:\WINDOWS\system32\drivers\bak
2007-10-06 15:26 <DIR> d-------- C:\WINDOWS\system32\bak
2007-09-28 16:34 <DIR> d-------- C:\Program Files\BMTA
2007-09-28 16:34 164,352 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-09-28 16:34 6,318 --a------ C:\WINDOWS\system32\SpoonUninstall-STABILO BOSSMANIA.dat
2007-09-28 16:34 516 --a------ C:\WINDOWS\system32\SpoonUninstall-BOSS MINI TATTOO ATTACK.dat
2007-09-28 16:33 <DIR> d-------- C:\Program Files\BOSSMANIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-25 06:01 --------- d-----w C:\Documents and Settings\jacinta\Application Data\Free Download Manager
2007-10-25 05:52 --------- d-----w C:\Program Files\Free Download Manager
2007-10-18 21:46 --------- d-----w C:\Program Files\LimeWire
2007-10-06 19:00 --------- d-----w C:\Documents and Settings\jacinta\Application Data\AVG7
2007-10-06 02:33 --------- d-----w C:\Program Files\Zune
2007-10-06 02:33 --------- d-----w C:\Program Files\QuickTime
2007-10-06 02:31 28,172 ----a-w C:\WINDOWS\system32\drivers\STDSB.exe
2007-10-05 21:51 --------- d-----w C:\Documents and Settings\logan and hunter\Application Data\AVG7
2007-10-05 19:00 --------- d-----w C:\Documents and Settings\trent\Application Data\AVG7
2007-09-30 21:52 0 ----a-w C:\WINDOWS\system32\drivers\eicon.txt
2007-09-28 06:53 189,824 ----a-w C:\Documents and Settings\jacinta\Application Data\GDIPFONTCACHEV1.DAT
2007-09-27 02:25 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-22 09:57 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-09-18 20:44 --------- d-----w C:\Program Files\Sony
2007-09-18 20:35 --------- d-----w C:\Program Files\RegClean
2007-09-18 04:02 --------- d-----w C:\Documents and Settings\jacinta\Application Data\RegClean
2007-09-18 03:47 --------- d-----w C:\Documents and Settings\jacinta\Application Data\Uniblue
2007-09-16 06:32 --------- d-----w C:\Program Files\Drug Lord 2
2007-09-15 06:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-15 04:33 --------- d-----w C:\Program Files\Java
2007-09-15 04:32 --------- d-----w C:\Program Files\Common Files\Java
2007-09-14 04:43 --------- d-----w C:\Program Files\Dynalink
2007-09-13 23:24 --------- d-----w C:\Documents and Settings\jacinta\Application Data\Sony Corporation
2007-07-23 06:58 2,220 ----a-w C:\Documents and Settings\jacinta\Application Data\wklnhst.dat
2006-10-29 00:41 137,904 ----a-w C:\Documents and Settings\trent\Application Data\GDIPFONTCACHEV1.DAT
2006-06-25 02:58 0 ----a-w C:\Documents and Settings\logan and hunter\Application Data\wklnhst.dat
2006-05-29 10:34 5,037,072 ----a-w C:\Documents and Settings\jacinta\spybotsd14.exe
2006-05-27 06:49 2,855,080 ----a-w C:\Documents and Settings\jacinta\aawsepersonal.exe
2006-05-22 22:08 532,616 ----a-w C:\Documents and Settings\jacinta\ImageResizerPowertoySetup.exe
2004-03-11 01:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\BTT0AAW1 ----

2007-10-19 17:00 6144 --a------ C:\BTT0AAW1\VIDEO_TS\VIDEO_TS.IFO
2007-10-19 17:00 6144 --a------ C:\BTT0AAW1\VIDEO_TS\VIDEO_TS.BUP
2007-10-19 17:00 55296 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_02_0.IFO
2007-10-19 17:00 55296 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_02_0.BUP
2007-10-19 17:00 162422784 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_02_3.VOB
2007-10-19 16:58 1073739776 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_02_2.VOB
2007-10-19 16:37 1073739776 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_02_1.VOB
2007-10-19 16:16 55296 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_01_0.IFO
2007-10-19 16:16 55296 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_01_0.BUP
2007-10-19 16:16 223227904 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_01_3.VOB
2007-10-19 16:13 1073739776 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_01_2.VOB
2007-10-19 15:53 1073739776 --a------ C:\BTT0AAW1\VIDEO_TS\VTS_01_1.VOB

---- Directory of C:\Program Files\BMTA ----

2007-09-28 16:34 4912209 --a------ C:\Program Files\BMTA\BMTA.exe

---- Directory of C:\Program Files\Video Add-on ----

2007-10-18 12:25 6656 --a------ C:\Program Files\Video Add-on\icmntr.exe
2007-10-17 00:01 4286 --a------ C:\Program Files\Video Add-on\ts.ico
2007-10-17 00:01 4286 --a------ C:\Program Files\Video Add-on\ot.ico
2007-10-17 00:01 37292 --a------ C:\Program Files\Video Add-on\uninst.exe
2007-10-17 00:01 26624 --a------ C:\Program Files\Video Add-on\icthis.exe
2007-10-17 00:01 24576 --a------ C:\Program Files\Video Add-on\icun.exe
2007-10-17 00:01 13824 --a------ C:\Program Files\Video Add-on\isfun.exe
2007-10-17 00:01 12800 --a------ C:\Program Files\Video Add-on\ictun.exe

---- Directory of C:\TMNT ----

2007-10-09 15:43 6144 --a------ C:\TMNT\VIDEO_TS\VIDEO_TS.IFO
2007-10-09 15:43 6144 --a------ C:\TMNT\VIDEO_TS\VIDEO_TS.BUP
2007-10-09 15:43 55296 --a------ C:\TMNT\VIDEO_TS\VTS_01_0.IFO
2007-10-09 15:43 55296 --a------ C:\TMNT\VIDEO_TS\VTS_01_0.BUP
2007-10-09 15:43 385761280 --a------ C:\TMNT\VIDEO_TS\VTS_01_5.VOB
2007-10-09 15:41 1073739776 --a------ C:\TMNT\VIDEO_TS\VTS_01_4.VOB
2007-10-09 15:28 1073739776 --a------ C:\TMNT\VIDEO_TS\VTS_01_3.VOB
2007-10-09 15:14 1073739776 --a------ C:\TMNT\VIDEO_TS\VTS_01_2.VOB
2007-10-09 15:02 1073739776 --a------ C:\TMNT\VIDEO_TS\VTS_01_1.VOB


((((((((((((((((((((((((((((( snapshot@2007-10-23_17.21.14.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-28 08:20:16 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_478.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 127,118 2005-05-11 00:48:02 C:\APPS\Powercinema\bak\PCMService.exe
----a-w 28,172 2007-10-06 02:31:07 C:\APPS\Powercinema\PCMService.exe

----a-w 40,048 2007-05-10 1532 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

----a-w 180,269 2006-02-17 16:36:52 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 16,384 2003-08-18 23:47:00 C:\Program Files\Dynalink\Adsl\bak\dslagent.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Dynalink\Adsl\dslagent.exe

----a-w 299,008 2002-07-16 16:18:00 C:\Program Files\Dynalink\Adsl\bak\dslstat.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Dynalink\Adsl\dslstat.exe

----a-w 421,888 2007-09-14 04:16:13 C:\Program Files\Grisoft\AVG7\bak\avgcc.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Grisoft\AVG7\avgcc.exe

----a-w 75,520 2007-05-01 16:15:50 C:\Program Files\Java\jre1.5.0_12\bin\bak\jusched.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe

----a-w 77,824 2006-05-11 23:36:43 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\QuickTime\qttask.exe

----a-w 45,056 2005-04-25 21:08:26 C:\Program Files\Realtek\InstallShield\bak\AzMixerSel.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

----a-w 49,152 2003-05-07 23:00:58 C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

----a-w 688,218 2005-03-10 05:43:30 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

----a-w 98,394 2005-03-10 05:44:34 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

----a-w 24,104 2007-03-14 05:03:04 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 28,172 2007-10-06 02:31:07 C:\Program Files\Zune\ZuneLauncher.exe

----a-w 208,952 2004-08-04 07:00:00 C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.EXE
----a-w 208,952 2004-08-04 01:00:00 C:\WINDOWS\ime\IMJP8_1\imjpmig.exe

----a-w 15,360 2004-08-04 07:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 01:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-07-18 2212 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 114,688 2005-07-18 22:10:06 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 94,208 2005-07-18 22:09:26 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 155,648 2001-07-08 23:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe
----a-w 28,172 2007-10-06 02:31:07 C:\WINDOWS\system32\NeroCheck.exe

----a-w 221,184 2005-08-23 02:51:58 C:\WINDOWS\system32\drivers\bak\Icon.exe

----a-w 28,672 2003-12-17 03:50:44 C:\WINDOWS\system32\drivers\bak\STDSB.exe
----a-w 28,172 2007-10-06 02:31:07 C:\WINDOWS\system32\drivers\STDSB.exe

----a-w 455,168 2004-08-04 07:00:00 C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE
----a-w 455,168 2004-08-04 01:00:00 C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 14:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-10-06 15:31]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 17:28 C:\WINDOWS\RTHDCPL.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-06 15:31]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 22:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 05:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"Spyware Begone"="C:\spywarebegone\SpywareBeGone.exe" [2006-03-22 13:06]

R2 MTC0007_STDSB;Scroll Bar Driver;C:\WINDOWS\system32\drivers\STDSB.sys
S2 STDSB;STDSB;C:\WINDOWS\system32\DRIVERS\STDSB.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
S3 wanusb;GlobespanVirata USB ADSL WAN Modem;C:\WINDOWS\system32\DRIVERS\gwausb.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 04:59:00 C:\WINDOWS\Tasks\Ad-Aware SE Personal.job"
"2007-10-26 05:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2007-10-09 14:30:00 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.exe
"2007-10-27 04:58:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy.job"
- C:\PROGRA~1\SPYBOT~1\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-28 21:22:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-28 21:26:29 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-24 20:23
C:\ComboFix3.txt ... 2007-10-23 17:24
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:58 PM, on 10/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Spyware Begone] "C:\spywarebegone\SpywareBeGone.exe" -FastScan
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.doginhispen.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1190280802687
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{959C980D-6A13-4BBC-8B6E-7727A008DDE7}: NameServer = 203.109.129.67 203.109.129.68
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7092 bytes
Thanks
Old 10-28-2007, 02:35 AM   #14 (permalink)
Analyst, Security Team
 
 
Join Date: Aug 2007
Posts: 172
OS: XP/Vista


Re: help me please..systems admin been takenover

Hi Zerbet

Well, fingers crossed... it looks like we've got rid of one main infection.

Let's hit the next one...

1 - Download and Run FindAWF
Please download FindAWF by noahdfear from >here<
Save the file to your desktop
Go to your Desktop and double-click on FindAWF.exe to run it
If your security software asks, please allow FindAWF to run
A command window will open - press any key to continue
A Notepad window will open called awf.txt (this will have been saved to your desktop)
Click the Format menu and make sure that Wordwrap is NOT ticked. If it is then click on it to UNtick it.
Click Edit > Select All then Edit > Copy
Paste (Ctrl+V) the content with your next reply.

Thanks
Vino
__________________


Vino Rosso

The help we provide at Tech Support Forums is free. Any donation to help keep us online would be appreciated.
Old 10-28-2007, 04:08 PM   #15 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 61
OS: win xp


Re: help me please..systems admin been takenover

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Mon 10/29/2007
The current time is: 12:05:45.79


bak folders found
~~~~~~~~~~~


Directory of C:\APPS\POWERC~1\BAK

05/11/2005 01:48 PM 127,118 PCMService.exe
1 File(s) 127,118 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

05/12/2006 12:36 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\ZUNE\BAK

03/14/2007 06:03 PM 24,104 ZuneLauncher.exe
1 File(s) 24,104 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 08:00 PM 15,360 ctfmon.exe
07/19/2005 11:06 AM 77,824 hkcmd.exe
07/19/2005 11:10 AM 114,688 igfxpers.exe
07/19/2005 11:09 AM 94,208 igfxtray.exe
07/09/2001 12:50 PM 155,648 NeroCheck.exe
5 File(s) 457,728 bytes

Directory of C:\PROGRA~1\DYNALINK\ADSL\BAK

08/19/2003 12:47 PM 16,384 dslagent.exe
07/17/2002 05:18 AM 299,008 dslstat.exe
2 File(s) 315,392 bytes

Directory of C:\PROGRA~1\GRISOFT\AVG7\BAK

09/14/2007 05:16 PM 421,888 avgcc.exe
1 File(s) 421,888 bytes

Directory of C:\PROGRA~1\REALTEK\INSTAL~1\BAK

04/26/2005 10:08 AM 45,056 AzMixerSel.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK

05/08/2003 12:00 PM 49,152 OpwareSE2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

03/10/2005 06:43 PM 688,218 SynTPEnh.exe
03/10/2005 06:44 PM 98,394 SynTPLpr.exe
2 File(s) 786,612 bytes

Directory of C:\WINDOWS\IME\IMJP8_1\BAK

08/04/2004 08:00 PM 208,952 IMJPMIG.EXE
1 File(s) 208,952 bytes

Directory of C:\WINDOWS\SYSTEM32\DRIVERS\BAK

08/23/2005 03:51 PM 221,184 Icon.exe
12/17/2003 04:50 PM 28,672 STDSB.exe
2 File(s) 249,856 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 04:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

02/18/2006 05:36 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK

05/02/2007 05:15 AM 75,520 jusched.exe
1 File(s) 75,520 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\TINTLGNT\BAK

08/04/2004 08:00 PM 455,168 TINTSETP.EXE
1 File(s) 455,168 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

28172 Oct 6 2007 "C:\APPS\Powercinema\PCMService.exe"
127118 May 11 2005 "C:\APPS\Powercinema\bak\PCMService.exe"
28172 Oct 6 2007 "C:\Program Files\QuickTime\qttask.exe"
77824 May 12 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
28172 Oct 6 2007 "C:\Program Files\Zune\ZuneLauncher.exe"
24104 Mar 14 2007 "C:\Program Files\Zune\bak\ZuneLauncher.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
77824 Jul 19 2005 "C:\PNP\VIDEO\HKCMD.EXE"
77824 Jul 19 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Jul 19 2005 "C:\PNP\VIDEO\IGFXPERS.EXE"
114688 Jul 19 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
94208 Jul 19 2005 "C:\PNP\VIDEO\IGFXTRAY.EXE"
94208 Jul 19 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
28172 Oct 6 2007 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
28172 Oct 6 2007 "C:\Program Files\Dynalink\Adsl\dslagent.exe"
16384 Aug 19 2003 "C:\Program Files\Dynalink\Adsl\bak\dslagent.exe"
28172 Oct 6 2007 "C:\Program Files\Dynalink\Adsl\dslstat.exe"
299008 Jul 17 2002 "C:\Program Files\Dynalink\Adsl\bak\dslstat.exe"
28172 Oct 6 2007 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
421888 Sep 14 2007 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
45056 Apr 26 2005 "C:\PNP\AUDIO\Config\AzMixerSel.exe"
28172 Oct 6 2007 "C:\Program Files\Realtek\InstallShield\AzMixerSel.exe"
45056 Apr 26 2005 "C:\Program Files\Realtek\InstallShield\bak\AzMixerSel.exe"
28172 Oct 6 2007 "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
49152 May 8 2003 "C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe"
688218 Mar 10 2005 "C:\PNP\MOUSE\SYNTPENH.EXE"
28172 Oct 6 2007 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
688218 Mar 10 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
688218 Mar 10 2005 "C:\Program Files\Synaptics\SynTP\Media\SYNTPENH.EXE"
98394 Mar 10 2005 "C:\PNP\MOUSE\SYNTPLPR.EXE"
28172 Oct 6 2007 "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
98394 Mar 10 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
98394 Mar 10 2005 "C:\Program Files\Synaptics\SynTP\Media\SYNTPLPR.EXE"
208952 Aug 4 2004 "C:\WINDOWS\ime\IMJP8_1\imjpmig.exe"
208952 Aug 4 2004 "C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.EXE"
221184 Aug 23 2005 "C:\PNP\OTHER\SCROLL\ICON.EXE"
32768 Dec 16 2006 "C:\WINDOWS\Installer\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}\icon.exe"
32768 Aug 21 2007 "C:\WINDOWS\Installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\icon.exe"
221184 Aug 23 2005 "C:\WINDOWS\system32\drivers\bak\Icon.exe"
28672 Dec 17 2003 "C:\PNP\OTHER\SCROLL\STDSB.EXE"
28172 Oct 6 2007 "C:\WINDOWS\system32\drivers\STDSB.exe"
28672 Dec 17 2003 "C:\WINDOWS\system32\drivers\bak\STDSB.exe"
28172 Oct 6 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
180269 Feb 18 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
28172 Oct 6 2007 "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
75520 May 2 2007 "C:\Program Files\Java\jre1.5.0_12\bin\bak\jusched.exe"
455168 Aug 4 2004 "C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe"
455168 Aug 4 2004 "C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"


end of report
Once again I thank you so much!
Old 10-29-2007, 01:47 PM   #16 (permalink)
Analyst, Security Team
 
 
Join Date: Aug 2007
Posts: 172
OS: XP/Vista


Re: help me please..systems admin been takenover

Hi

OK, let's hit the next infection...

1 - Replace Files With FindAWF
With your mouse, highlight the following list of files in the quote box, then press Ctrl+C (Copy)
Quote:
"C:\APPS\Powercinema\bak\PCMService.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Zune\bak\ZuneLauncher.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxpers.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\Program Files\Dynalink\Adsl\bak\dslagent.exe"
"C:\Program Files\Dynalink\Adsl\bak\dslstat.exe"
"C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
"C:\Program Files\Realtek\InstallShield\bak\AzMixerSel.exe"
"C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
"C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.EXE"
"C:\WINDOWS\system32\drivers\bak\STDSB.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Java\jre1.5.0_12\bin\bak\jusched.exe"
"C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"
Go to your Desktop and double-click on FindAWF.exe to run it
If your security software asks, please allow FindAWF to run
A command window will open - press any key to continue
Select 2 and press Enter on your keyboard
A Notepad window will open called files.txt.
Follow the instructions and click below the line.
Press Ctrl+V to paste the list of files to be restored.
Click File > Save then File > Exit

When FindAWF has finished processing, a new Notepad window will open.
Click Edit > Select All then Edit > Copy
Paste (Ctrl+V) the content with your next reply.

Thanks
Vino
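Added example, not part of this thread or of the FindAWF tool: a small Python triage of the "Duplicate files of bak directory contents" section of a FindAWF report, which pairs every bak copy with the live file in its parent folder, produces the restore list for option 2 (the quote box above) and, once sizes match again, the bak folders that are safe to hand to option 3. The report excerpt is constructed from lines in this thread; the paths and the 28,172-byte replacement size come from the reports, the function names and the grouping rules are my assumptions.

```python
import re

# One line of the "Duplicate files" section: <size> <Mon D YYYY> "<path>".
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')


def parse_duplicates(report):
    """Return (size, date, path) tuples from the 'Duplicate files' section."""
    entries, in_section = [], False
    for line in report.splitlines():
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
            continue
        if line.startswith("end of report"):
            break
        m = LINE_RE.match(line)
        if in_section and m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def triage(report):
    """Pair each bak copy with the live file in its parent folder.

    restore        bak files whose live counterpart has a different size,
                   i.e. autostart executables the infection replaced
    missing_live   bak files with no live counterpart; left to the analyst
    delete_folders bak folders in which every file matches its live copy
    dropper_sizes  sizes of the mismatched live files (one repeated value)
    """
    entries = parse_duplicates(report)
    size_by_path = {path.lower(): size for size, _d, path in entries}
    restore, missing, dropper_sizes = [], [], set()
    folder_clean = {}  # bak folder -> True while every file in it matches
    for size, _d, path in entries:
        parts = path.split("\\")
        if len(parts) < 3 or parts[-2].lower() != "bak":
            continue  # not a file inside a bak folder
        folder = "\\".join(parts[:-1])
        live = "\\".join(parts[:-2] + [parts[-1]])
        live_size = size_by_path.get(live.lower())  # Windows paths: case-insensitive
        if live_size is None:
            missing.append(path)
            ok = False
        elif live_size != size:
            restore.append(path)
            dropper_sizes.add(live_size)
            ok = False
        else:
            ok = True
        folder_clean[folder] = folder_clean.get(folder, True) and ok
    return {
        "restore": restore,
        "missing_live": missing,
        "delete_folders": [f for f, clean in folder_clean.items() if clean],
        "dropper_sizes": sorted(dropper_sizes),
    }


def quote_box(paths):
    """Render paths as the quoted list pasted into FindAWF's files.txt."""
    return "\n".join('"%s"' % p for p in paths)


# Constructed excerpt in FindAWF 1.40 report format, modelled on the first
# report in this thread (before any files were restored).
SAMPLE_BEFORE = r'''Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

28172 Oct  6 2007 "C:\APPS\Powercinema\PCMService.exe"
127118 May 11 2005 "C:\APPS\Powercinema\bak\PCMService.exe"
15360 Aug  4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug  4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
77824 Jul 19 2005 "C:\PNP\VIDEO\HKCMD.EXE"
77824 Jul 19 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
28172 Oct  6 2007 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul  9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
180269 Feb 18 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"

end of report
'''

# The same excerpt as it reads after option 2 has restored the originals.
SAMPLE_AFTER = r'''Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

127118 May 11 2005 "C:\APPS\Powercinema\PCMService.exe"
127118 May 11 2005 "C:\APPS\Powercinema\bak\PCMService.exe"
15360 Aug  4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug  4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"

end of report
'''

if __name__ == "__main__":
    before = triage(SAMPLE_BEFORE)
    print("Paste into files.txt (option 2):\n" + quote_box(before["restore"]))
    print("bak copy with no live file, check by hand:", before["missing_live"])
    print("Size of the replacement files:", before["dropper_sizes"])
    print("bak folders safe to delete (option 3):", triage(SAMPLE_AFTER)["delete_folders"])
```

A bak file with no live counterpart is reported separately rather than queued for restore, because the report alone cannot tell whether the original ever lived in that folder (compare realsched.exe and Icon.exe in the reports above).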
Old 10-30-2007, 04:22 PM   #17 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 61
OS: win xp


Re: help me please..systems admin been takenover

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Wed 10/31/2007
The current time is: 12:19:17.44


bak folders found
~~~~~~~~~~~


Directory of C:\APPS\POWERC~1\BAK

05/11/2005 01:48 PM 127,118 PCMService.exe
1 File(s) 127,118 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

05/12/2006 12:36 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\ZUNE\BAK

03/14/2007 06:03 PM 24,104 ZuneLauncher.exe
1 File(s) 24,104 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 08:00 PM 15,360 ctfmon.exe
07/19/2005 11:06 AM 77,824 hkcmd.exe
07/19/2005 11:10 AM 114,688 igfxpers.exe
07/19/2005 11:09 AM 94,208 igfxtray.exe
07/09/2001 12:50 PM 155,648 NeroCheck.exe
5 File(s) 457,728 bytes

Directory of C:\PROGRA~1\DYNALINK\ADSL\BAK

08/19/2003 12:47 PM 16,384 dslagent.exe
07/17/2002 05:18 AM 299,008 dslstat.exe
2 File(s) 315,392 bytes

Directory of C:\PROGRA~1\GRISOFT\AVG7\BAK

09/14/2007 05:16 PM 421,888 avgcc.exe
1 File(s) 421,888 bytes

Directory of C:\PROGRA~1\REALTEK\INSTAL~1\BAK

04/26/2005 10:08 AM 45,056 AzMixerSel.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK

05/08/2003 12:00 PM 49,152 OpwareSE2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

03/10/2005 06:43 PM 688,218 SynTPEnh.exe
03/10/2005 06:44 PM 98,394 SynTPLpr.exe
2 File(s) 786,612 bytes

Directory of C:\WINDOWS\IME\IMJP8_1\BAK

08/04/2004 08:00 PM 208,952 IMJPMIG.EXE
1 File(s) 208,952 bytes

Directory of C:\WINDOWS\SYSTEM32\DRIVERS\BAK

08/23/2005 03:51 PM 221,184 Icon.exe
12/17/2003 04:50 PM 28,672 STDSB.exe
2 File(s) 249,856 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 04:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

02/18/2006 05:36 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK

05/02/2007 05:15 AM 75,520 jusched.exe
1 File(s) 75,520 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\TINTLGNT\BAK

08/04/2004 08:00 PM 455,168 TINTSETP.EXE
1 File(s) 455,168 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

127118 May 11 2005 "C:\APPS\Powercinema\PCMService.exe"
127118 May 11 2005 "C:\APPS\Powercinema\bak\PCMService.exe"
77824 May 12 2006 "C:\Program Files\QuickTime\qttask.exe"
77824 May 12 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
24104 Mar 14 2007 "C:\Program Files\Zune\ZuneLauncher.exe"
24104 Mar 14 2007 "C:\Program Files\Zune\bak\ZuneLauncher.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
77824 Jul 19 2005 "C:\PNP\VIDEO\HKCMD.EXE"
77824 Jul 19 2005 "C:\WINDOWS\system32\hkcmd.exe"
77824 Jul 19 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Jul 19 2005 "C:\PNP\VIDEO\IGFXPERS.EXE"
114688 Jul 19 2005 "C:\WINDOWS\system32\igfxpers.exe"
114688 Jul 19 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
94208 Jul 19 2005 "C:\PNP\VIDEO\IGFXTRAY.EXE"
94208 Jul 19 2005 "C:\WINDOWS\system32\igfxtray.exe"
94208 Jul 19 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
16384 Aug 19 2003 "C:\Program Files\Dynalink\Adsl\dslagent.exe"
16384 Aug 19 2003 "C:\Program Files\Dynalink\Adsl\bak\dslagent.exe"
299008 Jul 17 2002 "C:\Program Files\Dynalink\Adsl\dslstat.exe"
299008 Jul 17 2002 "C:\Program Files\Dynalink\Adsl\bak\dslstat.exe"
421888 Sep 14 2007 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
421888 Sep 14 2007 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
45056 Apr 26 2005 "C:\PNP\AUDIO\Config\AzMixerSel.exe"
45056 Apr 26 2005 "C:\Program Files\Realtek\InstallShield\AzMixerSel.exe"
45056 Apr 26 2005 "C:\Program Files\Realtek\InstallShield\bak\AzMixerSel.exe"
49152 May 8 2003 "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
49152 May 8 2003 "C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe"
688218 Mar 10 2005 "C:\PNP\MOUSE\SYNTPENH.EXE"
688218 Mar 10 2005 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
688218 Mar 10 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
688218 Mar 10 2005 "C:\Program Files\Synaptics\SynTP\Media\SYNTPENH.EXE"
98394 Mar 10 2005 "C:\PNP\MOUSE\SYNTPLPR.EXE"
98394 Mar 10 2005 "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
98394 Mar 10 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
98394 Mar 10 2005 "C:\Program Files\Synaptics\SynTP\Media\SYNTPLPR.EXE"
208952 Aug 4 2004 "C:\WINDOWS\ime\IMJP8_1\IMJPMIG.EXE"
208952 Aug 4 2004 "C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.EXE"
221184 Aug 23 2005 "C:\PNP\OTHER\SCROLL\ICON.EXE"
32768 Dec 16 2006 "C:\WINDOWS\Installer\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}\icon.exe"
32768 Aug 21 2007 "C:\WINDOWS\Installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\icon.exe"
221184 Aug 23 2005 "C:\WINDOWS\system32\drivers\bak\Icon.exe"
28672 Dec 17 2003 "C:\PNP\OTHER\SCROLL\STDSB.EXE"
28672 Dec 17 2003 "C:\WINDOWS\system32\drivers\STDSB.exe"
28672 Dec 17 2003 "C:\WINDOWS\system32\drivers\bak\STDSB.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
180269 Feb 18 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Feb 18 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
75520 May 2 2007 "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
75520 May 2 2007 "C:\Program Files\Java\jre1.5.0_12\bin\bak\jusched.exe"
455168 Aug 4 2004 "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE"
455168 Aug 4 2004 "C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"


end of report
Old 10-31-2007, 04:03 PM   #18 (permalink)
Analyst, Security Team
 
 
Join Date: Aug 2007
Posts: 172
OS: XP/Vista


Re: help me please..systems admin been takenover

Hi

OK, next steps...

1 - Delete Bak Folders With FindAWF
With your mouse, highlight the following list of files in the quote box, then press Ctrl+C (Copy)
Quote:
C:\APPS\Powercinema\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Zune\bak
C:\WINDOWS\system32\bak
C:\Program Files\Dynalink\Adsl\bak
C:\Program Files\Grisoft\AVG7\bak
C:\Program Files\Realtek\InstallShield\bak
C:\Program Files\ScanSoft\OmniPageSE2.0\bak
C:\Program Files\Synaptics\SynTP\bak
C:\WINDOWS\ime\IMJP8_1\bak
C:\WINDOWS\system32\drivers\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Java\jre1.5.0_12\bin\bak
C:\WINDOWS\system32\IME\TINTLGNT\bak
Go to your Desktop and double-click on FindAWF.exe to run it
If your security software asks, please allow FindAWF to run
A command window will open - press any key to continue
Select 3 and press Enter on your keyboard
A Notepad window will open called folders.txt.
Follow the instructions and click below the line.
Press Ctrl+V to paste the list of folders to be deleted.
Click File > Save then File > Exit

When FindAWF has finished processing, a new Notepad window will open.
Click Edit > Select All then Edit > Copy
Paste (Ctrl+V) the content with your next reply.

2 - Delete Domains With FindAWF
Go to your Desktop and double-click on FindAWF.exe to run it
If your security software asks, please allow FindAWF to run
A command window will open - press any key to continue
Select 4 and press Enter on your keyboard
When FindAWF has finished, the main menu will appear
Press E to Exit and press Enter on your keyboard.

3 - Check on status
After you have completed the above, please provide:
  1. the AWF report
  2. a new HijackThis log
  3. and a description of how your PC is behaving - what problems are you now experiencing?
Thanks
Vino
Old 10-31-2007, 09:26 PM   #19 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 61
OS: win xp


Re: help me please..systems admin been takenover

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Thu 11/01/2007
The current time is: 17:23:59.25


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
Old 10-31-2007, 09:30 PM   #20 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 61
OS: win xp


Re: help me please..systems admin been takenover

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:54 PM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\printer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\spywarebegone\SpywareBeGone.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Spyware Begone] "C:\spywarebegone\SpywareBeGone.exe" -FastScan
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.doginhispen.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1190280802687
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{959C980D-6A13-4BBC-8B6E-7727A008DDE7}: NameServer = 203.109.129.67 203.109.129.68
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7607 bytes

Was going really well till I turned it on this arvo. Now I have the box with the same warning as at the beginning of all this, and the system administrator box all over again... I could cry!! I was soooo happy!
zerbet is offline  
Copyright 2001 - 2010, Tech Support Forum