Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

07-30-2008, 07:50 PM   #1
Registered User
 
Join Date: Jul 2008
Posts: 16
OS: Windows Vista


Explorer.exe Keeps Closing

Hi, about two weeks ago I started having constant pop-ups and I tried several antivirus removal programs, like McAfee, AVG 8.0, Search and Destroy, and some others. In the end AVG actually removed the problem; then all of a sudden explorer.exe kept closing and coming back, and so forth. I've seen the other threads and forums and tried those solutions, but to no avail. So here are my logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:53 PM, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\windows\system32\svchost.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\taskmgr.exe
C:\Documents and Settings\Mohamed\Desktop\dss.exe
C:\DOCUME~1\Mohamed\MYDOCU~1\DOWNLO~1\Programs\Mohamed.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30EE7C7E-3B4B-4065-9FFA-C87C8C10C42A} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {4E1795E2-145A-4662-80BB-A17498ACE90A} - C:\windows\system32\cbXRIyaa.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\WINDOWS\Resources\Themes\Crystal.Systema Suite\FindeXer Nightly V1.1.0.3\FindeXer.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?53a22baa9a8b466ba676dad31deb712d
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?53a22baa9a8b466ba676dad31deb712d
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: opnmLeEu - opnmLeEu.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NinjaVideo Helper (NinjaVideo Helper.exe) - NinjaVideo - C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\windows\system32\spoolsv.exe (file missing)

--
End of file - 5387 bytes

Deckard's System Scanner v20071014.68
Run by Mohamed on 2008-07-29 19:15:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Mohamed.exe) ---------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-29 19:21:25
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Mohamed\Desktop\dss.exe
C:\Documents and Settings\Mohamed\My Documents\Downloads\Programs\Mohamed.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir...mp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30EE7C7E-3B4B-4065-9FFA-C87C8C10C42A} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {4E1795E2-145A-4662-80BB-A17498ACE90A} - C:\WINDOWS\system32\cbXRIyaa.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\WINDOWS\Resources\Themes\Crystal.Systema Suite\FindeXer Nightly V1.1.0.3\FindeXer.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnceEx: [Flags] 128
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?53a22baa9a8b466ba676dad31deb712d
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?53a22baa9a8b466ba676dad31deb712d
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub...irector/sw.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: opnmLeEu - C:\windows\system32\opnmLeEu.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NinjaVideo Helper (NinjaVideo Helper.exe) - NinjaVideo - C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\windows\system32\spoolsv.exe


--
End of file - 7329 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\Mohamed\MYDOCU~1\DOWNLO~1\Programs\backups\) --------------------------------------------------------------------------------

backup-20080121-231657-151 O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
backup-20080121-231657-166 O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\windows\system32\drvkov.dll,startup
backup-20080121-231657-178 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20080121-231657-186 O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
backup-20080121-231657-209 O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
backup-20080121-231657-215 O4 - HKCU\..\Policies\Explorer\Run: [{2028C971-09DC-1033-0815-021220050001}] "C:\Program Files\Common Files\{2028C971-09DC-1033-0815-021220050001}\Update.exe" mc-110-12-0000272
backup-20080121-231657-242 O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
backup-20080121-231657-262 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
backup-20080121-231657-276 O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
backup-20080121-231657-306 O4 - HKLM\..\Run: [2028c9de] rundll32.exe "C:\windows\system32\uodqoxcv.dll",b
backup-20080121-231657-377 O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
backup-20080121-231657-432 O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
backup-20080121-231657-442 O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
backup-20080121-231657-488 O4 - HKLM\..\Run: [avp] C:\windows\avp.exe
backup-20080121-231657-491 O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?53a22baa9a8b466ba676dad31deb712d
backup-20080121-231657-496 O4 - HKLM\..\Run: [BM231bfa42] Rundll32.exe "C:\windows\system32\sftfhhpc.dll",s
backup-20080121-231657-522 O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
backup-20080121-231657-528 O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
backup-20080121-231657-534 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
backup-20080121-231657-554 O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
backup-20080121-231657-564 O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
backup-20080121-231657-567 O4 - HKLM\..\Run: [smgr] mgrs.exe
backup-20080121-231657-597 O4 - HKCU\..\Run: [HoleWarn] C:\DOCUME~1\Mohamed\APPLIC~1\MFCDWA~1\ball mail support.exe
backup-20080121-231657-608 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
backup-20080121-231657-620 O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\windows\system32\cgogmzbl.dll
backup-20080121-231657-633 O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
backup-20080121-231657-639 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
backup-20080121-231657-648 O1 - Hosts: 80.69.94.166 gameguard.mapleglobal.com
backup-20080121-231657-710 O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
backup-20080121-231657-719 O4 - HKLM\..\Run: [HiHiCall] C:\Program Files\HiHiCall.com\HiHiCall.exe
backup-20080121-231657-732 O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
backup-20080121-231657-814 O1 - Hosts: 80.69.94.166 63.251.217.184
backup-20080121-231657-831 O4 - HKLM\..\Run: [Mode Load Mpeg Less] C:\Documents and Settings\All Users\Application Data\two setup mode load\burn for.exe
backup-20080121-231657-850 O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
backup-20080121-231657-856 O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0250Cvw.dll] C:\windows\system32\RegSvr32.exe /s C:\windows\system32\V0250Cvw.dll
backup-20080121-231657-890 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20080121-231657-925 O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?53a22baa9a8b466ba676dad31deb712d
backup-20080121-231657-948 O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
backup-20080121-231658-166 O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
backup-20080121-231658-225 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
backup-20080121-231658-707 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
backup-20080121-231659-268 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
backup-20080121-231659-501 O23 - Service: DomainService - - C:\windows\system32\wtbedpjq.exe
backup-20080121-231659-656 O21 - SSODL: E404Helper - {4b993299-5e4c-4e73-b0e6-869763910b35} - e404d.dll (file missing)
backup-20080121-231659-747 O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20080121-231659-892 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
backup-20080121-231700-191 O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
backup-20080121-231700-244 O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
backup-20080121-231700-317 O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
backup-20080121-231700-414 O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
backup-20080121-231700-459 O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
backup-20080121-231700-493 O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
backup-20080121-231700-594 O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
backup-20080728-165241-298 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
backup-20080728-165501-402 O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
backup-20080728-165501-422 O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 Asapi - c:\windows\system32\drivers\asapi.sys <Not Verified; VOB Computersysteme GmbH; asapi>
R2 npkcrypt - c:\nexon\maplestory\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>
R3 npkcusb - c:\nexon\maplestory\npkcusb.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>
R3 NVR0Dev - c:\windows\nvoclock.sys <Not Verified; NVidia Corp.; NVidia System Utility Driver>

S0 Partizan - c:\windows\system32\drivers\partizan.sys (file missing)
S3 catchme - c:\docume~1\mohamed\locals~1\temp\catchme.sys (file missing)
S3 CEDRIVER53 - c:\program files\cheat engine\dbk32.sys (file missing)
S3 Dua1 - c:\documents and settings\mohamed\desktop\maplestory hacks\dual engine\dualengi.sys (file missing)
S3 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
S3 Profos - c:\program files\common files\bitdefender\bitdefender threat scanner\profos.sys (file missing)
S3 VMnetAdapter (VMware Virtual Ethernet Adapter Driver) - c:\windows\system32\drivers\vmnetadapter.sys (file missing)
S3 XTrapD12 - c:\windows\system32\xtrapd12.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 NinjaVideo Helper.exe (NinjaVideo Helper) - "c:\program files\ninjavideo\ninjavideo helper\ninjavideo helper.exe" <Not Verified; NinjaVideo; NinjaVideo Helper>
R2 nTuneService (nTune Service) - c:\program files\nvidia corporation\ntune\ntuneservice.exe /startservice <Not Verified; NVIDIA; NVIDIA nTune>

S2 Spooler (Print Spooler) - c:\windows\system32\spoolsv.exe (file missing)
S4 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-10 12:33:02 284 --a------ C:\windows\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-29 and 2008-07-29 -----------------------------

2008-07-29 13:34:07 0 d-------- C:\ie-spyad_zo
2008-07-28 17:08:12 0 d-------- C:\Program Files\Panda Security
2008-07-28 16:44:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-27 02:03:26 0 d-------- C:\Documents and Settings\Mohamed\DoctorWeb
2008-07-27 01:11:18 0 d-------- C:\windows\ERUNT
2008-07-27 00:25:15 60416 --a------ C:\windows\ALCFDRTM.EXE <Not Verified; Realtek Semiconductor Corp.; Realtek ALCFDRTM>
2008-07-25 03:02:05 579678 --ahs---- C:\windows\system32\aayIRXbc.ini2
2008-07-25 03:01:57 246784 --a------ C:\windows\system32\cbXRIyaa.dll
2008-07-25 02:59:23 0 d-------- C:\Program Files\AVG
2008-07-20 21:16:01 24 --a------ C:\windows\system32\sysogg.dll
2008-07-20 21:14:31 1703936 --a------ C:\windows\system32\NCTAudioFile.dll <Not Verified; NCT Company; NCTAudioFile ActiveX DLL>
2008-07-20 21:14:30 0 d-------- C:\Program Files\MP3 Converter Simple
2008-07-20 21:04:53 0 d-------- C:\Program Files\AtomixMP3
2008-07-11 13:19:27 0 d-------- C:\Nexon
2008-07-06 19:43:08 0 d-------- C:\Documents and Settings\LocalService\My Documents
2008-06-30 02:45:40 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-30 02:45:40 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-30 02:45:40 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-30 02:45:40 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-30 02:45:40 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-30 02:45:40 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-30 02:45:40 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-30 02:45:40 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-30 02:45:40 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-30 02:45:40 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-30 02:45:40 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-30 02:45:40 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-30 02:45:40 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-30 02:45:39 516096 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-07-29 14:57:26 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-07-29 13:42:28 0 d-------- C:\Documents and Settings\Mohamed\Application Data\Azureus
2008-07-29 00:45:11 0 d-------- C:\Program Files\Internet Download Manager
2008-07-28 1715 0 dr------- C:\Program Files\TypingMaster
2008-07-28 16:44:48 0 d-------- C:\Program Files\Active WebCam
2008-07-28 16:43:11 0 d-------- C:\Documents and Settings\Mohamed\Application Data\DMCache
2008-07-28 16:43:05 0 d-------- C:\Documents and Settings\Mohamed\Application Data\IDM
2008-07-27 00:12:39 0 d-------- C:\Documents and Settings\Mohamed\Application Data\LimeWire
2008-07-22 12:47:59 0 d-------- C:\Program Files\Winamp
2008-07-22 12:24:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-22 12:24:27 0 d-------- C:\Program Files\Common Files
2008-07-02 14:20:59 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-16 0322 0 d-------- C:\Documents and Settings\Mohamed\Application Data\FindeXer
2008-06-14 01:49:52 0 d-------- C:\Program Files\mkv2vob
2008-06-14 01:49:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-11 17:46:49 0 d-------- C:\Program Files\Veoh Networks
2008-05-14 12:40:56 166447 --a------ C:\windows\Video Cleaner Pro Uninstaller.exe
2008-05-14 02:15:13 160373 --a------ C:\windows\MPEG-4 Booster Pack Uninstaller.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30EE7C7E-3B4B-4065-9FFA-C87C8C10C42A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E1795E2-145A-4662-80BB-A17498ACE90A}]
07/25/2008 03:01 AM 246784 --a------ C:\windows\system32\cbXRIyaa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\windows\system32\NvCpl.dll" [12/05/2007 02:41 AM]
"NvMediaCenter"="C:\windows\system32\NvMcTray.dll" [12/05/2007 02:41 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12/03/2006 11:27 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [07/28/2008 08:08 AM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [09/04/2007 08:25 PM]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [09/02/2007 02:58 PM]
"WeatherEye"="C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [05/30/2008 02:45 PM]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [05/15/2008 04:11 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BD3C6F7C-6C8D-48F6-AC52-5E4071AEB257}"= C:\windows\system32\opnmLeEu.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmLeEu]
opnmLeEu.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\windows\system32\cbXRIyaa

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DAEMON Tools.lnk]
backup=C:\WINDOWS\pss\DAEMON Tools.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mohamed^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mohamed^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32\V0250Cvw.dll]
C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0250Cvw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
"C:\Program Files\Creative\Shared Files\CamTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
C:\Program Files\Internet Download Manager\IDMan.exe /onboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusBursters]
C:\Program Files\VirusBursters\virusbursters.exe /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)
"usnjsvc"=3 (0x3)
"RichVideo"=2 (0x2)
"PREVXAgent"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"IDriverT"=3 (0x3)
"AVG Anti-Spyware Guard"=2 (0x2)

*Newly Created Service* - PAVBOOT

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F8B9E5C0-4DCC-CFCF-ABA5-00401D608516}]
C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe



-- End of Deckard's System Scanner: finished at 2008-07-29 19:24:29 ------------

ActiveScan.txt

extra.txt
Old 08-03-2008, 06:03 PM   #2 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 16
OS: Windows Vista


Re: Explorer.exe Keeps Closing

Bump, please.
Old 08-03-2008, 10:29 PM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Explorer.exe Keeps Closing

Hello diddy89 and welcome,

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure, and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save it to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

1. Download SDFix and save it to your Desktop. Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix). Do not run it yet.


2. Download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.



Click NO to exit ComboFix now.


--------------------------------------------------------------------

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished.
  • Press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt. I'll need that in your next reply.

--------------------------------------------------------------------

From Normal Mode...


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

When the tool is finished, it will produce a report for you at C:\ComboFix.txt which I will need in your next reply.


--------------------------------------------------------------------

Run a new scan with HijackThis.exe (not dss.exe) and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

C:\SDFix\Report.txt
C:\ComboFix.txt
New HijackThis log
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 08-04-2008, 01:38 AM   #4 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 16
OS: Windows Vista


Re: Explorer.exe Keeps Closing

Alrighty! So since I didn't have explorer.exe working for the ComboFix thing where I drag the XP file, I used the Task Manager, if that's alright. Also, I couldn't click or type No for the ComboFix System Restore thing, so it went ahead anyways... but I kept on going and finished the rest of the steps. It fixed explorer.exe's disappearing act, but I'm still positive there's something wrong, because when it booted after the SDFix scanning thing, there was a black screen that said INVALID BOOT.INI File, or missing, something like that; sorry, my memory's pretty bad (but it's not the first time I've seen it, it just opens occasionally). Anyways, here are my logs:


SDFix: Version 1.212
Run by Mohamed on 2008-08-04 at 01:28

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Mohamed\Desktop\SDFIX\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\nvrsul32.dll - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 01:47:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:1d,0a,a4,33,69,ce,b9,0e,15,93,0e,f8,19,a0,0d,97,58,1b,98,d9,5a,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,68,d2,1d,25,89,4c,c4,72,e0,df,8b,96,0c,fb,eb,67,6e,..
"khjeh"=hex:85,a2,26,fc,94,af,06,52,9f,bb,96,0e,9b,36,bb,6a,ec,c9,1c,8c,4e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:10,0a,17,f8,fc,bf,81,a0,64,a8,f4,8a,c7,ee,46,f3,f0,2f,15,e2,2d,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:2c,e7,23,b5,0a,08,3d,24,e9,e1,73,61,b6,49,4c,2e,cb,96,14,a5,c5,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:d60abf16
"s2"=dword:cd4f5905
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:1d,0a,a4,33,69,ce,b9,0e,15,93,0e,f8,19,a0,0d,97,58,1b,98,d9,5a,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,68,d2,1d,25,89,4c,c4,72,e0,df,8b,96,0c,fb,eb,67,6e,..
"khjeh"=hex:ec,14,ef,7f,9a,49,09,2d,ea,a9,d4,22,76,e1,2a,8e,4f,51,84,19,fc,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:dd,e9,36,88,ee,17,82,2d,30,9a,37,6a,3f,de,ac,7a,6d,6f,82,a0,83,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:32,2a,71,40,a4,b8,f0,66,65,ec,27,33,bb,e4,5f,34,a3,7d,28,50,65,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:91,1f,64,94,f6,ae,6d,64,b9,49,14,90,94,2a,2e,9a,1a,4c,ed,6a,b6,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:3f,db,b2,94,d9,48,4c,b0,ae,e3,2b,aa,27,34,8d,3b,f7,7e,2d,9a,9c,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:1d,0a,a4,33,69,ce,b9,0e,15,93,0e,f8,19,a0,0d,97,58,1b,98,d9,5a,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,68,d2,1d,25,89,4c,c4,72,e0,df,8b,96,0c,fb,eb,67,6e,..
"khjeh"=hex:ec,14,ef,7f,9a,49,09,2d,ea,a9,d4,22,76,e1,2a,8e,4f,51,84,19,fc,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:dd,e9,36,88,ee,17,82,2d,30,9a,37,6a,3f,de,ac,7a,6d,6f,82,a0,83,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:32,2a,71,40,a4,b8,f0,66,65,ec,27,33,bb,e4,5f,34,a3,7d,28,50,65,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:91,1f,64,94,f6,ae,6d,64,b9,49,14,90,94,2a,2e,9a,1a,4c,ed,6a,b6,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:3f,db,b2,94,d9,48,4c,b0,ae,e3,2b,aa,27,34,8d,3b,f7,7e,2d,9a,9c,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\pdwpamt.exe"="C:\\pdwpamt.exe:*:Enabled:Server"
"C:\\Documents and Settings\\Mohamed\\My Documents\\Downloads\\Programs\\utorrent.exe"="C:\\Documents and Settings\\Mohamed\\My Documents\\Downloads\\Programs\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Program Files\\Internet Download Manager\\IDMan.exe"="C:\\Program Files\\Internet Download Manager\\IDMan.exe:*:Enabled:Internet Download Manager"
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"="C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\\windows\\system32\\wtbedpjq.exe"="C:\\windows\\system32\\wtb"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\\Documents and Settings\\Mohamed\\Local Settings\\Temp\\usmt\\migwiz.exe"="C:\\Documents and Settings\\Mohamed\\Local Settings\\Temp\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Disabled:Veoh Client"
"C:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe"="C:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe:*:Enabled:Firefox"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Administrative Tools\\Recycle Bin\\kdja.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Administrative Tools\\Recycle Bin\\kdja.exe:*:Enabled:windows media player streaming service"
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"="C:\\Program Files\\Microsoft Games\\Halo\\halo.exe:*:Disabled:Halo"
"C:\\Program Files\\Steam\\steamapps\\mo3al1\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\mo3al1\\counter-strike source\\hl2.exe:*:Disabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\farah010\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\farah010\\counter-strike source\\hl2.exe:*:Disabled:hl2"
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe:*:Disabled:Kaspersky Anti-Virus"
"C:\\Program Files\\PPLive\\PPLive.exe"="C:\\Program Files\\PPLive\\PPLive.exe:*:Disabled:PPLive"
"C:\\Program Files\\PPMate\\ppmnet.exe"="C:\\Program Files\\PPMate\\ppmnet.exe:*:Disabled:PPMate"
"C:\\Program Files\\PPMate\\PPMate\\ppmate.exe"="C:\\Program Files\\PPMate\\PPMate\\ppmate.exe:*:Disabled:PPMate"
"C:\\Program Files\\PPMate\\ppmate.exe"="C:\\Program Files\\PPMate\\ppmate.exe:*:Disabled:PPMate"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\pdwpamt.exe"="C:\\pdwpamt.exe:*:Enabled:Server"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\DOCUME~1\Mohamed\Desktop\SDFIX\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 3 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Tue 3 Aug 2004 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed 18 Oct 2006 64,000 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Sun 26 Nov 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 19 Feb 2007 25,600 ...H. --- "C:\Documents and Settings\Mohamed\My Documents\~WRL0001.tmp"
Thu 10 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a7b63628b39fd8bdb7e535e34d0ea696\BIT2.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\BIT2.tmp"
Wed 19 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT141.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT3.tmp"
Mon 26 Nov 2007 1,745 ...HR --- "C:\Documents and Settings\Mohamed\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!




ComboFix 08-08-03.03 - Mohamed 2008-08-04 2:03:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.672 [GMT -6:00]
Running from: C:\Documents and Settings\Mohamed\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Mohamed\Application Data\macromedia\Flash Player\#SharedObjects\9LYCQ8CV\iforex.com
C:\Documents and Settings\Mohamed\Application Data\macromedia\Flash Player\#SharedObjects\9LYCQ8CV\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Mohamed\Application Data\macromedia\Flash Player\#SharedObjects\9LYCQ8CV\interclick.com
C:\Documents and Settings\Mohamed\Application Data\macromedia\Flash Player\#SharedObjects\9LYCQ8CV\interclick.com\ud.sol
C:\Documents and Settings\Mohamed\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Mohamed\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\Mohamed\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Mohamed\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Mohamed\err.log
C:\Documents and Settings\Mohamed\My Documents\FNTS~1
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\1.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\1_2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\1_3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\1_4.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\2_2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\2_3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\2_4.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\2297_1.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\2297_6.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\3_2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\3_3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\3_4.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\4.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\4_2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\4_3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\4_4.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\anime1.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\anime2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\anime3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\anime4.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\anime5.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\anime6.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_1.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_1_2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_1_3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_2_2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_2_3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_3_2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_3_3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_4.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_4_2.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\clip_4_3.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\promo10_marked.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\promo11_marked.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\promo11_marked_2.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\promo13_marked.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\promo2_marked.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\promo3_marked.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\promo7_marked.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\promo7_marked_2.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\promo8_marked.wmv
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\Thumbs.db
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\V01222_big_02.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\New Folder\V51730_big_05.mpg
C:\Documents and Settings\Mohamed\My Documents\FNTS~1\Thumbs.db
C:\Program Files\Common Files\{2028C~1
C:\Program Files\Common Files\{3028C~1
C:\temp\tn3
C:\windows\BM231bfa42.txt
C:\windows\cookies.ini
C:\windows\pskt.ini
C:\windows\Spyware Remover.ico
C:\WINDOWS\system32\aayIRXbc.ini
C:\WINDOWS\system32\aayIRXbc.ini2
C:\windows\system32\ahevlxbg.ini
C:\windows\system32\ahlxeasb.ini
C:\windows\system32\algrmgnc.ini
C:\windows\system32\attdyogx.ini
C:\windows\system32\avbsoioq.ini
C:\windows\system32\axgaiewt.ini
C:\windows\system32\bfroipub.ini
C:\windows\system32\bidkbhgk.ini
C:\windows\system32\birsbour.ini
C:\windows\system32\boctmaki.ini
C:\windows\system32\boouwqdy.ini
C:\windows\system32\cbntigyh.ini
C:\windows\system32\cbXRIyaa.dll
C:\windows\system32\cgogmzbl.dllbox
C:\windows\system32\components
C:\windows\system32\dbmrbytx.ini
C:\windows\system32\dhikhwka.ini
C:\windows\system32\dhtyxhcm.ini
C:\windows\system32\dmxbfuil.ini
C:\windows\system32\drivers\core.cache.dsk
C:\windows\system32\drvkovr.dll
C:\windows\system32\dywewjpo.ini
C:\windows\system32\eeidqtbm.ini
C:\windows\system32\enuatkux.ini
C:\windows\system32\equjioew.ini
C:\windows\system32\eqwfcoht.ini
C:\windows\system32\ffubenpx.ini
C:\windows\system32\fgwbwhfj.ini
C:\windows\system32\fisqwbrx.ini
C:\windows\system32\fnjcbokd.ini
C:\windows\system32\gacbikud.ini
C:\windows\system32\guhkcnwi.ini
C:\windows\system32\hgybukaw.ini
C:\windows\system32\hilyacmg.ini
C:\windows\system32\ijhtsltj.ini
C:\windows\system32\ilmsytma.ini
C:\windows\system32\jamfbvsg.ini
C:\windows\system32\jvwtkjca.ini
C:\windows\system32\kaiomhcl.ini
C:\WINDOWS\system32\kjkmp.ini
C:\WINDOWS\system32\kjkmp.ini2
C:\windows\system32\lieegofj.ini
C:\windows\system32\ljcqpkqf.ini
C:\windows\system32\llryxkys.ini
C:\windows\system32\lukkiikj.ini
C:\windows\system32\lyogoahv.ini
C:\windows\system32\mcrh.tmp
C:\WINDOWS\system32\mlnmp.bak1
C:\WINDOWS\system32\mlnmp.bak2
C:\windows\system32\mlnmp.ini
C:\WINDOWS\system32\mlnmp.ini2
C:\windows\system32\mlwpkobh.ini
C:\windows\system32\mtyuqcgs.ini
C:\windows\system32\nnasllxi.ini
C:\windows\system32\obtinqtl.ini
C:\windows\system32\ojigpgys.ini
C:\windows\system32\oromycrg.ini
C:\windows\system32\otvipwuw.ini
C:\windows\system32\pggjvvje.ini
C:\windows\system32\phpmwaaf.ini
C:\windows\system32\qnhlmxja.ini
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\qqtss.ini2
C:\windows\system32\raujkfxg.ini
C:\windows\system32\rbrjaebw.ini
C:\windows\system32\rjhewohf.ini
C:\windows\system32\sgattpyq.ini
C:\windows\system32\sgjytjqe.ini
C:\windows\system32\shsthgux.ini
C:\windows\system32\sysogg.dll
C:\windows\system32\tjwgukre.ini
C:\windows\system32\tmcourtp.ini
C:\windows\system32\tpbofusv.ini
C:\windows\system32\ujmcrveo.ini
C:\WINDOWS\system32\ututv.ini
C:\WINDOWS\system32\ututv.ini2
C:\windows\system32\uvojdyaf.ini
C:\windows\system32\vcxoqdou.ini
C:\windows\system32\vrbwfqdu.ini
C:\windows\system32\vsprineq.ini
C:\windows\system32\vtpbnyyj.ini
C:\windows\system32\wdddfpxd.ini
C:\windows\system32\whymkflr.ini
C:\windows\system32\wiqjwjos.ini
C:\windows\system32\wyfbtswt.ini
C:\windows\system32\xaqqsmpk.ini
C:\WINDOWS\system32\xbadd.ini
C:\WINDOWS\system32\xbadd.ini2
C:\windows\system32\xgoqfxje.ini
C:\windows\system32\ydyalepu.ini
C:\windows\system32\ygcpytqf.ini
C:\windows\system32\yorqrykr.ini
C:\windows\system32\yxaeitst.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-07-29 13:42 . 2008-07-29 13:42 <DIR> d-------- C:\Deckard
2008-07-29 13:34 . 2008-07-29 13:34 <DIR> d-------- C:\ie-spyad_zo
2008-07-28 17:14 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-28 17:08 . 2008-07-28 17:08 <DIR> d-------- C:\Program Files\Panda Security
2008-07-28 16:47 . 2008-07-28 16:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-28 16:47 . 2008-07-28 16:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-28 16:44 . 2008-07-28 16:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-27 02:03 . 2008-07-27 02:03 <DIR> d-------- C:\Documents and Settings\Mohamed\DoctorWeb
2008-07-27 01:11 . 2008-07-27 01:12 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-27 00:25 . 2008-07-27 00:25 60,416 --a------ C:\WINDOWS\ALCFDRTM.VER
2008-07-27 00:25 . 2008-07-27 00:25 60,416 --a------ C:\WINDOWS\ALCFDRTM.EXE
2008-07-25 18:14 . 2008-07-25 18:14 100 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-07-25 02:59 . 2008-07-25 02:59 <DIR> d-------- C:\Program Files\AVG
2008-07-20 21:14 . 2008-07-20 21:14 <DIR> d-------- C:\Program Files\MP3 Converter Simple
2008-07-20 21:14 . 2002-11-13 11:14 1,703,936 --a------ C:\WINDOWS\system32\NCTAudioFile.dll
2008-07-20 21:04 . 2008-07-20 21:12 <DIR> d-------- C:\Program Files\AtomixMP3
2008-07-11 13:19 . 2008-07-11 13:19 <DIR> d-------- C:\Nexon
2008-07-09 14:35 . 2006-08-16 05:58 100,352 -----c--- C:\WINDOWS\system32\dllcache\6to4svc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 08:02 --------- d-----w C:\Documents and Settings\Mohamed\Application Data\DMCache
2008-08-04 07:18 60,668 --sha-w C:\windows\system32\drivers\fidbox.idx
2008-08-04 07:18 6,223,904 --sha-w C:\windows\system32\drivers\fidbox.dat
2008-08-04 07:18 12,284 --sha-w C:\windows\system32\drivers\fidbox2.idx
2008-08-04 07:18 119,584 --sha-w C:\windows\system32\drivers\fidbox2.dat
2008-08-04 06:58 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 5
2008-07-29 19:42 --------- d-----w C:\Documents and Settings\Mohamed\Application Data\Azureus
2008-07-29 06:45 --------- d-----w C:\Program Files\Internet Download Manager
2008-07-28 23:06 --------- d-----r C:\Program Files\TypingMaster
2008-07-28 22:44 --------- d-----w C:\Program Files\Active WebCam
2008-07-28 22:43 --------- d-----w C:\Documents and Settings\Mohamed\Application Data\IDM
2008-07-27 06:12 --------- d-----w C:\Documents and Settings\Mohamed\Application Data\LimeWire
2008-07-22 18:47 --------- d-----w C:\Program Files\Winamp
2008-07-22 18:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-09 14:34 206,256 ----a-w C:\windows\system32\idmmbc.dll
2008-07-02 20:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-27 21:25 15,452,536 ----a-w C:\IE7-WindowsXP-x86-enu.exe
2008-06-20 17:41 245,248 ----a-w C:\windows\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\windows\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\windows\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\windows\system32\drivers\tcpip6.sys
2008-06-17 16:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-06-16 09:06 --------- d-----w C:\Documents and Settings\Mohamed\Application Data\FindeXer
2008-06-14 07:49 --------- d-----w C:\Program Files\mkv2vob
2008-06-14 07:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-13 13:10 272,128 ------w C:\windows\system32\drivers\bthport.sys
2008-06-11 23:46 --------- d-----w C:\Program Files\Veoh Networks
2008-06-10 20:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-15 06:12 29,480 ----a-w C:\windows\system32\msxml3a.dll
2008-05-14 18:40 166,447 ----a-w C:\windows\Video Cleaner Pro Uninstaller.exe
2008-05-14 08:15 160,373 ----a-w C:\windows\MPEG-4 Booster Pack Uninstaller.exe
2008-05-07 04:55 1,288,192 ----a-w C:\windows\system32\quartz.dll
2008-01-19 22:04 1 ----a-w C:\Documents and Settings\Mohamed\SI.bin
2007-03-18 04:10 144 ----a-w C:\Program Files\VirtualDub.jobs
2005-01-11 04:41 719,360 ----a-w C:\Program Files\VirtualDub.exe
2005-01-11 04:41 115,217 -c--a-w C:\Program Files\VirtualDub.vdi
2005-01-11 04:38 7,168 ----a-w C:\Program Files\vdremote.dll
2005-01-11 04:38 6,656 ----a-w C:\Program Files\vdicmdrv.dll
2005-01-11 04:38 5,120 -c--a-w C:\Program Files\vdsvrlnk.dll
2005-01-11 04:38 16,384 ----a-w C:\Program Files\auxsetup.exe
2005-01-11 04:37 74,186 -c--a-w C:\Program Files\VirtualDub.vdhelp
2004-02-20 06:35 18,321 -c--a-w C:\Program Files\copying
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-07-28 08:08 2610608]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 20:25 81920]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58 495616]
"WeatherEye"="C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2008-05-30 14:45 4501912]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-05-15 16:11 3644464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\windows\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"NvMediaCenter"="C:\windows\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-03 23:27 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
"msacm.ac3filter"= ac3filter.acm
"VIDC.FFDS"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DAEMON Tools.lnk]
backup=C:\WINDOWS\pss\DAEMON Tools.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mohamed^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mohamed^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-07 00:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2006-10-23 02:48 40048 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32\V0250Cvw.dll]
-ra------ 2006-01-18 18:58 204800 C:\WINDOWS\system32\V0250Cvw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--------- 2005-10-27 04:00 299008 C:\Program Files\Creative\Shared Files\CamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2008-07-28 08:08 2610608 C:\Program Files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 12:21 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 02:41 8523776 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 02:41 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-12-03 23:27 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-10-24 23:37 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)
"usnjsvc"=3 (0x3)
"RichVideo"=2 (0x2)
"PREVXAgent"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"IDriverT"=3 (0x3)
"AVG Anti-Spyware Guard"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Internet Download Manager\\IDMan.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

R0 pavboot;pavboot;C:\windows\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 Asapi;Asapi;C:\windows\system32\drivers\Asapi.sys [2002-04-17 21:27]
R2 NinjaVideo Helper.exe;NinjaVideo Helper;C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe [2008-04-10 21:01]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\windows\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S0 Partizan;Partizan;C:\windows\system32\drivers\Partizan.sys []
S3 CEDRIVER53;CEDRIVER53;C:\Program Files\Cheat Engine\dbk32.sys []
S3 Dua1;Dua1;C:\Documents and Settings\Mohamed\Desktop\Maplestory Hacks\Dual Engine\DualEngi.sys []
S3 V0250Dev;Live! Cam Notebook Pro;C:\windows\system32\DRIVERS\V0250Dev.sys [2006-04-05 03:46]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F8B9E5C0-4DCC-CFCF-ABA5-00401D608516}]
C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe
.
Contents of the 'Scheduled Tasks' folder

2008-07-10 C:\windows\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2 - C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
Notify-opnmLeEu - opnmLeEu.dll
MSConfigStartUp-msnmsgr - C:\Program Files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-VirusBursters - C:\Program Files\VirusBursters\virusbursters.exe
MSConfigStartUp-Zone Labs Client - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Mohamed\Application Data\Mozilla\Firefox\Profiles\3de2v76q.default\
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava11.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava12.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava13.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava14.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava32.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npoji610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npnul32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\nppdf32.dll
FF -: plugin - C:\Program Files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 02:05:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-08-04 2:08:40
ComboFix-quarantined-files.txt 2008-08-04 08:07:38

Pre-Run: 23,216,939,008 bytes free
Post-Run: 23,201,193,984 bytes free

380 --- E O F --- 2008-07-10 02:15:20





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:28 AM, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\windows\system32\svchost.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\windows\system32\NOTEPAD.EXE
C:\windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\WINDOWS\Resources\Themes\Crystal.Systema Suite\FindeXer Nightly V1.1.0.3\FindeXer.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?53a22baa9a8b466ba676dad31deb712d
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?53a22baa9a8b466ba676dad31deb712d
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NinjaVideo Helper (NinjaVideo Helper.exe) - NinjaVideo - C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\windows\system32\spoolsv.exe (file missing)

--
End of file - 5084 bytes
Old 08-05-2008, 04:50 AM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Explorer.exe Keeps Closing

Hello diddy89,

Try once again to install the Recovery Console. Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named, next to ComboFix.exe.

--------------------------------------------------------------------

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'NO'. We want to exit ComboFix.

Please post the log it produces.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 08-05-2008, 01:59 PM   #6 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 16
OS: Windows Vista


Re: Explorer.exe Keeps Closing

It didn't work. I have Win XP Pro SP2 and I downloaded that one, but after it does the registry back-up thing a window pops up and says "boot partition can not be enumerated correctly". I tried using the Home version for the heck of it, but no luck.
Old 08-05-2008, 02:01 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Explorer.exe Keeps Closing

Please run this tool--it will only take a moment.

Download BootCheck.exe to your desktop.
  • Double click BootCheck.exe to run the check.
  • When complete, a Notepad window will open with some text in it.
  • Save the Notepad file to your desktop as BootCheck.txt.
  • Copy the contents of BootCheck.txt and post it in your next reply.
Old 08-05-2008, 02:52 PM   #8 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 16
OS: Windows Vista


Re: Explorer.exe Keeps Closing

Sorry for the delay, here it is.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !

Contents of boot.ini:
Old 08-05-2008, 06:29 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Explorer.exe Keeps Closing

Hello diddy89,

Open Notepad and copy/paste the following text in the quote box:

Quote:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
Save it as boot.ini, directly to your C:\ drive.

Do not reboot the machine yet!

Run BootCheck.exe again and post the log it produces.

Again--do not reboot until I give you the OK.

Last edited by Ried; 08-05-2008 at 06:47 PM.
Old 08-05-2008, 06:45 PM   #10 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 16
OS: Windows Vista


Re: Explorer.exe Keeps Closing

So here's the log it produced, and no, I didn't see the old post in time, so I used the "corrected version".

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !

Contents of C:\boot.ini:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

Last edited by diddy89; 08-05-2008 at 06:47 PM.
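A small checker, added here as an illustration and not part of the thread or of the BootCheck tool, that reads a boot.ini the way the BootCheck reports above are read: it confirms that the [boot loader] default resolves to an [operating systems] entry and reports whether a Recovery Console entry is present. RIED_TEMPLATE is the boot.ini posted above; WITH_CMDCONS is a constructed variant carrying the /cmdcons entry that the KB310994 Recovery Console installer writes.

```python
"""Sanity-check a Windows XP boot.ini: does the [boot loader] default resolve
to an [operating systems] entry, and is a Recovery Console entry present?"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The Recovery Console installer adds an [operating systems] line whose
# options carry the /cmdcons switch; that switch is what we look for.
CMDCONS_SWITCH = "/cmdcons"

# boot.ini as posted in the thread above.
RIED_TEMPLATE = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

# Constructed sample: the same boot.ini after a Recovery Console install
# (timeout=2 as in the ComboFix output above, plus the CMDCONS entry).
WITH_CMDCONS = """[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\\CMDCONS\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""


@dataclass
class BootIniReport:
    timeout: Optional[int] = None
    default: Optional[str] = None
    # ARC path (or boot-sector file) -> quoted title plus switches, as written
    systems: Dict[str, str] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)

    @property
    def has_recovery_console(self) -> bool:
        return any(CMDCONS_SWITCH in opts.lower() for opts in self.systems.values())

    @property
    def default_resolves(self) -> bool:
        return self.default is not None and self.default in self.systems


def parse_boot_ini(text: str) -> BootIniReport:
    """Parse boot.ini text and collect anything that would stop it booting."""
    report = BootIniReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if "=" not in line:
            report.problems.append(f"unparseable line: {line!r}")
            continue
        # Split on the first '=' only: OS entries contain '=' inside
        # switches such as /noexecute=optin.
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "boot loader":
            if key.lower() == "timeout":
                try:
                    report.timeout = int(value)
                except ValueError:
                    report.problems.append(f"timeout is not an integer: {value!r}")
            elif key.lower() == "default":
                report.default = value
        elif section == "operating systems":
            report.systems[key] = value
        else:
            report.problems.append(f"entry outside a known section: {line!r}")

    if not report.systems:
        report.problems.append("no [operating systems] entries: boot.ini is empty or missing")
    if report.default is None:
        report.problems.append("no default= line in [boot loader]")
    elif not report.default_resolves:
        report.problems.append(f"default {report.default!r} matches no [operating systems] entry")
    return report


def summarize(text: str) -> str:
    """One-line verdict in the spirit of the BootCheck banner."""
    report = parse_boot_ini(text)
    console = "installed" if report.has_recovery_console else "NOT installed"
    state = "OK" if not report.problems else "; ".join(report.problems)
    return f"Recovery Console {console}; boot.ini {state}"
```

Feeding it an empty string reproduces the first BootCheck result above (no Recovery Console, nothing under "Contents of boot.ini").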
Old 08-05-2008, 06:54 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Explorer.exe Keeps Closing

Good, now try again to drag and drop the Microsoft download into ComboFix.exe.

After you receive the message that the Recovery Console has been installed, click 'No' to exit ComboFix.

Post the log it produces.
Old 08-05-2008, 07:08 PM   #12 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 16
OS: Windows Vista


Re: Explorer.exe Keeps Closing

Okay, so it worked. Here's the log:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
Old 08-05-2008, 07:13 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Explorer.exe Keeps Closing



Nice work. Now please run another online scan at Panda so we can see what remains.

Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log in your next reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan
Old 08-05-2008, 11:18 PM   #14 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 16
OS: Windows Vista


Re: Explorer.exe Keeps Closing

Okay, it took a while but it's done. Log attached.
Attached Files
File Type: txt ActiveScan.txt (11.9 KB, 3 views)
Old 08-06-2008, 10:12 PM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Explorer.exe Keeps Closing

Panda is only reporting undesirable cookies, backups created during the course of this fix, and items located in C:\System Volume Information\, which is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache shortly.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will clear out the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
Old 08-06-2008, 11:34 PM   #16 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 16
OS: Windows Vista


Re: Explorer.exe Keeps Closing

Thanks so much Ried, everything looks back to normal. It took a while, but it was well worth the wait, man. Thanks for your patience and time. PEACE
Old 08-07-2008, 04:14 AM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Explorer.exe Keeps Closing

You're welcome, diddy89. Take care.
 





Copyright 2001 - 2009, Tech Support Forum