Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
11-08-2008, 01:56 AM   #1
Registered User
Join Date: Nov 2008
Posts: 8
OS: Windows XP Service Pack 3


Windows Keeps Restarting

Hi, I have a serious suspected malware problem.

Every time I click to shut the computer down, it keeps restarting instead of shutting down. I have a Windows XP Service Pack 3 operating system. This problem started only 2 days ago.

I believe the cause of the problem was that I opened an email postcard on Facebook from somebody else (whose identity had been hacked), and viruses came out, including trojans like a Win 32/BHO. NJE TROJAN on file C:\WINDOWS\Temp\win23CF.tmp

Another cause could be that I installed trial video joiner software, then uninstalled it, but it came up with popups asking whether I should delete certain shared files in System32. However, I don't believe it is the actual cause because I answered 'No' to all the popups.

I believe there is a certain file in my system that periodically spams out more than 10 files in the registry key that is trying to attack System32 files such as the Windows cmd. I am currently stalling it using the antivirus programs NOD32 & a free edition of SUPERAntiSpyware, which keeps picking up files such as:
HKLM\SOFTWARE\Microsoft\MSSMGR & HKLM\SOFTWARE\Microsoft\MSSMGR#Data (presumably inside the registry key)

I have run the RSIT & GMER scans as advised. I have also uninstalled P2P software including LimeWire & BitComet as advised. I have both the gmer.txt logs & info.txt logs with the log.txt in them. Please note, some of these logs contain information regarding Eset & Digidesign. This is because I have Pro Tools on my computer. However, they are not part of the virus cause.

The following is the GMER log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-08 18:40:37
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB6693F20]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )

Device \FileSystem\Fastfat \Fat B55D7D20

AttachedDevice \FileSystem\Fastfat \Fat DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat amon.sys (Amon monitor/Eset )

---- EOF - GMER 1.0.14 ----


Now the info log:

info.txt logfile of random's system information tool 1.04 2008-11-08 18:40:56

======Uninstall list======

-->C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AC3Filter (remove only)-->C:\Program Files\AC3Filter\uninstall.exe
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Atheros Communications Inc.(R) L1 Gigabit Ethernet Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6E19F210-3813-4002-B561-94D66AA182B6}\Setup.exe" -l0x9 -removeonly
BA Installer-->MsiExec.exe /I{EDA0FFC5-7964-4E2F-9014-693F04695933}
Canon PIXMA iP1000-->C:\WINDOWS\system32\CNMCP6e.exe "-PRINTERNAMECanon PIXMA iP1000" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000 Installer\Inst2\cnmi0409.dll"
Counter-Strike: Source-->"C:\Program Files\Steam\steam.exe" steam://uninstall/240
Digidesign Free Bomb Factory Plug-Ins 7.4-->C:\Program Files\InstallShield Installation Information\{82D48AB1-8E7F-4AA5-A5FA-47FA58A48110}\Setup.exe -runfromtemp -l0x0009 FromUninstall -removeonly
Digidesign Pro Tools LE 7.4-->C:\Program Files\InstallShield Installation Information\{409A13BD-5F3E-442B-BA7B-A1E32B2D8927}\setup.exe -runfromtemp -l0x0009 -removeonly
Digidesign Shared Plug-Ins 7.4-->C:\Program Files\InstallShield Installation Information\{AFE354A5-640F-4A23-94C8-0B441E8967CA}\Setup.exe -runfromtemp -l0x0009 FromUninstall -removeonly
Digidesign Structure Free 1.0.5316-->"C:\Program Files\Digidesign\Structure\unins000.exe"
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
Ease Audio Converter 4.80-->"C:\Program Files\easetech\EaseAudioConverter\unins000.exe"
Easy-WebPrint-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Interlok driver setup x32-->MsiExec.exe /X{25613C10-27D2-410B-942B-D922D5C3A7BE}
Java(TM) 6 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
marvell 61xx-->C:\Program Files\Marvell\61xx\uninst-61xx.exe
McAfee SiteAdvisor-->C:\Program Files\McAfee\SiteAdvisor\Uninstall.exe
McAfee SiteAdvisor-->C:\Program Files\SiteAdvisor\6261\uninstall.exe
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Nero 8 Essentials-->MsiExec.exe /X{523DF39E-DF7D-488F-8022-783946571033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NOD32 antivirus system-->C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX v2.1-->"C:\Program Files\Eset\unins000.exe"
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Reason 3.0-->"C:\Program Files\Propellerhead\Reason\Uninstall Reason\unins000.exe"
Sibelius 5-->MsiExec.exe /I{C23B8C30-E05E-4CB5-8188-F27CC3B2DD3E}
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
VCRedistSetup-->MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Xpand!-->"C:\Program Files\Digidesign\unins000.exe"

======Security center information======

AV: Eset NOD32 antivirus system 2.51

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------

Logfile of random's system information tool 1.04 (written by random/random)
Run by Administrator at 2008-11-08 18:40:54
Microsoft Windows XP Professional Service Pack 3
System drive C: has 116 GB (76%) free of 153 GB
Total RAM: 2047 MB (82% free)

HijackThis download failed

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{089FD14D-132B-48FC-8861-0048AE113215}]
C:\Program Files\SiteAdvisor\6261\SiteAdv.dll [2008-05-17 927008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-21 328752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-06-03 121632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0BF43445-2F28-4351-9252-17FE6E806AA0} - McAfee SiteAdvisor - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll [2008-05-17 927008]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2004-08-26 405504]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-06-03 121632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-05-02 13529088]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"SiteAdvisor"=C:\Program Files\SiteAdvisor\6261\SiteAdv.exe [2008-05-17 36640]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-03-22 16126464]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2005-12-07 30208]
"OPSE reminder"=C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe -r C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini []
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-05-02 86016]
"nod32kui"=C:\Program Files\Eset\nod32kui.exe [2008-06-26 921600]
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2007-03-01 153136]
"LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2006-04-13 49152]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-04 69632]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]
"DigidesignMMERefresh"=C:\Program Files\Digidesign\Drivers\MMERefresh.exe [2007-10-30 77824]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-05-28 1506544]
"LightScribe Control Panel"=C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden []

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2007-04-19 294912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winrkp32]
C:\WINDOWS\system32\winrkp32.dll [2008-11-07 32256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"ForceClassicControlPanel"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Steam\steamapps\hoplite1000\counter-strike source\hl2.exe"="C:\Program Files\Steam\steamapps\hoplite1000\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\spectrum_domain\counter-strike source\hl2.exe"="C:\Program Files\Steam\steamapps\spectrum_domain\counter-strike source\hl2.exe:*:Disabled:hl2"
"C:\Program Files\Steam\steamapps\common\dawn of war soulstorm demo\Soulstorm.exe"="C:\Program Files\Steam\steamapps\common\dawn of war soulstorm demo\Soulstorm.exe:*:Enabled:Soulstorm"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\BitComet\BitComet.exe"="C:\Program Files\BitComet\BitComet.exe:*:Disabled:BitComet - a BitTorrent Client"
"C:\Program Files\BitLord\BitLord.exe"="C:\Program Files\BitLord\BitLord.exe:*:Enabled:BitLord"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\WINDOWS\system32\winver.exe"="C:\WINDOWS\system32\winver.exe:*:Enabled:winver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======List of files/folders created in the last 1 months======

2008-11-08 18:40:55 ----D---- C:\Program Files\trend micro
2008-11-08 18:40:54 ----D---- C:\rsit
2008-11-08 18:30:01 ----A---- C:\WINDOWS\gmer.ini
2008-11-08 18:30:00 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-11-08 18:30:00 ----A---- C:\WINDOWS\gmer.exe
2008-11-08 18:30:00 ----A---- C:\WINDOWS\gmer.dll
2008-11-07 10:40:48 ----A---- C:\WINDOWS\system32\AVERM.dll
2008-11-07 10:40:48 ----A---- C:\WINDOWS\system32\AVEQT.dll
2008-11-07 06:53:25 ----A---- C:\WINDOWS\system32\winrkp32.dll
2008-10-29 19:51:29 ----D---- C:\PROTOOLS LOOPS
2008-10-28 19:23:43 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Propellerhead Software
2008-10-28 19:23:43 ----D---- C:\Documents and Settings\Administrator\Application Data\Propellerhead Software
2008-10-28 19:23:43 ----A---- C:\WINDOWS\system32\ReWire.dll
2008-10-28 19:22:52 ----D---- C:\Program Files\Propellerhead
2008-10-28 19:02:14 ----D---- C:\Program Files\InterLok
2008-10-28 19:02:12 ----D---- C:\WINDOWS\Downloaded Installations
2008-10-28 19:00:56 ----A---- C:\WINDOWS\system32\Digi32.dll
2008-10-28 19:00:08 ----A---- C:\WINDOWS\system32\msvcr70.dll
2008-10-28 19:00:08 ----A---- C:\WINDOWS\system32\msvcp70.dll
2008-10-28 19:00:07 ----N---- C:\WINDOWS\system32\ilinet.dll
2008-10-28 19:00:07 ----A---- C:\WINDOWS\system32\REX Shared Library.dll
2008-10-28 19:00:07 ----A---- C:\WINDOWS\system32\qtmlClient.dll
2008-10-28 19:00:07 ----A---- C:\WINDOWS\system32\MFC71u.dll
2008-10-28 19:00:07 ----A---- C:\WINDOWS\system32\MFC71KOR.DLL
2008-10-28 19:00:07 ----A---- C:\WINDOWS\system32\MFC71JPN.DLL
2008-10-28 19:00:07 ----A---- C:\WINDOWS\system32\MFC71ITA.DLL
2008-10-28 19:00:07 ----A---- C:\WINDOWS\system32\MFC71FRA.DLL
2008-10-28 19:00:07 ----A---- C:\WINDOWS\system32\MFC71ESP.DLL
2008-10-28 19:00:07 ----A---- C:\WINDOWS\system32\MFC71ENU.DLL
2008-10-28 19:00:07 ----A---- C:\WINDOWS\system32\MFC71DEU.DLL
2008-10-28 19:00:07 ----A---- C:\WINDOWS\system32\MFC71CHT.DLL
2008-10-28 19:00:07 ----A---- C:\WINDOWS\system32\MFC71CHS.DLL
2008-10-28 19:00:07 ----A---- C:\WINDOWS\system32\mfc70.dll
2008-10-28 19:00:07 ----A---- C:\WINDOWS\system32\atl71.dll
2008-10-28 19:00:02 ----A---- C:\WINDOWS\system32\mbx2midu.dll
2008-10-28 19:00:02 ----A---- C:\WINDOWS\system32\dgfwdio.dll
2008-10-28 18:59:55 ----D---- C:\Program Files\Digidesign
2008-10-28 18:59:55 ----A---- C:\WINDOWS\system32\WinMMFix.dll
2008-10-28 18:59:55 ----A---- C:\WINDOWS\system32\DSI.dll
2008-10-28 18:59:55 ----A---- C:\WINDOWS\system32\DirectIO.dll
2008-10-28 18:59:55 ----A---- C:\WINDOWS\system32\Diomidi.DLL
2008-10-28 18:59:55 ----A---- C:\WINDOWS\system32\DigiPlatformSupport.dll
2008-10-28 18:59:55 ----A---- C:\WINDOWS\system32\digicoin.dll
2008-10-28 10:48:22 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Structure
2008-10-27 22:52:45 ----D---- C:\Documents and Settings\Administrator\Application Data\Digidesign
2008-10-27 22:52:33 ----D---- C:\Digidesign Databases
2008-10-27 22:52:16 ----D---- C:\Program Files\Common Files\PACE Anti-Piracy
2008-10-27 22:52:16 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\PACE Anti-Piracy
2008-10-27 22:52:16 ----D---- C:\Documents and Settings\Administrator\Application Data\PACE Anti-Piracy
2008-10-27 22:35:23 ----D---- C:\Program Files\Common Files\Digidesign
2008-10-27 21:58:01 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2008-10-27 21:58:00 ----A---- C:\WINDOWS\system32\mucltui.dll
2008-10-27 21:57:40 ----D---- C:\Program Files\xerox
2008-10-27 21:57:38 ----D---- C:\WINDOWS\system32\xircom
2008-10-27 21:57:38 ----D---- C:\Program Files\microsoft frontpage
2008-10-27 21:57:24 ----A---- C:\WINDOWS\system32\wmpns.dll
2008-10-27 21:56:55 ----D---- C:\WINDOWS\Prefetch
2008-10-27 21:51:09 ----N---- C:\WINDOWS\system32\msxml6r.dll
2008-10-27 21:51:09 ----N---- C:\WINDOWS\system32\msxml6.dll
2008-10-27 21:50:56 ----N---- C:\WINDOWS\system32\rwnh.dll
2008-10-27 21:50:56 ----N---- C:\WINDOWS\system32\comsdupd.exe
2008-10-27 21:50:55 ----N---- C:\WINDOWS\system32\smtpapi.dll
2008-10-27 21:50:54 ----N---- C:\WINDOWS\system32\ati3d1ag.dll
2008-10-27 21:50:54 ----N---- C:\WINDOWS\system32\ati2dvag.dll
2008-10-27 21:50:54 ----N---- C:\WINDOWS\system32\ati2dvaa.dll
2008-10-27 21:50:54 ----N---- C:\WINDOWS\system32\ati2cqag.dll
2008-10-27 21:50:54 ----N---- C:\WINDOWS\system32\aaclient.dll
2008-10-27 21:50:53 ----N---- C:\WINDOWS\system32\dot3ui.dll
2008-10-27 21:50:53 ----N---- C:\WINDOWS\system32\dot3svc.dll
2008-10-27 21:50:53 ----N---- C:\WINDOWS\system32\dot3msm.dll
2008-10-27 21:50:53 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2008-10-27 21:50:53 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2008-10-27 21:50:53 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2008-10-27 21:50:53 ----N---- C:\WINDOWS\system32\dot3api.dll
2008-10-27 21:50:53 ----N---- C:\WINDOWS\system32\dimsroam.dll
2008-10-27 21:50:53 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2008-10-27 21:50:53 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2008-10-27 21:50:53 ----N---- C:\WINDOWS\system32\credssp.dll
2008-10-27 21:50:53 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2008-10-27 21:50:53 ----N---- C:\WINDOWS\system32\azroles.dll
2008-10-27 21:50:53 ----N---- C:\WINDOWS\system32\ativvaxx.dll
2008-10-27 21:50:53 ----N---- C:\WINDOWS\system32\ativtmxx.dll
2008-10-27 21:50:53 ----N---- C:\WINDOWS\system32\ati3duag.dll
2008-10-27 21:50:52 ----N---- C:\WINDOWS\system32\hsfcisp2.dll
2008-10-27 21:50:52 ----N---- C:\WINDOWS\system32\eapsvc.dll
2008-10-27 21:50:52 ----N---- C:\WINDOWS\system32\eapqec.dll
2008-10-27 21:50:52 ----N---- C:\WINDOWS\system32\eappprxy.dll
2008-10-27 21:50:52 ----N---- C:\WINDOWS\system32\eapphost.dll
2008-10-27 21:50:52 ----N---- C:\WINDOWS\system32\eappgnui.dll
2008-10-27 21:50:52 ----N---- C:\WINDOWS\system32\eappcfg.dll
2008-10-27 21:50:52 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2008-10-27 21:50:52 ----N---- C:\WINDOWS\system32\eapolqec.dll
2008-10-27 21:50:51 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-10-27 21:50:51 ----N---- C:\WINDOWS\system32\mdmxsdk.dll
2008-10-27 21:50:51 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2008-10-27 21:50:51 ----N---- C:\WINDOWS\system32\kmsvc.dll
2008-10-27 21:50:51 ----N---- C:\WINDOWS\system32\kbdpash.dll
2008-10-27 21:50:51 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2008-10-27 21:50:51 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2008-10-27 21:50:51 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2008-10-27 21:50:50 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
2008-10-27 21:50:50 ----N---- C:\WINDOWS\system32\onex.dll
2008-10-27 21:50:50 ----N---- C:\WINDOWS\system32\napstat.exe
2008-10-27 21:50:50 ----N---- C:\WINDOWS\system32\napmontr.dll
2008-10-27 21:50:50 ----N---- C:\WINDOWS\system32\napipsec.dll
2008-10-27 21:50:50 ----N---- C:\WINDOWS\system32\mtxparhd.dll
2008-10-27 21:50:50 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2008-10-27 21:50:50 ----N---- C:\WINDOWS\system32\mssha.dll
2008-10-27 21:50:50 ----N---- C:\WINDOWS\system32\mmcperf.exe
2008-10-27 21:50:50 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2008-10-27 21:50:50 ----N---- C:\WINDOWS\system32\mmcex.dll
2008-10-27 21:50:49 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
2008-10-27 21:50:49 ----N---- C:\WINDOWS\system32\windowscodecs.dll
2008-10-27 21:50:49 ----N---- C:\WINDOWS\system32\verclsid.exe
2008-10-27 21:50:49 ----N---- C:\WINDOWS\system32\tzchange.exe
2008-10-27 21:50:49 ----N---- C:\WINDOWS\system32\tspkg.dll
2008-10-27 21:50:49 ----N---- C:\WINDOWS\system32\tsgqec.dll
2008-10-27 21:50:49 ----N---- C:\WINDOWS\system32\slserv.exe
2008-10-27 21:50:49 ----N---- C:\WINDOWS\system32\slrundll.exe
2008-10-27 21:50:49 ----N---- C:\WINDOWS\system32\slgen.dll
2008-10-27 21:50:49 ----N---- C:\WINDOWS\system32\slextspk.dll
2008-10-27 21:50:49 ----N---- C:\WINDOWS\system32\slcoinst.dll
2008-10-27 21:50:49 ----N---- C:\WINDOWS\system32\setupn.exe
2008-10-27 21:50:49 ----N---- C:\WINDOWS\system32\s3gnb.dll
2008-10-27 21:50:49 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2008-10-27 21:50:49 ----N---- C:\WINDOWS\system32\rasqec.dll
2008-10-27 21:50:49 ----N---- C:\WINDOWS\system32\qutil.dll
2008-10-27 21:50:49 ----N---- C:\WINDOWS\system32\qcliprov.dll
2008-10-27 21:50:49 ----N---- C:\WINDOWS\system32\qagentrt.dll
2008-10-27 21:50:49 ----N---- C:\WINDOWS\system32\qagent.dll
2008-10-27 21:50:48 ----N---- C:\WINDOWS\system32\xmllite.dll
2008-10-27 21:50:48 ----N---- C:\WINDOWS\system32\wmphoto.dll
2008-10-27 21:50:48 ----N---- C:\WINDOWS\system32\wlanapi.dll
2008-10-27 21:50:47 ----N---- C:\WINDOWS\system32\xpsp3res.dll
2008-10-27 21:50:47 ----N---- C:\WINDOWS\slrundll.exe
2008-10-27 21:50:47 ----D---- C:\WINDOWS\system32\scripting
2008-10-27 21:50:47 ----D---- C:\WINDOWS\system32\en-us
2008-10-27 21:50:46 ----D---- C:\WINDOWS\system32\en
2008-10-27 21:50:46 ----D---- C:\WINDOWS\l2schemas
2008-10-27 21:50:45 ----D---- C:\WINDOWS\system32\bits
2008-10-27 21:48:36 ----D---- C:\WINDOWS\ServicePackFiles
2008-10-27 21:46:33 ----D---- C:\WINDOWS\network diagnostic
2008-10-27 21:45:41 ----A---- C:\WINDOWS\002555_.tmp
2008-10-27 21:43:53 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2008-10-25 08:48:21 ----D---- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-10-15 23:53:53 ----D---- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-10-15 23:42:50 ----D---- C:\Program Files\Common Files\Apple
2008-10-15 23:42:46 ----D---- C:\Program Files\QuickTime
2008-10-15 23:42:45 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-10-15 23:42:35 ----D---- C:\Program Files\Apple Software Update
2008-10-15 23:42:35 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple

======List of files/folders modified in the last 1 months======

2008-11-08 18:40:55 ----RD---- C:\Program Files
2008-11-08 18:35:14 ----D---- C:\WINDOWS\Temp
2008-11-08 18:30:01 ----D---- C:\WINDOWS
2008-11-08 18:30:00 ----D---- C:\WINDOWS\system32\drivers
2008-11-08 14:17:12 ----A---- C:\WINDOWS\NeroDigital.ini
2008-11-08 12:55:07 ----D---- C:\Documents and Settings\Administrator\Application Data\Any Video Converter
2008-11-07 20:38:32 ----D---- C:\AudioConverter
2008-11-07 20:38:23 ----A---- C:\WINDOWS\AudioConverter.INI
2008-11-07 20:38:07 ----A---- C:\WINDOWS\aceg.ini
2008-11-07 19:53:46 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-07 11:28:33 ----D---- C:\Program Files\Steam
2008-11-07 10:40:48 ----D---- C:\WINDOWS\system32
2008-11-07 10:00:09 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\SiteAdvisor
2008-11-07 07:00:51 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-06 21:36:43 ----D---- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-11-06 18:28:44 ----D---- C:\Program Files\McAfee
2008-11-06 18:28:40 ----HD---- C:\WINDOWS\inf
2008-11-06 09:26:28 ----D---- C:\WINDOWS\Debug
2008-11-06 09:26:24 ----D---- C:\WINDOWS\system32\DllCache
2008-11-05 20:26:03 ----ASD---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft
2008-11-03 20:12:30 ----D---- C:\Downloads
2008-10-28 19:17:35 ----AD---- C:\Program Files\Common Files\System
2008-10-28 19:05:00 ----D---- C:\Program Files\Outlook Express
2008-10-28 19:04:59 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-10-28 19:02:19 ----SHD---- C:\WINDOWS\Installer
2008-10-28 19:02:19 ----SHD---- C:\Config.Msi
2008-10-28 19:02:18 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-10-28 18:42:02 ----D---- C:\WINDOWS\system32\config
2008-10-28 18:41:48 ----D---- C:\WINDOWS\system32\wbem
2008-10-28 18:41:48 ----D---- C:\WINDOWS\Registration
2008-10-28 18:18:07 ----HD---- C:\Program Files\InstallShield Installation Information
2008-10-27 22:52:16 ----D---- C:\Program Files\Common Files
2008-10-27 22:10:56 ----D---- C:\WINDOWS\$hf_mig$
2008-10-27 21:58:36 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-27 21:57:53 ----A---- C:\WINDOWS\OEWABLog.txt
2008-10-27 21:57:36 ----A---- C:\WINDOWS\setuplog.txt
2008-10-27 21:56:33 ----D---- C:\WINDOWS\system32\Setup
2008-10-27 21:56:33 ----D---- C:\WINDOWS\AppPatch
2008-10-27 21:56:31 ----RSD---- C:\WINDOWS\Fonts
2008-10-27 21:55:36 ----D---- C:\WINDOWS\security
2008-10-27 21:53:01 ----D---- C:\WINDOWS\system32\CatRoot
2008-10-27 21:51:16 ----D---- C:\WINDOWS\WinSxS
2008-10-27 21:51:13 ----D---- C:\Program Files\Messenger
2008-10-27 21:51:09 ----D---- C:\Program Files\Windows Media Player
2008-10-27 21:50:55 ----D---- C:\WINDOWS\system32\inetsrv
2008-10-27 21:50:55 ----D---- C:\WINDOWS\ime
2008-10-27 21:50:55 ----D---- C:\WINDOWS\Help
2008-10-27 21:50:47 ----D---- C:\WINDOWS\system32\usmt
2008-10-27 21:50:46 ----D---- C:\Program Files\Internet Explorer
2008-10-27 21:50:45 ----D---- C:\WINDOWS\PeerNet
2008-10-27 21:50:45 ----D---- C:\Program Files\Movie Maker
2008-10-27 21:48:22 ----D---- C:\WINDOWS\system32\Restore
2008-10-27 21:48:22 ----D---- C:\WINDOWS\system32\npp
2008-10-27 21:48:22 ----D---- C:\WINDOWS\mui
2008-10-27 21:48:21 ----D---- C:\WINDOWS\msagent
2008-10-27 21:48:20 ----D---- C:\WINDOWS\srchasst
2008-10-27 21:48:19 ----D---- C:\Program Files\NetMeeting
2008-10-27 21:48:18 ----D---- C:\WINDOWS\system32\Com
2008-10-27 21:48:15 ----D---- C:\Program Files\Windows NT
2008-10-27 21:47:57 ----D---- C:\WINDOWS\system32\oobe
2008-10-27 21:47:54 ----D---- C:\WINDOWS\system
2008-10-27 21:43:52 ----D---- C:\WINDOWS\ehome
2008-10-25 08:49:36 ----D---- C:\WINDOWS\Minidump
2008-10-25 08:23:51 ----A---- C:\WINDOWS\win.ini
2008-10-25 08:20:12 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-10-25 03:51:04 ----D---- C:\WINDOWS\nview
2008-10-24 22:58:27 ----D---- C:\WINDOWS\SoftwareDistribution
2008-10-23 0934 ----D---- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]
R2 AMON;AMON; \??\C:\WINDOWS\system32\drivers\amon.sys []
R2 DigiNet;Digidesign Ethernet Support; C:\WINDOWS\system32\DRIVERS\diginet.sys [2007-10-31 16400]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller; C:\WINDOWS\system32\DRIVERS\l151x86.sys [2007-11-01 36864]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-03-27 4395008]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-23 12160]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-14 5810]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-05-02 6554496]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S3 dalwdmservice;dal service; C:\WINDOWS\system32\drivers\dalwdm.sys [2007-10-31 97808]
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-11-08 85969]
S3 MBX2DFU;MBX2DFU; C:\WINDOWS\SYSTEM32\DRIVERS\MBX2DFU.sys [2007-10-31 21648]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver; C:\WINDOWS\system32\drivers\mbx2midk.sys [2007-10-31 21904]
S3 MusCAudio;MusCAudio; C:\WINDOWS\system32\drivers\MusCAudio.sys [2008-10-24 23096]
S3 MusCVideo;MusCVideo; C:\WINDOWS\system32\DRIVERS\MusCVideo.sys [2008-10-24 3768]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2004-08-11 18944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 DigiRefresh;Digidesign MME Refresh Service; C:\Program Files\Digidesign\Drivers\MMERefresh.exe [2007-10-30 77824]
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3; C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe [2007-09-20 853288]
R2 NOD32krn;NOD32 Kernel Service; C:\Program Files\Eset\nod32krn.exe [2008-06-26 507904]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-05-02 159812]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared files\RichVideo.exe [2005-08-08 167936]
R2 SiteAdvisor Service;SiteAdvisor Service; C:\Program Files\SiteAdvisor\6261\SAService.exe [2008-06-26 345376]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 digiSPTIService;digiSPTIService; C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe [2007-10-30 159744]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2006-09-12 724992]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2007-10-15 382248]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------

I hope this is enough to give you clues. I will wait patiently for your response. Thank you.

Peter
Siphonblaster is offline  

Old 11-08-2008, 09:08 AM   #2 (permalink)
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 557
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: Windows Keeps Restarting

Please download ComboFix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post back the following on your next reply:

C:\ComboFix.txt
New HijackThis log.
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978

Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance

1972vet is offline  
Old 11-09-2008, 01:26 AM   #3 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: Windows XP Service Pack 3


Re: Windows Keeps Restarting

Thank you for your response.

I have run the ComboFix scan at your request. The following is the log report from ComboFix:


ComboFix 08-11-07.01 - Administrator 2008-11-09 19:19:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1706 [GMT 10:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-10-09 to 2008-11-09 )))))))))))))))))))))))))))))))
.

2008-11-08 18:40 . 2008-11-08 18:42 <DIR> d-------- C:\rsit
2008-11-08 18:40 . 2008-11-08 18:40 <DIR> d-------- c:\program files\trend micro
2008-11-08 18:30 . 2008-11-08 18:31 250 --a------ c:\windows\gmer.ini
2008-11-07 10:40 . 2007-04-12 14:19 129,024 --a------ c:\windows\system32\AVERM.dll
2008-11-07 10:40 . 2006-09-26 13:57 28,672 --a------ c:\windows\system32\AVEQT.dll
2008-11-07 06:53 . 2008-11-07 06:53 32,256 --a------ c:\windows\system32\winrkp32.dll
2008-11-06 09:25 . 2008-10-24 11:16 23,096 --a------ c:\windows\system32\drivers\MusCAudio.sys
2008-11-06 09:25 . 2008-10-24 11:16 3,768 --a------ c:\windows\system32\drivers\MusCVideo.sys
2008-10-29 19:51 . 2008-10-29 19:51 <DIR> d-------- C:\PROTOOLS LOOPS
2008-10-28 19:23 . 2008-10-28 19:23 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Propellerhead Software
2008-10-28 19:23 . 2008-10-28 19:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Propellerhead Software
2008-10-28 19:23 . 2008-10-28 19:23 225,280 --a------ c:\windows\system32\ReWire.dll
2008-10-28 19:22 . 2008-10-28 19:22 <DIR> d-------- c:\program files\Propellerhead
2008-10-28 19:02 . 2008-10-28 19:02 <DIR> d-------- c:\windows\Downloaded Installations
2008-10-28 19:02 . 2008-10-28 19:02 <DIR> d-------- c:\program files\InterLok
2008-10-28 19:02 . 2006-12-08 21:50 16,384 --a------ c:\windows\system32\drivers\DigiFilt.sys
2008-10-28 18:59 . 2008-10-28 19:12 <DIR> d-------- c:\program files\Digidesign
2008-10-28 18:59 . 2007-10-31 02:16 3,683,014 --a------ c:\windows\system32\DirectIO.dll
2008-10-28 18:59 . 2007-10-30 23:03 659,456 --a------ c:\windows\system32\DSI.dll
2008-10-28 18:59 . 2007-10-30 22:03 270,336 --a------ c:\windows\system32\DigiPlatformSupport.dll
2008-10-28 18:59 . 2007-10-30 23:35 172,032 --a------ c:\windows\system32\Diomidi.DLL
2008-10-28 18:59 . 2007-10-31 01:15 97,808 --a------ c:\windows\system32\drivers\Dalwdm.sys
2008-10-28 18:59 . 2006-12-08 22:21 90,112 --a------ c:\windows\system32\WinMMFix.dll
2008-10-28 18:59 . 2007-10-31 01:16 16,400 --a------ c:\windows\system32\drivers\diginet.sys
2008-10-28 18:59 . 2007-10-30 23:36 15,872 --a------ c:\windows\system32\digicoin.dll
2008-10-28 10:48 . 2008-10-28 19:11 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Structure
2008-10-27 22:52 . 2008-10-27 22:52 <DIR> d-------- c:\program files\Common Files\PACE Anti-Piracy
2008-10-27 22:52 . 2008-10-28 19:04 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\PACE Anti-Piracy
2008-10-27 22:52 . 2008-10-28 11:10 <DIR> d-------- c:\documents and settings\Administrator\Application Data\PACE Anti-Piracy
2008-10-27 22:52 . 2008-11-09 15:24 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Digidesign
2008-10-27 22:52 . 2008-10-27 22:52 <DIR> d-------- C:\Digidesign Databases
2008-10-27 22:35 . 2008-10-27 22:35 <DIR> d-------- c:\program files\Common Files\Digidesign
2008-10-27 22:35 . 2007-10-31 00:03 1,362,460 --a------ c:\windows\system32\ExpansionHD_Firmware.bin
2008-10-27 21:58 . 2007-07-30 19:19 271,224 --a------ c:\windows\system32\mucltui.dll
2008-10-27 21:58 . 2007-07-30 19:19 30,072 --a------ c:\windows\system32\mucltui.dll.mui
2008-10-27 21:57 . 2008-10-27 21:57 <DIR> d-------- c:\windows\system32\xircom
2008-10-27 21:57 . 2008-10-27 21:57 <DIR> d-------- c:\program files\microsoft frontpage
2008-10-27 21:57 . 2008-04-14 05:42 221,184 --a------ c:\windows\system32\wmpns.dll
2008-10-27 21:50 . 2008-10-27 21:50 <DIR> d-------- c:\windows\system32\scripting
2008-10-27 21:48 . 2008-10-27 21:48 <DIR> d-------- c:\windows\ServicePackFiles
2008-10-27 21:45 . 2006-12-29 00:31 19,569 --a------ c:\windows\002555_.tmp
2008-10-25 08:48 . 2008-10-25 08:48 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2008-10-25 08:46 . 2008-04-14 00:15 60,032 --a------ c:\windows\system32\drivers\usbaudio.sys
2008-10-25 08:46 . 2008-04-14 00:15 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-10-24 23:34 . 2008-09-17 23:55 201,050 --a------ c:\windows\system32\nvapps.nvb
2008-10-15 23:53 . 2008-10-15 23:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-10-15 23:42 . 2008-10-15 23:43 <DIR> d-------- c:\program files\QuickTime
2008-10-15 23:42 . 2008-10-15 23:42 <DIR> d-------- c:\program files\Common Files\Apple
2008-10-15 23:42 . 2008-10-15 23:42 <DIR> d-------- c:\program files\Apple Software Update
2008-10-15 23:42 . 2008-10-15 23:42 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2008-10-15 23:42 . 2008-10-15 23:42 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 02:55 --------- d-----w c:\documents and settings\Administrator\Application Data\Any Video Converter
2008-11-07 01:28 --------- d-----w c:\program files\Steam
2008-11-07 00:00 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\SiteAdvisor
2008-11-06 11:36 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2008-11-06 08:28 --------- d-----w c:\program files\McAfee
2008-11-02 05:15 32,032 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-10-28 08:18 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-22 23:06 --------- d-----w c:\documents and settings\Administrator\Application Data\SiteAdvisor
2008-09-20 07:25 --------- d-----w c:\documents and settings\Administrator\Application Data\Audacity
2008-09-09 09:53 --------- d-----w c:\program files\easetech
2008-05-24 09:03 604 ---ha-w c:\program files\STLL Notifier
2007-11-08 10:05 155,760 --sha-w c:\windows\system32\fiber.exe
2007-11-08 10:05 99,840 --sha-w c:\windows\system32\imapde.dll
2008-03-22 11:32 174,513 --sha-r c:\windows\system32\kinza.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SiteAdvisor"="c:\program files\SiteAdvisor\6261\SiteAdv.exe" [2008-05-17 36640]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-06-26 921600]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-30 77824]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-22 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkp32]
2008-11-07 06:53 32256 c:\windows\system32\winrkp32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"= Digi32.dll
"midi1"= mbx2midu.dll
"MIDI2"= diomidi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\steamapps\\hoplite1000\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\spectrum_domain\\counter-strike source\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19505:TCP"= 19505:TCP:BitComet 19505 TCP
"19505:UDP"= 19505:UDP:BitComet 19505 UDP

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2006-12-08 16384]
R0 mv61xx;mv61xx;c:\windows\system32\DRIVERS\mv61xx.sys [2007-05-25 137728]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\DRIVERS\diginet.sys [2007-10-31 16400]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l151x86.sys [2007-11-01 36864]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\dalwdm.sys [2007-10-31 97808]
S3 MBX2DFU;MBX2DFU;c:\windows\system32\DRIVERS\MBX2DFU.sys [2007-10-31 21648]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [2007-10-31 21904]
S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2008-10-24 23096]
S3 MusCVideo;MusCVideo;c:\windows\system32\DRIVERS\MusCVideo.sys [2008-10-24 3768]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
HKLM-Run-OPSE reminder - c:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com.au/
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 -: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 -: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 -: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 -: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O16 -: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://gamenextus.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
c:\windows\Downloaded Program Files\OberonGameHost_dbg.inf
c:\windows\Downloaded Program Files\OberonGameHost.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 19:20:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\winrkp32.dll
.
Completion time: 2008-11-09 19:21:27
ComboFix-quarantined-files.txt 2008-11-09 09:20:58

Pre-Run: 121,569,349,632 bytes free
Post-Run: 123,043,532,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

185

I await your next instructions patiently. Thank you for your assistance.
Siphonblaster is offline  
Old 11-09-2008, 10:00 AM   #4 (permalink)
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 557
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: Windows Keeps Restarting

Open notepad and copy/paste the text in the quotebox below into it...please be sure to include the link at the top of the quotebox when you copy/paste:
Quote:
http://www.techsupportforum.com/secu...ml#post1793822

Collect::
c:\windows\system32\winrkp32.dll
c:\windows\system32\fiber.exe
c:\windows\system32\imapde.dll
c:\windows\system32\kinza.exe


Suspect::
c:\windows\system32\drivers\MusCAudio.sys
c:\windows\system32\drivers\MusCVideo.sys


File::
c:\windows\002555_.tmp


Folder::
c:\documents and settings\Administrator\Application Data\LimeWire


Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkp32]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19505:TCP"=-
"19505:UDP"=-
Save this as CFScript.txt

Now drag and drop CFScript.txt into the ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

Your Java is out of date and causes a slight security risk as a result.

Please follow these steps to remove older version Java components:
  • Close any open programs you may have running, especially your web browser.
  • Click Start-->Control Panel-->Add or Remove Programs.
  • Click once on any item having Java Runtime Environment in its name, then click the "Remove" button.

Not every version of Java will begin with "Java" so be sure to read each entry in the list.
Repeat the third step above as many times as necessary to remove all versions of Java.

***NOTE***
If you are asked to reboot at any point during the uninstallations, please do so. Then go back to Add/Remove and continue with the rest of the removals...when finished uninstalling all of them, reboot the computer.
  • Navigate to and delete the Java folder: C:\Program Files\Java (if found)
  • Then go to this page.
    Scroll down to where it says "The Java Runtime Environment (JRE) allows end-users to run Java applications" and click the "Download" button to the right. Select the platform for "Windows".
  • Check the box that says: "I agree to the Java SE Runtime Environment # License Agreement", then click Continue...The page will refresh
Then, click on the link to download Windows Offline Installation. Save it to your desktop.
Now, from your desktop, double-click on the executable to install the newest version.
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978

Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance

1972vet is offline  
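The CFScript in the post above is built from a handful of indicators in the ComboFix log posted earlier in the thread: a Winlogon notify package (winrkp32) whose DLL was created two days before the scan and is listed as loaded inside winlogon.exe, three files in system32 carrying hidden+system attributes in the Find3M report (fiber.exe, imapde.dll, kinza.exe), and two firewall exceptions opened globally for BitComet. The same log also shows Security Center notifications switched off. The script below is an added example, not part of ComboFix or of the forum's tooling: it scans a ComboFix-style log for exactly those indicator classes so the triage an analyst does by eye is repeatable. The regular expressions encode assumptions about the log layout as it appears in this thread, and the 14-day "recently created" threshold is an arbitrary choice; the sample input is excerpted from the log in post #3.

```python
"""Triage a ComboFix-style log for the indicators an analyst acts on.
Added example for this thread, not part of ComboFix; the regexes and the
14-day threshold are assumptions based on the log layout shown above."""
import re
from collections import namedtuple
from datetime import datetime

Finding = namedtuple("Finding", "kind item reason")

# Sample input: lines excerpted from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
ComboFix 08-11-07.01 - Administrator 2008-11-09 19:19:12.1 - NTFSx86
2008-05-24 09:03 604 ---ha-w c:\program files\STLL Notifier
2007-11-08 10:05 155,760 --sha-w c:\windows\system32\fiber.exe
2007-11-08 10:05 99,840 --sha-w c:\windows\system32\imapde.dll
2008-03-22 11:32 174,513 --sha-r c:\windows\system32\kinza.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkp32]
2008-11-07 06:53 32256 c:\windows\system32\winrkp32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19505:TCP"= 19505:TCP:BitComet 19505 TCP
"19505:UDP"= 19505:UDP:BitComet 19505 UDP
"""

HEADER_RE = re.compile(r"^ComboFix \S+ - \S+ (\d{4}-\d{2}-\d{2}) ")
# Find3M line: "date time size attrs path"; attrs such as --sha-w mean system+hidden.
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} +([\d,]+|-+) +([a-z-]{7}) +(.+)$")
SECTION_RE = re.compile(r"^\[(.+)\]$")
NOTIFY_KEY_RE = re.compile(r"^\[hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\([^\]]+)\]$", re.I)
# Line under a notify key: "date time size path" of the registered DLL.
NOTIFY_VAL_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} +\d+ +(.+)$")
DWORD_ONE_RE = re.compile(r'^"([^"]+)"=dword:0*1$')
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"= *(.+)$')


def parse_scan_date(log):
    """Date of the scan, taken from the ComboFix header line (None if absent)."""
    for line in log.splitlines():
        m = HEADER_RE.match(line)
        if m:
            return datetime.strptime(m.group(1), "%Y-%m-%d").date()
    return None


def triage(log, recent_days=14):
    """Return the indicators an analyst would review, in log order."""
    scan_date = parse_scan_date(log)
    findings, section, notify_name = [], "", None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            nm = NOTIFY_KEY_RE.match(line)
            notify_name = nm.group(1) if nm else None
            continue
        if notify_name:
            # Notify packages load into winlogon.exe at logon; a DLL that
            # appeared only days before the scan stands out.
            vm = NOTIFY_VAL_RE.match(line)
            if vm and scan_date:
                age = (scan_date - datetime.strptime(vm.group(1), "%Y-%m-%d").date()).days
                if age <= recent_days:
                    findings.append(Finding("winlogon_notify", vm.group(2),
                        f"notify package '{notify_name}' created {age} day(s) before the scan"))
            notify_name = None
            continue
        fm = FIND3M_RE.match(line)
        if fm:
            attrs, path = fm.group(3), fm.group(4)
            # Files (not directories) marked both system and hidden under c:\windows.
            if attrs[0] != "d" and "s" in attrs and "h" in attrs \
                    and path.lower().startswith("c:\\windows\\"):
                findings.append(Finding("hidden_system_file", path,
                                        f"attributes {attrs} on a file under c:\\windows"))
            continue
        if section.endswith("security center"):
            dm = DWORD_ONE_RE.match(line)
            if dm:
                findings.append(Finding("security_center", dm.group(1),
                    "Security Center warning suppressed; confirm a legitimate product did this"))
        elif "globallyopenports" in section:
            pm = PORT_RE.match(line)
            if pm:
                findings.append(Finding("open_port", pm.group(1),
                                        f"firewall exception in the standard profile: {pm.group(2)}"))
    return findings
```

Running `triage(SAMPLE_LOG)` yields nine findings in log order: the three hidden+system files, the winrkp32 notify package (aged two days), the three Security Center overrides and the two BitComet port exceptions, while the SUPERAntiSpyware notify DLL (created in 2007) and the hidden-only "STLL Notifier" entry are left alone. The Security Center values are reported for review rather than as malicious, since some legitimate products set them; the remaining findings map one-to-one onto the Collect:: and Registry:: lines of the script above.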
Old 11-10-2008, 01:20 AM   #5 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: Windows XP Service Pack 3


Re: Windows Keeps Restarting

Hi. The following is the log produced by ComboFix after using the CFScript notepad file as you requested:


ComboFix 08-11-09.01 - Administrator 2008-11-10 19:08:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1699 [GMT 10:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\002555_.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\LimeWire
c:\documents and settings\Administrator\Application Data\LimeWire\active.mojito
c:\documents and settings\Administrator\Application Data\LimeWire\bugs.data
c:\documents and settings\Administrator\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\Administrator\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Administrator\Application Data\LimeWire\downloads.dat
c:\documents and settings\Administrator\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Administrator\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Administrator\Application Data\LimeWire\filters.props
c:\documents and settings\Administrator\Application Data\LimeWire\gnutella.net
c:\documents and settings\Administrator\Application Data\LimeWire\installation.props
c:\documents and settings\Administrator\Application Data\LimeWire\library.dat
c:\documents and settings\Administrator\Application Data\LimeWire\limewire.props
c:\documents and settings\Administrator\Application Data\LimeWire\mojito.props
c:\documents and settings\Administrator\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Administrator\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Administrator\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Administrator\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Administrator\Application Data\LimeWire\questions.props
c:\documents and settings\Administrator\Application Data\LimeWire\responses.cache
c:\documents and settings\Administrator\Application Data\LimeWire\simpp.xml
c:\documents and settings\Administrator\Application Data\LimeWire\spam.dat
c:\documents and settings\Administrator\Application Data\LimeWire\tables.props
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\Administrator\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\Administrator\Application Data\LimeWire\ttrees.cache
c:\documents and settings\Administrator\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Administrator\Application Data\LimeWire\version.xml
c:\documents and settings\Administrator\Application Data\LimeWire\versions.props
c:\documents and settings\Administrator\Application Data\LimeWire\xml\data\audio.sxml2
c:\documents and settings\Administrator\Application Data\LimeWire\xml\data\video.sxml2
c:\windows\002555_.tmp
c:\windows\system32\fiber.exe
c:\windows\system32\imapde.dll
c:\windows\system32\kinza.exe
c:\windows\system32\winrkp32.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.

2008-11-08 18:40 . 2008-11-08 18:42 <DIR> d-------- C:\rsit
2008-11-08 18:40 . 2008-11-08 18:40 <DIR> d-------- c:\program files\trend micro
2008-11-08 18:30 . 2008-11-08 18:31 250 --a------ c:\windows\gmer.ini
2008-11-07 10:40 . 2007-04-12 14:19 129,024 --a------ c:\windows\system32\AVERM.dll
2008-11-07 10:40 . 2006-09-26 13:57 28,672 --a------ c:\windows\system32\AVEQT.dll
2008-11-06 09:25 . 2008-10-24 11:16 23,096 --a------ c:\windows\system32\drivers\MusCAudio.sys
2008-11-06 09:25 . 2008-10-24 11:16 3,768 --a------ c:\windows\system32\drivers\MusCVideo.sys
2008-10-29 19:51 . 2008-10-29 19:51 <DIR> d-------- C:\PROTOOLS LOOPS
2008-10-28 19:23 . 2008-10-28 19:23 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Propellerhead Software
2008-10-28 19:23 . 2008-10-28 19:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Propellerhead Software
2008-10-28 19:23 . 2008-10-28 19:23 225,280 --a------ c:\windows\system32\ReWire.dll
2008-10-28 19:22 . 2008-10-28 19:22 <DIR> d-------- c:\program files\Propellerhead
2008-10-28 19:02 . 2008-10-28 19:02 <DIR> d-------- c:\windows\Downloaded Installations
2008-10-28 19:02 . 2008-10-28 19:02 <DIR> d-------- c:\program files\InterLok
2008-10-28 19:02 . 2006-12-08 21:50 16,384 --a------ c:\windows\system32\drivers\DigiFilt.sys
2008-10-28 18:59 . 2008-10-28 19:12 <DIR> d-------- c:\program files\Digidesign
2008-10-28 18:59 . 2007-10-31 02:16 3,683,014 --a------ c:\windows\system32\DirectIO.dll
2008-10-28 18:59 . 2007-10-30 23:03 659,456 --a------ c:\windows\system32\DSI.dll
2008-10-28 18:59 . 2007-10-30 22:03 270,336 --a------ c:\windows\system32\DigiPlatformSupport.dll
2008-10-28 18:59 . 2007-10-30 23:35 172,032 --a------ c:\windows\system32\Diomidi.DLL
2008-10-28 18:59 . 2007-10-31 01:15 97,808 --a------ c:\windows\system32\drivers\Dalwdm.sys
2008-10-28 18:59 . 2006-12-08 22:21 90,112 --a------ c:\windows\system32\WinMMFix.dll
2008-10-28 18:59 . 2007-10-31 01:16 16,400 --a------ c:\windows\system32\drivers\diginet.sys
2008-10-28 18:59 . 2007-10-30 23:36 15,872 --a------ c:\windows\system32\digicoin.dll
2008-10-28 10:48 . 2008-10-28 19:11 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Structure
2008-10-27 22:52 . 2008-10-27 22:52 <DIR> d-------- c:\program files\Common Files\PACE Anti-Piracy
2008-10-27 22:52 . 2008-10-28 19:04 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\PACE Anti-Piracy
2008-10-27 22:52 . 2008-10-28 11:10 <DIR> d-------- c:\documents and settings\Administrator\Application Data\PACE Anti-Piracy
2008-10-27 22:52 . 2008-11-10 10:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Digidesign
2008-10-27 22:52 . 2008-10-27 22:52 <DIR> d-------- C:\Digidesign Databases
2008-10-27 22:35 . 2008-10-27 22:35 <DIR> d-------- c:\program files\Common Files\Digidesign
2008-10-27 22:35 . 2007-10-31 00:03 1,362,460 --a------ c:\windows\system32\ExpansionHD_Firmware.bin
2008-10-27 21:58 . 2007-07-30 19:19 271,224 --a------ c:\windows\system32\mucltui.dll
2008-10-27 21:58 . 2007-07-30 19:19 30,072 --a------ c:\windows\system32\mucltui.dll.mui
2008-10-27 21:57 . 2008-10-27 21:57 <DIR> d-------- c:\windows\system32\xircom
2008-10-27 21:57 . 2008-10-27 21:57 <DIR> d-------- c:\program files\microsoft frontpage
2008-10-27 21:57 . 2008-04-14 05:42 221,184 --a------ c:\windows\system32\wmpns.dll
2008-10-27 21:50 . 2008-10-27 21:50 <DIR> d-------- c:\windows\system32\scripting
2008-10-27 21:48 . 2008-10-27 21:48 <DIR> d-------- c:\windows\ServicePackFiles
2008-10-25 08:48 . 2008-10-25 08:48 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2008-10-25 08:46 . 2008-04-14 00:15 60,032 --a------ c:\windows\system32\drivers\usbaudio.sys
2008-10-25 08:46 . 2008-04-14 00:15 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-10-24 23:34 . 2008-09-17 23:55 201,050 --a------ c:\windows\system32\nvapps.nvb
2008-10-15 23:53 . 2008-10-15 23:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-10-15 23:42 . 2008-10-15 23:43 <DIR> d-------- c:\program files\QuickTime
2008-10-15 23:42 . 2008-10-15 23:42 <DIR> d-------- c:\program files\Common Files\Apple
2008-10-15 23:42 . 2008-10-15 23:42 <DIR> d-------- c:\program files\Apple Software Update
2008-10-15 23:42 . 2008-10-15 23:42 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2008-10-15 23:42 . 2008-10-15 23:42 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 04:27 --------- d-----w c:\program files\Steam
2008-11-10 04:21 --------- d-----w c:\program files\SUPERAntiSpyware
2008-11-08 02:55 --------- d-----w c:\documents and settings\Administrator\Application Data\Any Video Converter
2008-11-07 00:00 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\SiteAdvisor
2008-11-06 08:28 --------- d-----w c:\program files\McAfee
2008-11-02 05:15 32,032 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-10-28 08:18 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-22 23:06 --------- d-----w c:\documents and settings\Administrator\Application Data\SiteAdvisor
2008-09-20 07:25 --------- d-----w c:\documents and settings\Administrator\Application Data\Audacity
2008-05-24 09:03 604 ---ha-w c:\program files\STLL Notifier
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SiteAdvisor"="c:\program files\SiteAdvisor\6261\SiteAdv.exe" [2008-05-17 36640]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-06-26 921600]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-30 77824]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-22 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"= Digi32.dll
"midi1"= mbx2midu.dll
"MIDI2"= diomidi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\steamapps\\hoplite1000\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\spectrum_domain\\counter-strike source\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2006-12-08 16384]
R0 mv61xx;mv61xx;c:\windows\system32\DRIVERS\mv61xx.sys [2007-05-25 137728]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\DRIVERS\diginet.sys [2007-10-31 16400]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l151x86.sys [2007-11-01 36864]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\dalwdm.sys [2007-10-31 97808]
S3 MBX2DFU;MBX2DFU;c:\windows\system32\DRIVERS\MBX2DFU.sys [2007-10-31 21648]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [2007-10-31 21904]
S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2008-10-24 23096]
S3 MusCVideo;MusCVideo;c:\windows\system32\DRIVERS\MusCVideo.sys [2008-10-24 3768]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 19:11:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\ESET\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\SiteAdvisor\6261\SAService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-11-10 19:15:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-10 09:15:31

Pre-Run: 122,991,222,784 bytes free
Post-Run: 122,982,993,920 bytes free

213


I await your next instructions. Thank you.
Siphonblaster is offline  
Old 11-10-2008, 05:15 AM   #6 (permalink)
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 557
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: Windows Keeps Restarting

That log looks much better. May we see a fresh HijackThis log now please? Also, please advise how the system behaves for you now and what issues you may be experiencing. Thanks!
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978

Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance

1972vet is offline  
Old 11-11-2008, 06:49 AM   #7 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: Windows XP Service Pack 3


Re: Windows Keeps Restarting

Sorry to ask, but do you mean I should run one last ComboFix scan, or an RSIT scan, or a GMER scan?

Otherwise, the computer is perfectly fine and the viruses are gone. I have checked my antivirus software and all the previous detections of trojans have now disappeared.

Thank you for your assistance. It has been greatly appreciated!
Siphonblaster is offline  
Old 11-11-2008, 09:48 AM   #8 (permalink)
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 557
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: Windows Keeps Restarting

Quote:
Sorry to ask, but do you mean I should run one last ComboFix scan, or an RSIT scan, or a GMER scan?
...no, I mean "HijackThis":

Click HERE to download HijackThis.

Click the Download button then select the link to Download HijackThis Installer.

Double click on the HJTInstall.exe then click "Install". It will be installed by default here:
C:\Program Files\Trend Micro\HijackThis

...and a shortcut to the application will also be placed on your Desktop.

The program will open automatically after installation.
You can double click the icon that was placed on the Desktop to run subsequent hijackthis scans or you can use the icon inside the folder.

The folder HijackThis is where you will find the HJT logs that you save. When you use the application to remove anything, you will also find the backup copies made by HJT inside this folder.

Click Do a system scan and save a logfile. Copy and paste the contents of THAT log in your next reply. Thanks!

1972vet is offline  
Old 11-12-2008, 12:06 AM   #9 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: Windows XP Service Pack 3


Re: Windows Keeps Restarting

The following log is from the HijackThis system scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:03:17 PM, on 11/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nLite] %systemroot%\inf\nlite.cmd (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nLite] %systemroot%\inf\nlite.cmd (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1214470099906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1224886787328
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://gamenextus.oberon-media.com/G...onGameHost.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 8111 bytes


Thanks for your assistance. Finally, I would like to ask: a folder named C:\Qoobox is on my C drive containing CFScripts and quarantined files from past viruses. Is it OK now to delete that folder (it only appeared after running ComboFix, not before)?
Siphonblaster is offline  
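A small triage script for the two kinds of log posted in this thread, added here as an example and not part of the original posts or of ComboFix/HijackThis themselves. It does two things a helper does by eye: in a ComboFix "Reg Loading Points" dump it lists the Security Center values set to 1 (the AntiVirusDisableNotify / UpdatesDisableNotify / AntiVirusOverride entries seen in the earlier log, which suppress Security Center warnings), and in a HijackThis 2.0 log it flags the "(no file)" orphan the helper asks to fix, services reported with "Unknown owner", and autostart entries that run from user-writable directories. The sample inputs are constructed for the example (modelled on the logs in the thread; the .tmp autorun is hypothetical), and the function names are this example's own.

```python
"""Triage helpers for a ComboFix registry dump and a HijackThis 2.0 log.
Added example, not code from the thread or from either tool; samples are constructed."""
import re
from typing import List, Tuple

# Constructed sample modelled on the ComboFix "Reg Loading Points" section.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-06-26 921600]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000000
"""

# Constructed sample HijackThis lines; the [svchelper] .tmp entry is hypothetical.
SAMPLE_HJT = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [svchelper] C:\WINDOWS\Temp\svc1A2B.tmp
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
"""

SECURITY_CENTER_KEY = r"[hkey_local_machine\software\microsoft\security center]"


def security_center_overrides(reg_text: str) -> List[str]:
    """Names under the Security Center key whose value is dword 1.

    A value of 1 silences the Security Center warning for that item. Malware
    sets these to hide that it disabled protection, but some third-party
    security suites set them too, so a hit is a prompt to check, not proof.
    """
    hits: List[str] = []
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a new key header
            in_key = line.lower() == SECURITY_CENTER_KEY
            continue
        if in_key:
            m = re.match(r'"([^"]+)"=dword:0*1$', line)
            if m:
                hits.append(m.group(1))
    return hits


# Directories a limited user can write to; legitimate autostarts rarely live here.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\")

Finding = Tuple[str, str, str]  # (entry type, reason, original line)


def triage_hjt(log_text: str) -> List[Finding]:
    """Flag the HijackThis entries a helper looks at first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+) - (.*)$", line)
        if not m:
            continue
        kind, rest = m.groups()
        if kind in ("O2", "O3", "O23"):
            target = rest.rsplit(" - ", 1)[-1]   # last field: the backing file
        elif kind == "O4":
            target = rest.split("] ", 1)[-1]     # after [name]: the command line
        else:
            continue
        tlow = target.lower()
        if tlow == "(no file)":
            findings.append((kind, "orphaned registration, file is gone: fix it", line))
        elif any(d in tlow for d in USER_WRITABLE):
            findings.append((kind, "runs from a user-writable directory: inspect the file", line))
        elif kind == "O23" and "unknown owner" in rest.lower():
            # HJT could not read a company name from the binary; verify, do not assume malware.
            findings.append((kind, "service without a publisher name: verify the file", line))
    return findings


if __name__ == "__main__":
    print("Security Center overrides:", security_center_overrides(SAMPLE_REG))
    for kind, reason, line in triage_hjt(SAMPLE_HJT):
        print(f"{kind}: {reason}\n    {line}")
```

Run against the log above, the script reports only the "(no file)" BHO and the SiteAdvisor service; the latter shows why the "Unknown owner" reason is worded as "verify", since HijackThis prints it whenever it cannot read a company name, and the helper in this thread left that entry alone.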
Old 11-12-2008, 06:19 AM   #10 (permalink)
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 557
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: Windows Keeps Restarting

Very good! You can run HijackThis again and check the box next to this entry:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Close all windows except for hijackthis, then click the Fix Checked button then reboot to properly record the changes made to the hard disk.

Click start-->run...then copy and paste the Bold text below into the run box and click "OK":

ComboFix /u

Performing this function will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again for you automatically.

To assist in the prevention of spyware infections:

Immunize your browser by installing Spywareblaster. What does it do?
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.

Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least (but not more than) one of these types of third party firewalls running on board:
Kerio Personal Firewall
Zone Alarm
Outpost Free
Comodo

Install the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one button "Download Solution" feature that updates the exploited software AND provides other related information/patching if warranted.

Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. We recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Become familiar with the MalwareBytes anti-malware application. Use it often especially if you begin to notice the system performance behavior is not what it should be. Learn more about the program Here where you can also request assistance if you have some concerns about the programs findings.
***Note***
The licensed version provides real time protection and other automatic features otherwise not available.


Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup.

Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

So how did I get infected in the first place?
Regards, and Happy Surfing!

1972vet is offline  
Old 11-14-2008, 07:04 AM   #11 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: Windows XP Service Pack 3


Re: Windows Keeps Restarting

How can I uninstall ComboFix if I've already manually deleted the ComboFix.exe file and the subsequent C-drive folder with it? I know this certain 'USB' A-drive still exists in my computer, and my clock speed hasn't reverted back to normal??? When I type in ComboFix /u, it says that it can't read a ComboFix file, since I've manually deleted it...
Siphonblaster is offline  
Old 11-14-2008, 07:43 AM   #12 (permalink)
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 557
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: Windows Keeps Restarting

Quote:
How can I uninstall ComboFix if I've already manually deleted the ComboFix.exe file and the subsequent C-drive folder with it? I know this certain 'USB' A-drive still exists in my computer, and my clock speed hasn't reverted back to normal??? When I type in ComboFix /u, it says that it can't read a ComboFix file, since I've manually deleted it...
Ahh...I see you jumped ahead of me and already deleted the file. You should still be just fine. The command ComboFix /u removes the file and related folders but performs a few other functions along with it. Your clock may not need to be reset but we may need to hide your system/hidden files and reset System Restore manually.

Does your system clock show the correct time? If not, you can change it by double clicking the clock in the system tray.

To re-hide the system's "hidden files and folder" please do the following:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select
"Do not show hidden files and folders"
* Check the "Hide protected operating system files"
(recommended) option and "Hide extensions for known file types"
* Apply it and Click Yes to confirm.
* Click OK.

The restore points you have would only serve to restore the infection(s) we've removed so we need to delete them and create a new restore point. This is also a feature the combofix /u would have performed for you automatically.

To remove all restore points and create a new one:

Click start-->Control Panel-->System-->System Restore...Check the box "Turn off System Restore on all drives" then click "Apply" and "OK" to close the System Properties box. Reboot the system. When the system comes back up and the desktop appears stable, return to the System Properties box "System Restore" tab. Remove the check from "Turn off System Restore on all drives". In a blink, the system will have created a new clean restore point for you and named it "System Check Point".

1972vet is offline  
Copyright 2001 - 2009, Tech Support Forum