
can't update anti-virus programs, connect to these sites...

This is a discussion on can't update anti-virus programs, connect to these sites... within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 05-16-2009, 02:57 AM   #1   gygulance (Guest)

Hello there!
I'm new here. I have several problems with my system (Vostro 1500), which is running Windows XP SP2.

1- I can't connect to any update source for my anti-virus program (Kaspersky Internet Security 7.0) or any other.

2- I can't browse any anti-virus sites such as Kaspersky or Symantec...

3- Although I can browse some other sites like Google, after my laptop has been running for some time I can't open even those sites. When I restart my laptop and retry, I can connect to those sites again, but I still can't browse anti-virus sites.

I searched the internet for this problem and found something suggesting that a rootkit named "Seneka" might cause it, but this didn't work for me, and I'm very confused now.
Please help!

DDS run:

DDS (Ver_09-03-16.01) - NTFSx86
Run by aa at 12:52:00.48 on Sat 05/16/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1553 [GMT 4.5:30]

AV: AVG 7.5.516 *On-access scanning enabled* (Outdated)
FW: AVG Firewall 7.5.500 *enabled*

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\USB Disk Security\USBGuard.exe
D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
D:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
D:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\windows\OEM02Mon.exe
C:\windows\Samsung\PanelMgr\SSMMgr.exe
C:\windows\system32\inetsrv\inetinfo.exe
C:\windows\system32\ctfmon.exe
D:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Dell\DELL Webcam Manager\DellWMgr.exe
C:\Program Files\Internet explorer\iexplore.exe
C:\windows\system32\nvsvc32.exe
C:\windows\system32\PnkBstrA.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\windows\system32\igfxsrvc.exe
C:\windows\system32\NOTEPAD.EXE
C:\Documents and Settings\aa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.npshop.net
mStart Page = hxxp://www.microsoft.com
mWindow Title = Microsoft Internet Explorer
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - d:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IDMan] d:\program files\internet download manager\IDMan.exe /onboot
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
uRun: [Yahoo! Pager] "d:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [systemadd] "c:\documents and settings\aa\application data\sysdate32.exe"
uRun: [RegistryMechanic] "c:\program files\registry mechanic\RegMech.exe" /H
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [USB Antivirus] "c:\program files\usb disk security\USBGuard.exe"
mRun: [CloneCDTray] "d:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [VirtualCloneDrive] "d:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [Babylon Client] "d:\program files\babylon\babylon-pro\Babylon.exe" -AutoStart
mRun: [Acrobat Assistant 8.0] "d:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [OEM02Mon.exe] "c:\windows\OEM02Mon.exe"
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [TkBellExe] "c:\program files\k-lite codec pack\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "d:\program files\k-lite codec pack\quicktime\qttask.exe" -atboottime
mRun: [AVG7_CC] "d:\progra~1\grisoft\avg7\avgcc.exe" /STARTUP
dRun: [AVG7_Run] d:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1025-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - d:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Append to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Download All Links with IDM - d:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - d:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\idmmbc.dll
LSP: c:\windows\system32\avgfwafu.dll
TCP: {87717D8B-35F1-4C78-9376-AEF610464483} = 80.191.89.2 217.218.210.2
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\aa\applic~1\mozilla\firefox\profiles\qw7usywd.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13997&locale=en_US&q=
FF - prefs.js: network.proxy.ftp - 194.225.33.7
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 194.225.33.7
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 194.225.33.7
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 194.225.33.7
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 194.225.33.7
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: d:\program files\k-lite codec pack\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\k-lite codec pack\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\k-lite codec pack\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\k-lite codec pack\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\k-lite codec pack\quicktime\plugins\npqtplugin5.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2009-5-13 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2009-5-13 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2009-5-13 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2009-5-13 10760]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2009-5-13 4960]
R3 OEM02Afx;Provides a software interface to control audio effects of M08 Internal webcam.;c:\windows\system32\drivers\OEM02Afx.sys [2009-3-7 141376]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2009-3-7 234496]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2009-3-7 7424]
S2 Avg7Alrt;AVG7 Alert Manager Server;d:\progra~1\grisoft\avg7\avgamsvr.exe [2009-5-13 418816]
S2 Avg7UpdSvc;AVG7 Update Service;d:\progra~1\grisoft\avg7\avgupsvc.exe [2009-5-13 49664]
S2 AVGEMS;AVG E-mail Scanner;d:\progra~1\grisoft\avg7\avgemc.exe [2009-5-13 406528]
S2 AVGFwSrv;AVG Firewall;d:\progra~1\grisoft\avg7\avgfwsrv.exe [2009-5-13 838656]
S2 dhyrrdbvp;Image Config;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

=============== Created Last 30 ================

2009-05-15 19:44 <DIR> a-dshr-- C:\cmdcons
2009-05-15 17:41 161,792 a------- c:\windows\SWREG.exe
2009-05-15 17:41 98,816 a------- c:\windows\sed.exe
2009-05-15 17:41 <DIR> --d----- C:\Combo-Fix
2009-05-15 12:48 <DIR> --d----- c:\windows\ERUNT
2009-05-15 12:05 <DIR> --d----- C:\SDFix
2009-05-15 11:03 <DIR> --d----- c:\documents and settings\aa\Pavark
2009-05-14 19:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-14 19:10 <DIR> --d----- c:\docume~1\aa\applic~1\SUPERAntiSpyware.com
2009-05-14 19:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic Anti-Spyware
2009-05-14 18:15 2,236 a------- c:\windows\system32\askcom.xml
2009-05-14 18:15 <DIR> --d----- c:\program files\Ask.com
2009-05-14 18:15 <DIR> --d----- c:\program files\MSSOAP
2009-05-14 18:14 <DIR> --d----- c:\program files\Webroot
2009-05-14 18:09 <DIR> --d----- c:\docume~1\aa\applic~1\GetRightToGo
2009-05-13 17:41 <DIR> --d----- c:\docume~1\aa\applic~1\AVG7
2009-05-13 17:41 110,592 a------- c:\windows\system32\avgfwafu.dll
2009-05-13 17:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Grisoft
2009-05-03 20:35 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-05-03 20:35 3,581 a------- c:\windows\system32\services.rar
2009-04-30 06:54 138,184 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-04-30 06:54 183,112 a------- c:\windows\system32\PnkBstrB.exe
2009-04-30 06:54 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-04-28 19:08 65,536 ac------ c:\windows\system32\dllcache\EXCH_mailmsg.dll
2009-04-28 19:07 9,216 ac------ c:\windows\system32\dllcache\wamps51.dll
2009-04-28 19:04 456,704 ac------ c:\windows\system32\dllcache\smtpsvc.dll
2009-04-25 23:43 <DIR> --d----- c:\program files\TFTCo
2009-04-25 23:32 188,416 a------- c:\docume~1\aa\applic~1\sysdate32.exe
2009-04-25 23:32 116,224 a------- c:\docume~1\aa\applic~1\sysdate.dll
2009-04-18 18:47 <DIR> --d----- C:\Noor

==================== Find3M ====================

2009-05-12 22:59 79,042 a------- c:\windows\system32\nvModes.dat
2009-03-07 15:15 811,008 a------- c:\windows\system32\cximage.dll
2009-03-07 15:15 376,832 a------- c:\windows\system32\OEM02Cvw.dll
2009-03-07 15:15 90,112 a------- c:\windows\CtDrvIns.exe
2009-03-07 15:15 36,864 a------- c:\windows\system32\OEM02Pin.dll
2009-03-07 15:15 36,864 a------- c:\windows\system32\CtCamMgr.dll
2009-03-07 15:15 36,864 a------- c:\windows\OEM02Mon.exe
2009-03-07 15:15 32,768 a------- c:\windows\system32\OEM02Hwx.dll
2009-03-07 15:15 28,672 a------- c:\windows\OEM02Cfg.exe
2009-03-07 15:15 24,576 a------- c:\windows\system32\OEM02Srv.exe
2007-10-22 15:14 76 ---shr-- c:\windows\CT4CET.bin
2004-08-04 05:37 168,096 a--shr-- c:\windows\system32\ohuewqh.dll

============= FINISH: 12:52:14.40 ===============
Attached Files: Attach.zip (4.5 KB, 15 views)

Old 05-17-2009, 12:43 PM   #2   Ried (TSF Security Manager, Emeritus; Microsoft Most Valuable Professional)

Hello gygulance,

In the future, kindly heed the ComboFix Disclaimer and only run this tool under guidance. As noted in our pre-posting topic...
Quote:
Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.
I'll need to review the C:\ComboFix.txt. Please copy/paste the contents in your next reply.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Old 05-17-2009, 11:22 PM   #3   gygulance (Guest)

Hello again, and thanks for your reply and attention.
I've just uninstalled my AVG anti-virus and run ComboFix (in Normal Mode, not in Safe Mode),
and the result:

ComboFix 09-05-14.05 - aa 05/18/2009 9:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1583 [GMT 4.5:30]
Running from: c:\documents and settings\aa\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.

2009-05-18 05:02 . 2009-05-18 05:02 -------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2009-05-15 08:18 . 2009-05-15 08:19 -------- d-----w c:\windows\ERUNT
2009-05-15 07:35 . 2009-05-15 08:30 -------- d-----w C:\SDFix
2009-05-15 06:33 . 2009-05-15 06:55 -------- d-----w c:\documents and settings\aa\Pavark
2009-05-14 14:40 . 2009-05-14 14:40 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-14 14:40 . 2009-05-16 08:09 -------- d-----w c:\documents and settings\aa\Application Data\SUPERAntiSpyware.com
2009-05-14 14:37 . 2009-05-14 14:37 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Spyware
2009-05-14 13:55 . 2009-05-16 08:10 -------- d-----w c:\documents and settings\aa\Local Settings\Application Data\AskToolbar
2009-05-14 13:45 . 2009-05-14 13:45 -------- d-----w c:\program files\Ask.com
2009-05-14 13:45 . 2009-05-14 13:45 -------- d-----w c:\program files\MSSOAP
2009-05-14 13:44 . 2009-05-14 13:44 -------- d-----w c:\program files\Webroot
2009-05-14 13:39 . 2009-05-14 13:43 -------- d-----w c:\documents and settings\aa\Application Data\GetRightToGo
2009-05-14 13:35 . 2009-05-18 05:04 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-03 16:05 . 2009-05-03 16:05 -------- d--h--w c:\windows\system32\GroupPolicy
2009-04-30 02:24 . 2009-05-12 17:56 138184 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-30 02:24 . 2009-05-12 17:55 183112 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-30 02:24 . 2009-04-30 02:24 66872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-04-28 14:38 . 2001-08-17 18:06 7168 -c--a-w c:\windows\system32\dllcache\EXCH_snprfdll.dll
2009-04-28 14:38 . 2001-08-17 18:06 7168 ----a-w c:\windows\system32\snprfdll.dll
2009-04-28 14:38 . 2001-08-17 18:06 12288 -c--a-w c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2009-04-28 14:38 . 2001-08-17 18:06 12288 ----a-w c:\windows\system32\smtpctrs.dll
2009-04-28 14:38 . 2001-08-17 18:06 57856 -c--a-w c:\windows\system32\dllcache\EXCH_scripto.dll
2009-04-28 14:38 . 2001-08-17 18:06 23040 -c--a-w c:\windows\system32\dllcache\EXCH_regtrace.exe
2009-04-28 14:38 . 2001-08-17 18:06 23040 ----a-w c:\windows\system32\regtrace.exe
2009-04-28 14:38 . 2001-08-17 18:06 38912 -c--a-w c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-04-28 14:38 . 2001-08-17 18:06 65536 -c--a-w c:\windows\system32\dllcache\EXCH_mailmsg.dll
2009-04-28 14:38 . 2001-08-17 18:06 43520 -c--a-w c:\windows\system32\dllcache\EXCH_fcachdll.dll
2009-04-28 14:38 . 2001-08-17 18:06 43520 ----a-w c:\windows\system32\fcachdll.dll
2009-04-28 14:38 . 2001-08-17 18:06 5632 -c--a-w c:\windows\system32\dllcache\EXCH_adsiisex.dll
2009-04-28 14:38 . 2001-08-17 18:06 5632 ----a-w c:\windows\system32\adsiisex.dll
2009-04-28 14:34 . 2004-08-04 01:07 456704 -c--a-w c:\windows\system32\dllcache\smtpsvc.dll
2009-04-25 19:13 . 2009-04-25 19:13 -------- d-----w c:\program files\TFTCo
2009-04-25 19:02 . 2009-04-25 19:02 116224 ----a-w c:\documents and settings\aa\Application Data\sysdate.dll
2009-04-25 19:02 . 2009-04-25 19:02 188416 ----a-w c:\documents and settings\aa\Application Data\sysdate32.exe
2009-04-18 14:17 . 2009-04-18 14:17 -------- d-----w C:\Noor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 08:09 . 2009-03-01 05:13 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-13 10:33 . 2009-03-21 16:24 -------- d-----w c:\program files\Microsoft SQL Server
2009-05-12 18:29 . 2007-10-22 08:17 79042 ----a-w c:\windows\system32\nvModes.dat
2009-04-28 17:35 . 2007-10-22 07:31 73280 ----a-w c:\documents and settings\aa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-28 15:00 . 2009-03-21 16:09 160056 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-28 14:50 . 2009-03-21 16:12 -------- d-----w c:\program files\Microsoft.NET
2009-04-25 19:13 . 2007-10-22 08:19 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-18 14:05 . 2007-10-22 08:17 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-15 06:31 . 2009-04-15 06:31 -------- d-----w c:\program files\Business Objects
2009-04-15 06:26 . 2009-04-15 06:26 -------- d-----w c:\program files\Microsoft Synchronization Services
2009-03-24 05:43 . 2007-10-22 10:30 -------- d-----w c:\program files\Yahoo!
2009-03-23 06:03 . 2009-03-18 04:03 -------- d-----w c:\program files\Cyberlink
2009-03-21 16:24 . 2009-03-21 16:24 -------- d-----w c:\program files\Microsoft Device Emulator
2009-03-21 16:23 . 2009-03-21 16:23 -------- d-----w c:\program files\Windows Mobile 5.0 SDK R2
2009-03-21 16:22 . 2009-03-21 16:22 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-03-21 16:14 . 2009-03-21 16:12 -------- d-----w c:\program files\HTML Help Workshop
2009-03-21 16:12 . 2009-03-21 16:12 -------- d-----w c:\program files\Microsoft SDKs
2009-03-21 16:12 . 2009-03-21 16:12 -------- d-----w c:\program files\Common Files\Merge Modules
2009-03-21 16:12 . 2009-03-21 16:12 -------- d-----w c:\program files\CE Remote Tools
2009-03-21 16:11 . 2009-03-21 16:11 -------- d-----w c:\program files\Microsoft Web Designer Tools
2009-03-21 16:07 . 2009-03-21 16:07 -------- d-----w c:\program files\MSBuild
2009-03-21 16:07 . 2009-03-21 16:07 -------- d-----w c:\program files\Reference Assemblies
2009-03-21 16:04 . 2009-03-21 16:04 -------- d-----w c:\program files\MSXML 6.0
2009-03-07 10:45 . 2009-03-07 10:45 90112 ----a-w c:\windows\CtDrvIns.exe
2009-03-07 10:45 . 2009-03-07 10:45 811008 ----a-w c:\windows\system32\cximage.dll
2009-03-07 10:45 . 2009-03-07 10:45 7424 ----a-w c:\windows\system32\drivers\OEM02Vfx.sys
2009-03-07 10:45 . 2009-03-07 10:45 376832 ----a-w c:\windows\system32\OEM02Cvw.dll
2009-03-07 10:45 . 2009-03-07 10:45 36864 ----a-w c:\windows\system32\OEM02Pin.dll
2009-03-07 10:45 . 2009-03-07 10:45 36864 ----a-w c:\windows\system32\CtCamMgr.dll
2009-03-07 10:45 . 2009-03-07 10:45 36864 ----a-w c:\windows\OEM02Mon.exe
2009-03-07 10:45 . 2009-03-07 10:45 32768 ----a-w c:\windows\system32\OEM02Hwx.dll
2009-03-07 10:45 . 2009-03-07 10:45 28672 ----a-w c:\windows\OEM02Cfg.exe
2009-03-07 10:45 . 2009-03-07 10:45 24576 ----a-w c:\windows\system32\OEM02Srv.exe
2009-03-07 10:45 . 2009-03-07 10:45 234496 ----a-w c:\windows\system32\drivers\OEM02Dev.sys
2009-03-07 10:45 . 2009-03-07 10:45 141376 ----a-w c:\windows\system32\drivers\OEM02Afx.sys
2009-03-01 06:08 . 2009-03-01 06:08 0 ----a-w c:\windows\nsreg.dat
2009-03-01 05:13 . 2009-03-01 05:13 271360 ----a-w c:\windows\system32\drivers\atksgt.sys
2009-03-01 05:13 . 2009-03-01 05:13 18048 ----a-w c:\windows\system32\drivers\lirsgt.sys
2009-03-01 04:03 . 2009-03-01 05:04 24 --sh--w c:\windows\S26F01AFB.tmp
2007-10-22 10:44 . 2007-10-22 10:44 76 --sh--r c:\windows\CT4CET.bin
2004-08-04 01:07 . 2004-08-04 01:07 168096 --sha-r c:\windows\system32\ohuewqh.dll
.

((((((((((((((((((((((((((((( [email protected]_15.17.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 01:07 . 2009-05-18 04:59 548226 c:\windows\system32\perfh009.dat
- 2004-08-04 01:07 . 2009-05-15 08:31 548226 c:\windows\system32\perfh009.dat
+ 2004-08-04 01:07 . 2009-05-18 04:59 109472 c:\windows\system32\perfc009.dat
- 2004-08-04 01:07 . 2009-05-15 08:31 109472 c:\windows\system32\perfc009.dat
+ 2009-04-28 14:38 . 2009-05-18 05:05 229865 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-02-09 10:36 764296 ----a-w c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"IDMan"="d:\program files\Internet Download Manager\IDMan.exe" [2005-05-16 502272]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-03-04 160592]
"DELL Webcam Manager"="c:\program files\Dell\DELL Webcam Manager\DellWMgr.exe" [2007-06-07 118784]
"Yahoo! Pager"="d:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"systemadd"="c:\documents and settings\aa\Application Data\sysdate32.exe" [2009-04-25 188416]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2008-09-23 798720]
"CloneCDTray"="d:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"VirtualCloneDrive"="d:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"Babylon Client"="d:\program files\Babylon\Babylon-Pro\Babylon.exe" [2009-03-10 2655272]
"Acrobat Assistant 8.0"="d:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2009-03-07 36864]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-04-14 536576]
"TkBellExe"="c:\program files\K-Lite Codec Pack\Real\Update_OB\realsched.exe" [2009-03-18 180269]
"QuickTime Task"="d:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2006-09-01 282624]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1025-0000-7760-000000000003}\_SC_Acrobat.exe [2009-3-6 295606]
Adobe Acrobat Synchronizer.lnk - d:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGFwSrv"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"d:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6446:TCP"= 6446:TCP:wcphwkke

R3 OEM02Afx;Provides a software interface to control audio effects of M08 Internal webcam.;c:\windows\system32\drivers\OEM02Afx.sys [3/7/2009 3:15 PM 141376]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [3/7/2009 3:15 PM 234496]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [3/7/2009 3:15 PM 7424]
S2 dhyrrdbvp;Image Config;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:37 AM 14336]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dhyrrdbvp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1676d142-808a-11dc-81bd-806d6172696f}]
\Shell\AutoRun\command - f:\bootcd\wintools\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 09:51]

2009-05-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-03 11:53]

2009-05-18 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-02-09 10:36]
.
.
------- Supplementary Scan -------
.
uStart Page = www.npshop.net
mStart Page = hxxp://www.microsoft.com
mWindow Title = Microsoft Internet Explorer
IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download All Links with IDM - d:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - d:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
LSP: c:\windows\system32\idmmbc.dll
FF - ProfilePath - c:\documents and settings\aa\Application Data\Mozilla\Firefox\Profiles\qw7usywd.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13997&locale=en_US&q=
FF - prefs.js: network.proxy.ftp - 194.225.33.7
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 194.225.33.7
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 194.225.33.7
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 194.225.33.7
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 194.225.33.7
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Google Updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: d:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-05-18 09:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dhyrrdbvp]
"ServiceDll"="c:\windows\system32\ohuewqh.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1040)
c:\windows\system32\idmmbc.dll

- - - - - - - > 'explorer.exe'(2316)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
d:\program files\Babylon\Babylon-Pro\CAPTLIB.DLL
c:\windows\system32\browselc.dll
d:\program files\Internet Download Manager\IDMIECC.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\program files\Siber Systems\AI RoboForm\roboform.dll
c:\windows\system32\shdoclc.dll
d:\program files\Internet Download Manager\idmmkb.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2009-05-18 9:38
ComboFix-quarantined-files.txt 2009-05-18 05:08
ComboFix2.txt 2009-05-15 15:18

Pre-Run: 11,850,952,704 bytes free
Post-Run: 11,838,132,224 bytes free

With Best Regards

Old 05-17-2009, 11:30 PM   #4
TSF Security Manager Emeritus
Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit

That's great, but what I needed to see was the very first run of ComboFix.

Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix2.txt

A report should pop open for you. Please post the contents in your next reply.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 05-19-2009, 06:58 AM   #5
Guest
Join Date: May 2009
Posts: 5

Thanks for your attention. That's what you need:

ComboFix 09-05-14.05 - aa 05/15/2009 19:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1209 [GMT 4.5:30]
Running from: c:\documents and settings\aa\Desktop\Combo-Fix.exe
AV: AVG 7.5.516 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
AV: Webroot AntiVirus with AntiSpyware *On-access scanning enabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: AVG Firewall 7.5.500 *enabled* {8DECF618-9569-4340-B34A-D78D28969B66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Cache

.
((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
.

2009-05-15 08:18 . 2009-05-15 08:19 -------- d-----w c:\windows\ERUNT
2009-05-15 07:35 . 2009-05-15 08:30 -------- d-----w C:\SDFix
2009-05-15 06:33 . 2009-05-15 06:55 -------- d-----w c:\documents and settings\aa\Pavark
2009-05-14 14:40 . 2009-05-14 14:40 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-14 14:40 . 2009-05-14 14:40 -------- d-----w c:\documents and settings\aa\Application Data\SUPERAntiSpyware.com
2009-05-14 14:37 . 2009-05-14 14:37 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Spyware
2009-05-14 14:37 . 2009-05-14 14:37 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-05-14 13:55 . 2009-05-14 13:55 -------- d-----w c:\documents and settings\aa\Local Settings\Application Data\AskToolbar
2009-05-14 13:45 . 2009-05-14 13:45 -------- d-----w c:\program files\Ask.com
2009-05-14 13:45 . 2009-05-14 13:45 -------- d-----w c:\program files\MSSOAP
2009-05-14 13:44 . 2009-04-06 09:02 1563008 ----a-w c:\windows\WRSetup.dll
2009-05-14 13:44 . 2009-05-14 13:44 -------- d-----w c:\program files\Webroot
2009-05-14 13:44 . 2009-05-14 13:44 -------- d-----w c:\documents and settings\aa\Application Data\Webroot
2009-05-14 13:44 . 2009-05-14 13:49 -------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2009-05-14 13:39 . 2009-05-14 13:43 -------- d-----w c:\documents and settings\aa\Application Data\GetRightToGo
2009-05-14 13:35 . 2008-12-11 04:08 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-05-14 13:35 . 2009-04-03 06:48 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-05-14 13:35 . 2008-12-18 07:46 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-14 13:35 . 2009-05-15 13:12 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-14 13:35 . 2009-05-14 13:36 -------- d-----w c:\program files\Common Files\PC Tools
2009-05-14 13:35 . 2008-12-10 07:06 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-05-14 13:35 . 2009-05-14 13:35 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-05-14 13:35 . 2009-05-14 13:35 -------- d-----w c:\documents and settings\aa\Application Data\PC Tools
2009-05-13 13:13 . 2009-05-13 13:13 -------- d-----w c:\documents and settings\LocalService\Application Data\AVG7
2009-05-13 13:11 . 2009-05-15 06:38 -------- d-----w c:\documents and settings\aa\Application Data\AVG7
2009-05-13 13:11 . 2009-05-13 13:11 110592 ----a-w c:\windows\system32\avgfwafu.dll
2009-05-13 13:11 . 2009-05-13 13:58 -------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-05-13 13:11 . 2009-05-13 13:11 -------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2009-05-03 16:05 . 2009-05-03 16:05 -------- d--h--w c:\windows\system32\GroupPolicy
2009-04-30 02:24 . 2009-05-12 17:56 138184 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-30 02:24 . 2009-05-12 17:55 183112 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-30 02:24 . 2009-04-30 02:24 66872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-04-28 14:38 . 2001-08-17 18:06 7168 -c--a-w c:\windows\system32\dllcache\EXCH_snprfdll.dll
2009-04-28 14:38 . 2001-08-17 18:06 7168 ----a-w c:\windows\system32\snprfdll.dll
2009-04-28 14:38 . 2001-08-17 18:06 12288 -c--a-w c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2009-04-28 14:38 . 2001-08-17 18:06 12288 ----a-w c:\windows\system32\smtpctrs.dll
2009-04-28 14:38 . 2001-08-17 18:06 57856 -c--a-w c:\windows\system32\dllcache\EXCH_scripto.dll
2009-04-28 14:38 . 2001-08-17 18:06 23040 -c--a-w c:\windows\system32\dllcache\EXCH_regtrace.exe
2009-04-28 14:38 . 2001-08-17 18:06 23040 ----a-w c:\windows\system32\regtrace.exe
2009-04-28 14:38 . 2001-08-17 18:06 38912 -c--a-w c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-04-28 14:38 . 2001-08-17 18:06 65536 -c--a-w c:\windows\system32\dllcache\EXCH_mailmsg.dll
2009-04-28 14:38 . 2001-08-17 18:06 43520 -c--a-w c:\windows\system32\dllcache\EXCH_fcachdll.dll
2009-04-28 14:38 . 2001-08-17 18:06 43520 ----a-w c:\windows\system32\fcachdll.dll
2009-04-28 14:38 . 2001-08-17 18:06 5632 -c--a-w c:\windows\system32\dllcache\EXCH_adsiisex.dll
2009-04-28 14:38 . 2001-08-17 18:06 5632 ----a-w c:\windows\system32\adsiisex.dll
2009-04-28 14:34 . 2004-08-04 01:07 456704 -c--a-w c:\windows\system32\dllcache\smtpsvc.dll
2009-04-25 19:13 . 2009-04-25 19:13 -------- d-----w c:\program files\TFTCo
2009-04-25 19:02 . 2009-04-25 19:02 116224 ----a-w c:\documents and settings\aa\Application Data\sysdate.dll
2009-04-25 19:02 . 2009-04-25 19:02 188416 ----a-w c:\documents and settings\aa\Application Data\sysdate32.exe
2009-04-18 14:17 . 2009-04-18 14:17 -------- d-----w C:\Noor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-14 14:39 . 2009-03-01 05:13 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-13 10:33 . 2009-03-21 16:24 -------- d-----w c:\program files\Microsoft SQL Server
2009-05-12 18:29 . 2007-10-22 08:17 79042 ----a-w c:\windows\system32\nvModes.dat
2009-04-28 17:35 . 2007-10-22 07:31 73280 ----a-w c:\documents and settings\aa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-28 15:00 . 2009-03-21 16:09 160056 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-28 14:50 . 2009-03-21 16:12 -------- d-----w c:\program files\Microsoft.NET
2009-04-25 19:13 . 2007-10-22 08:19 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-18 14:05 . 2007-10-22 08:17 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-15 06:31 . 2009-04-15 06:31 -------- d-----w c:\program files\Business Objects
2009-04-15 06:26 . 2009-04-15 06:26 -------- d-----w c:\program files\Microsoft Synchronization Services
2009-04-02 10:00 . 2009-04-02 10:00 176752 ----a-w c:\windows\system32\drivers\ssidrv.sys
2009-04-02 10:00 . 2009-04-02 10:00 23152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2009-04-02 10:00 . 2009-04-02 10:00 29808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2009-03-24 05:43 . 2007-10-22 10:30 -------- d-----w c:\program files\Yahoo!
2009-03-23 06:03 . 2009-03-18 04:03 -------- d-----w c:\program files\Cyberlink
2009-03-21 16:24 . 2009-03-21 16:24 -------- d-----w c:\program files\Microsoft Device Emulator
2009-03-21 16:23 . 2009-03-21 16:23 -------- d-----w c:\program files\Windows Mobile 5.0 SDK R2
2009-03-21 16:22 . 2009-03-21 16:22 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-03-21 16:14 . 2009-03-21 16:12 -------- d-----w c:\program files\HTML Help Workshop
2009-03-21 16:12 . 2009-03-21 16:12 -------- d-----w c:\program files\Microsoft SDKs
2009-03-21 16:12 . 2009-03-21 16:12 -------- d-----w c:\program files\Common Files\Merge Modules
2009-03-21 16:12 . 2009-03-21 16:12 -------- d-----w c:\program files\CE Remote Tools
2009-03-21 16:11 . 2009-03-21 16:11 -------- d-----w c:\program files\Microsoft Web Designer Tools
2009-03-21 16:07 . 2009-03-21 16:07 -------- d-----w c:\program files\MSBuild
2009-03-21 16:07 . 2009-03-21 16:07 -------- d-----w c:\program files\Reference Assemblies
2009-03-21 16:04 . 2009-03-21 16:04 -------- d-----w c:\program files\MSXML 6.0
2009-03-18 03:37 . 2009-03-18 03:37 -------- d-----w c:\program files\Apple Software Update
2009-03-18 03:36 . 2009-03-18 03:36 -------- d-----w c:\program files\Common Files\xing shared
2009-03-18 03:36 . 2009-03-18 03:36 -------- d-----w c:\program files\Common Files\Real
2009-03-18 03:36 . 2009-03-18 03:36 -------- d-----w c:\program files\Real
2009-03-18 03:35 . 2009-03-18 03:35 -------- d-----w c:\program files\Common Files\Ulead
2009-03-07 10:45 . 2009-03-07 10:45 90112 ----a-w c:\windows\CtDrvIns.exe
2009-03-07 10:45 . 2009-03-07 10:45 811008 ----a-w c:\windows\system32\cximage.dll
2009-03-07 10:45 . 2009-03-07 10:45 7424 ----a-w c:\windows\system32\drivers\OEM02Vfx.sys
2009-03-07 10:45 . 2009-03-07 10:45 376832 ----a-w c:\windows\system32\OEM02Cvw.dll
2009-03-07 10:45 . 2009-03-07 10:45 36864 ----a-w c:\windows\system32\OEM02Pin.dll
2009-03-07 10:45 . 2009-03-07 10:45 36864 ----a-w c:\windows\system32\CtCamMgr.dll
2009-03-07 10:45 . 2009-03-07 10:45 36864 ----a-w c:\windows\OEM02Mon.exe
2009-03-07 10:45 . 2009-03-07 10:45 32768 ----a-w c:\windows\system32\OEM02Hwx.dll
2009-03-07 10:45 . 2009-03-07 10:45 28672 ----a-w c:\windows\OEM02Cfg.exe
2009-03-07 10:45 . 2009-03-07 10:45 24576 ----a-w c:\windows\system32\OEM02Srv.exe
2009-03-07 10:45 . 2009-03-07 10:45 234496 ----a-w c:\windows\system32\drivers\OEM02Dev.sys
2009-03-07 10:45 . 2009-03-07 10:45 141376 ----a-w c:\windows\system32\drivers\OEM02Afx.sys
2009-03-01 06:08 . 2009-03-01 06:08 0 ----a-w c:\windows\nsreg.dat
2009-03-01 05:13 . 2009-03-01 05:13 271360 ----a-w c:\windows\system32\drivers\atksgt.sys
2009-03-01 05:13 . 2009-03-01 05:13 18048 ----a-w c:\windows\system32\drivers\lirsgt.sys
2009-03-01 04:03 . 2009-03-01 05:04 24 --sh--w c:\windows\S26F01AFB.tmp
2007-10-22 10:44 . 2007-10-22 10:44 76 --sh--r c:\windows\CT4CET.bin
2004-08-04 01:07 . 2004-08-04 01:07 168096 --sha-r c:\windows\system32\ohuewqh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-02-09 10:36 764296 ----a-w c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-04-06 08:56 238968 ----a-w c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"IDMan"="d:\program files\Internet Download Manager\IDMan.exe" [2005-05-16 502272]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-03-04 160592]
"DELL Webcam Manager"="c:\program files\Dell\DELL Webcam Manager\DellWMgr.exe" [2007-06-07 118784]
"Yahoo! Pager"="d:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"systemadd"="c:\documents and settings\aa\Application Data\sysdate32.exe" [2009-04-25 188416]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"ParetoLogic Anti-Spyware"="d:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" [2007-04-02 2639472]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-25 476702]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2008-09-23 798720]
"CloneCDTray"="d:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"VirtualCloneDrive"="d:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"Babylon Client"="d:\program files\Babylon\Babylon-Pro\Babylon.exe" [2009-03-10 2655272]
"Acrobat Assistant 8.0"="d:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2009-03-07 36864]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-04-14 536576]
"TkBellExe"="c:\program files\K-Lite Codec Pack\Real\Update_OB\realsched.exe" [2009-03-18 180269]
"QuickTime Task"="d:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2006-09-01 282624]
"AVG7_CC"="d:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-05-13 579072]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-04-06 6345840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="d:\progra~1\Grisoft\AVG7\avgw.exe" [2009-05-13 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1025-0000-7760-000000000003}\_SC_Acrobat.exe [2009-3-6 295606]
Adobe Acrobat Synchronizer.lnk - d:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= "d:\program files\ParetoLogic\Anti-Spyware\PASShlExt.dll" [2007-03-29 98304]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"d:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"d:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"d:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6446:TCP"= 6446:TCP:wcphwkke

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/14/2009 6:05 PM 130936]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/2/2009 2:30 PM 29808]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 1:53 PM 5632]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 12:39 PM 32256]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [5/14/2009 6:15 PM 1181040]
R3 OEM02Afx;Provides a software interface to control audio effects of M08 Internal webcam.;c:\windows\system32\drivers\OEM02Afx.sys [3/7/2009 3:15 PM 141376]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [3/7/2009 3:15 PM 234496]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [3/7/2009 3:15 PM 7424]
R3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 4096]
S2 dhyrrdbvp;Image Config;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:37 AM 14336]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;d:\program files\Spyware Doctor\pctsAuxs.exe [5/14/2009 6:05 PM 348752]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dhyrrdbvp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1676d142-808a-11dc-81bd-806d6172696f}]
\Shell\AutoRun\command - f:\bootcd\wintools\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 09:51]

2009-05-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-03 11:53]

2009-05-14 c:\windows\Tasks\ParetoLogic Anti-Spyware.job
- d:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe [2007-04-02 23:40]

2009-05-14 c:\windows\Tasks\ParetoLogic Update.job
- c:\program files\Common Files\ParetoLogic\UUS\Pareto_Update.exe [2007-03-29 17:08]

2009-05-15 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-02-09 10:36]

2009-05-14 c:\windows\Tasks\wrSpySweeper_LC5CF3BA8839047498C8A31F83F211EC1.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-05-14 09:02]

2009-05-14 c:\windows\Tasks\wrSpySweeper_LC5CF3BA8839047498C8A31F83F211EC1.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-05-14 09:02]
.
.
------- Supplementary Scan -------
.
uStart Page = www.npshop.net
mStart Page = hxxp://www.microsoft.com
mWindow Title = Microsoft Internet Explorer
IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download All Links with IDM - d:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - d:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
LSP: c:\windows\system32\idmmbc.dll
LSP: c:\windows\system32\avgfwafu.dll
TCP: {87717D8B-35F1-4C78-9376-AEF610464483} = 80.191.89.2 217.218.210.2
FF - ProfilePath - c:\documents and settings\aa\Application Data\Mozilla\Firefox\Profiles\qw7usywd.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13997&locale=en_US&q=
FF - prefs.js: network.proxy.ftp - 194.225.33.7
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 194.225.33.7
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 194.225.33.7
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 194.225.33.7
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 194.225.33.7
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Google Updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: d:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-05-15 19:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dhyrrdbvp]
"ServiceDll"="c:\windows\system32\ohuewqh.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(1064)
c:\windows\system32\idmmbc.dll
c:\windows\system32\avgfwafu.dll

- - - - - - - > 'explorer.exe'(3844)
c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
d:\program files\Babylon\Babylon-Pro\CAPTLIB.DLL
c:\windows\system32\browselc.dll
d:\program files\Internet Download Manager\IDMIECC.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\program files\Siber Systems\AI RoboForm\roboform.dll
c:\windows\system32\shdoclc.dll
d:\program files\Internet Download Manager\idmmkb.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2009-05-15 19:48
ComboFix-quarantined-files.txt 2009-05-15 15:18

Pre-Run: 11,871,350,784 bytes free
Post-Run: 11,860,647,936 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\windows
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\windows="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Old 05-19-2009, 08:49 PM   #6
TSF Security Manager Emeritus
Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit

Thank you, gygulance. :)


Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Before we continue, you currently have 2 Anti Virus programs installed. While it may seem to be added protection for you, more than 1 Anti Virus can cause conflicts and confusion between the AV programs as well as system instability. Please choose and run only 1 and uninstall the other via the Add/Remove Programs in the Control Panel.

***************************************************


After you've completed the above,

Open notepad and copy/paste the text in the code box below into it:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/376493-cant-update-anti-virus-programs-connect-these-sites.html#post2141985

Collect::
c:\windows\system32\ohuewqh.dll
c:\documents and settings\aa\Application Data\sysdate32.exe
c:\documents and settings\aa\Application Data\sysdate.dll

Driver::
dhyrrdbvp

NetSvc::
dhyrrdbvp

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
---------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit https://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior
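The items Ried's CFScript targets (the svchost-hosted service dhyrrdbvp whose ServiceDll is ohuewqh.dll, the sysdate32.exe autostart under Application Data, the disabled firewall and the port exception with an opaque name) are all visible in the first ComboFix log posted above. The following Python script is an added example, not part of this thread and not ComboFix's own code, that correlates those indicators out of ComboFix-style log lines the way an analyst reads them by eye. The sample input is a constructed excerpt of lines copied from the log above; the allow-list of ServiceDll paths and the list of user-writable profile directories are assumptions for illustration, not an authoritative reference.

```python
"""Correlate ComboFix-style log lines into analyst findings.

Added example for this thread; not part of ComboFix or of the posts above.
The allow-list and path heuristics are assumptions for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input: lines excerpted from the first ComboFix log in the thread.
SAMPLE_LOG = r"""
2004-08-04 01:07 . 2004-08-04 01:07 168096 --sha-r c:\windows\system32\ohuewqh.dll
2009-04-25 19:02 . 2009-04-25 19:02 188416 ----a-w c:\documents and settings\aa\Application Data\sysdate32.exe
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"systemadd"="c:\documents and settings\aa\Application Data\sysdate32.exe" [2009-04-25 188416]
"EnableFirewall"= 0 (0x0)
"6446:TCP"= 6446:TCP:wcphwkke
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [5/14/2009 6:15 PM 1181040]
S2 dhyrrdbvp;Image Config;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:37 AM 14336]
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dhyrrdbvp]
"ServiceDll"="c:\windows\system32\ohuewqh.dll"
"""

# Assumed, deliberately tiny allow-list of svchost-hosted ServiceDll paths on XP;
# a real tool would compare against a signed-file or known-good hash database.
KNOWN_SERVICE_DLLS = {
    r"c:\windows\system32\wkssvc.dll",
    r"c:\windows\system32\srvsvc.dll",
    r"c:\windows\system32\browser.dll",
}
# Profile locations an autostart should not normally launch from (assumption).
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")

FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d"
    r"\s+(?:\d+|-+)\s+(?P<attrs>[-a-z]{7})\s+(?P<path>.+)$"
)
SVCHOST_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;.*?svchost\.exe\s+-k\s+(?P<group>\w+)", re.I)
SERVICE_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\[^\\]+\\Services\\(?P<name>[^\]]+)\]$", re.I)
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="(?P<dll>[^"]+)"', re.I)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
OPEN_PORT_RE = re.compile(r'^"(?P<port>\d+:(?:TCP|UDP))"=\s*\d+:(?:TCP|UDP):(?P<label>\S+)', re.I)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Parse file, service, registry and firewall lines, then correlate them."""
    files: Dict[str, str] = {}              # lower-cased path -> attribute string
    svchost_services: Dict[str, str] = {}   # service name -> svchost group
    service_dlls: Dict[str, str] = {}       # service name -> ServiceDll (lower-cased)
    run_entries: List[Tuple[str, str]] = []
    open_ports: List[Tuple[str, str]] = []
    firewall_off = False
    current_service = None

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FILE_RE.match(line):
            files[m["path"].lower()] = m["attrs"]
        elif m := SVCHOST_RE.match(line):
            svchost_services[m["name"]] = m["group"].lower()
        elif m := SERVICE_KEY_RE.match(line):
            current_service = m["name"]     # the following "ServiceDll" line belongs to this key
        elif m := SERVICEDLL_RE.match(line):
            if current_service:
                service_dlls[current_service] = m["dll"].lower()
        elif FIREWALL_OFF_RE.match(line):
            firewall_off = True
        elif m := OPEN_PORT_RE.match(line):
            open_ports.append((m["port"], m["label"]))
        elif m := RUN_RE.match(line):
            run_entries.append((m["name"], m["path"]))

    findings: List[Dict[str, str]] = []
    for name, group in svchost_services.items():
        dll = service_dlls.get(name)
        if dll is None:
            findings.append({"severity": "medium", "item": f"{name} (svchost -k {group})",
                             "reason": "svchost-hosted service with no ServiceDll in the log"})
            continue
        reasons = []
        if dll not in KNOWN_SERVICE_DLLS:
            reasons.append(f"ServiceDll not in allow-list (group {group})")
        attrs = files.get(dll, "")
        if "s" in attrs and "h" in attrs:   # system+hidden is unusual for a service DLL in system32
            reasons.append(f"DLL carries system+hidden attributes ({attrs})")
        if reasons:
            findings.append({"severity": "high", "item": f"{name} -> {dll}", "reason": "; ".join(reasons)})
    for name, path in run_entries:
        if any(seg in path.lower() for seg in USER_WRITABLE):
            findings.append({"severity": "high", "item": f"Run: {name} -> {path}",
                             "reason": "autostart launched from a user-writable profile directory"})
    if firewall_off:
        findings.append({"severity": "medium", "item": "Windows Firewall", "reason": "EnableFirewall=0"})
    for port, label in open_ports:
        findings.append({"severity": "medium", "item": f"open port {port} ({label})",
                         "reason": "global inbound exception; confirm which program owns it"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:>6}] {f['item']}: {f['reason']}")
```

Run it as-is to print the four findings from the sample; pass the text of a full ComboFix.txt to triage() to scan a real log. The service check is two-stage on purpose: an unlisted ServiceDll in a netsvcs group alone is only a lead, since the tiny allow-list is an assumption, while the system+hidden attribute pairing is what separates ohuewqh.dll from a legitimately unlisted vendor DLL. Everything else (Run entries in Application Data, EnableFirewall=0, a port exception with a random label) is reported for review rather than judged, which is the same posture Ried's Collect:: directive takes by submitting the files for analysis instead of simply deleting them.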
Old 05-22-2009, 01:27 AM   #7
Guest
Join Date: May 2009
Posts: 5

Hello again! Thank you so much for your assistance. I did what you told me and everything is going fine now. I can now update my anti-virus program KIS 7.0 and browse those sites as well. But besides this, I would appreciate it if you could tell me what kind of trojan or spyware my system was infected with and how you worked out what was wrong with my system (I mean the process in detail). I have also included the files you asked for.
I should thank you so much again for helping me!

ComboFix 09-05-14.05 - aa 05/20/2009 11:14.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1608 [GMT 4.5:30]
Running from: c:\documents and settings\aa\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\aa\Desktop\CFScript.txt

file zipped: c:\documents and settings\aa\Application Data\sysdate.dll
file zipped: c:\documents and settings\aa\Application Data\sysdate32.exe
file zipped: c:\windows\system32\ohuewqh.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\aa\Application Data\sysdate.dll
c:\documents and settings\aa\Application Data\sysdate32.exe
c:\windows\system32\ohuewqh.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DHYRRDBVP
-------\Service_dhyrrdbvp


((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-18 05:02 . 2009-05-18 05:02 -------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2009-05-15 08:18 . 2009-05-15 08:19 -------- d-----w c:\windows\ERUNT
2009-05-15 07:35 . 2009-05-15 08:30 -------- d-----w C:\SDFix
2009-05-15 06:33 . 2009-05-15 06:55 -------- d-----w c:\documents and settings\aa\Pavark
2009-05-14 14:40 . 2009-05-14 14:40 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-14 14:40 . 2009-05-16 08:09 -------- d-----w c:\documents and settings\aa\Application Data\SUPERAntiSpyware.com
2009-05-14 14:37 . 2009-05-14 14:37 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Spyware
2009-05-14 13:55 . 2009-05-18 10:41 -------- d-----w c:\documents and settings\aa\Local Settings\Application Data\AskToolbar
2009-05-14 13:45 . 2009-05-14 13:45 -------- d-----w c:\program files\Ask.com
2009-05-14 13:45 . 2009-05-14 13:45 -------- d-----w c:\program files\MSSOAP
2009-05-14 13:44 . 2009-05-14 13:44 -------- d-----w c:\program files\Webroot
2009-05-14 13:39 . 2009-05-14 13:43 -------- d-----w c:\documents and settings\aa\Application Data\GetRightToGo
2009-05-14 13:35 . 2009-05-20 06:35 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-03 16:05 . 2009-05-03 16:05 -------- d--h--w c:\windows\system32\GroupPolicy
2009-04-30 02:24 . 2009-05-12 17:56 138184 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-30 02:24 . 2009-05-12 17:55 183112 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-30 02:24 . 2009-04-30 02:24 66872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-04-28 14:38 . 2001-08-17 18:06 7168 -c--a-w c:\windows\system32\dllcache\EXCH_snprfdll.dll
2009-04-28 14:38 . 2001-08-17 18:06 7168 ----a-w c:\windows\system32\snprfdll.dll
2009-04-28 14:38 . 2001-08-17 18:06 12288 -c--a-w c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2009-04-28 14:38 . 2001-08-17 18:06 12288 ----a-w c:\windows\system32\smtpctrs.dll
2009-04-28 14:38 . 2001-08-17 18:06 57856 -c--a-w c:\windows\system32\dllcache\EXCH_scripto.dll
2009-04-28 14:38 . 2001-08-17 18:06 23040 -c--a-w c:\windows\system32\dllcache\EXCH_regtrace.exe
2009-04-28 14:38 . 2001-08-17 18:06 23040 ----a-w c:\windows\system32\regtrace.exe
2009-04-28 14:38 . 2001-08-17 18:06 38912 -c--a-w c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-04-28 14:38 . 2001-08-17 18:06 65536 -c--a-w c:\windows\system32\dllcache\EXCH_mailmsg.dll
2009-04-28 14:38 . 2001-08-17 18:06 43520 -c--a-w c:\windows\system32\dllcache\EXCH_fcachdll.dll
2009-04-28 14:38 . 2001-08-17 18:06 43520 ----a-w c:\windows\system32\fcachdll.dll
2009-04-28 14:38 . 2001-08-17 18:06 5632 -c--a-w c:\windows\system32\dllcache\EXCH_adsiisex.dll
2009-04-28 14:38 . 2001-08-17 18:06 5632 ----a-w c:\windows\system32\adsiisex.dll
2009-04-28 14:34 . 2004-08-04 01:07 456704 -c--a-w c:\windows\system32\dllcache\smtpsvc.dll
2009-04-25 19:13 . 2009-04-25 19:13 -------- d-----w c:\program files\TFTCo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 06:35 . 2009-02-18 13:43 -------- d-----w c:\program files\USB Disk Security
2009-05-19 15:15 . 2007-10-22 07:31 77696 ----a-w c:\documents and settings\aa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-16 08:09 . 2009-03-01 05:13 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-13 10:33 . 2009-03-21 16:24 -------- d-----w c:\program files\Microsoft SQL Server
2009-05-12 18:29 . 2007-10-22 08:17 79042 ----a-w c:\windows\system32\nvModes.dat
2009-04-28 15:00 . 2009-03-21 16:09 160056 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-28 14:50 . 2009-03-21 16:12 -------- d-----w c:\program files\Microsoft.NET
2009-04-25 19:13 . 2007-10-22 08:19 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-18 14:05 . 2007-10-22 08:17 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-15 06:31 . 2009-04-15 06:31 -------- d-----w c:\program files\Business Objects
2009-04-15 06:26 . 2009-04-15 06:26 -------- d-----w c:\program files\Microsoft Synchronization Services
2009-03-24 05:43 . 2007-10-22 10:30 -------- d-----w c:\program files\Yahoo!
2009-03-23 06:03 . 2009-03-18 04:03 -------- d-----w c:\program files\Cyberlink
2009-03-21 16:24 . 2009-03-21 16:24 -------- d-----w c:\program files\Microsoft Device Emulator
2009-03-21 16:23 . 2009-03-21 16:23 -------- d-----w c:\program files\Windows Mobile 5.0 SDK R2
2009-03-21 16:22 . 2009-03-21 16:22 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-03-21 16:14 . 2009-03-21 16:12 -------- d-----w c:\program files\HTML Help Workshop
2009-03-21 16:12 . 2009-03-21 16:12 -------- d-----w c:\program files\Microsoft SDKs
2009-03-21 16:12 . 2009-03-21 16:12 -------- d-----w c:\program files\Common Files\Merge Modules
2009-03-21 16:12 . 2009-03-21 16:12 -------- d-----w c:\program files\CE Remote Tools
2009-03-21 16:11 . 2009-03-21 16:11 -------- d-----w c:\program files\Microsoft Web Designer Tools
2009-03-21 16:07 . 2009-03-21 16:07 -------- d-----w c:\program files\MSBuild
2009-03-21 16:07 . 2009-03-21 16:07 -------- d-----w c:\program files\Reference Assemblies
2009-03-21 16:04 . 2009-03-21 16:04 -------- d-----w c:\program files\MSXML 6.0
2009-03-07 10:45 . 2009-03-07 10:45 90112 ----a-w c:\windows\CtDrvIns.exe
2009-03-07 10:45 . 2009-03-07 10:45 811008 ----a-w c:\windows\system32\cximage.dll
2009-03-07 10:45 . 2009-03-07 10:45 7424 ----a-w c:\windows\system32\drivers\OEM02Vfx.sys
2009-03-07 10:45 . 2009-03-07 10:45 376832 ----a-w c:\windows\system32\OEM02Cvw.dll
2009-03-07 10:45 . 2009-03-07 10:45 36864 ----a-w c:\windows\system32\OEM02Pin.dll
2009-03-07 10:45 . 2009-03-07 10:45 36864 ----a-w c:\windows\system32\CtCamMgr.dll
2009-03-07 10:45 . 2009-03-07 10:45 36864 ----a-w c:\windows\OEM02Mon.exe
2009-03-07 10:45 . 2009-03-07 10:45 32768 ----a-w c:\windows\system32\OEM02Hwx.dll
2009-03-07 10:45 . 2009-03-07 10:45 28672 ----a-w c:\windows\OEM02Cfg.exe
2009-03-07 10:45 . 2009-03-07 10:45 24576 ----a-w c:\windows\system32\OEM02Srv.exe
2009-03-07 10:45 . 2009-03-07 10:45 234496 ----a-w c:\windows\system32\drivers\OEM02Dev.sys
2009-03-07 10:45 . 2009-03-07 10:45 141376 ----a-w c:\windows\system32\drivers\OEM02Afx.sys
2009-03-01 06:08 . 2009-03-01 06:08 0 ----a-w c:\windows\nsreg.dat
2009-03-01 05:13 . 2009-03-01 05:13 271360 ----a-w c:\windows\system32\drivers\atksgt.sys
2009-03-01 05:13 . 2009-03-01 05:13 18048 ----a-w c:\windows\system32\drivers\lirsgt.sys
2009-03-01 04:03 . 2009-03-01 05:04 24 --sh--w c:\windows\S26F01AFB.tmp
2007-10-22 10:44 . 2007-10-22 10:44 76 --sh--r c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((( [email protected]_15.17.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-02 16:10 . 2006-11-02 16:10 80912 c:\windows\system32\sherlock2.exe
+ 2004-08-10 06:52 . 2004-08-10 06:52 49221 c:\windows\system32\rv40.dll
+ 2004-08-10 06:52 . 2004-08-10 06:52 49221 c:\windows\system32\rv30.dll
+ 2004-08-10 06:51 . 2004-08-10 06:51 57411 c:\windows\system32\rv20.dll
+ 2004-08-10 06:50 . 2004-08-10 06:50 49216 c:\windows\system32\rv10.dll
+ 2009-05-18 13:19 . 2004-05-18 14:46 39936 c:\windows\system32\huffyuv.dll
+ 2007-01-09 17:05 . 2007-01-09 17:05 26112 c:\windows\system32\ff_wmv9.dll
+ 2009-05-18 13:19 . 2007-09-28 12:35 81920 c:\windows\system32\dpl100.dll
+ 2004-08-10 06:50 . 2004-08-10 06:50 65602 c:\windows\system32\cook.dll
+ 2004-08-10 06:50 . 2004-08-10 06:50 77889 c:\windows\system32\atrc.dll
+ 2009-05-19 14:25 . 2009-05-19 14:25 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-05-19 14:25 . 2009-05-19 14:25 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-05-19 14:25 . 2009-05-19 14:25 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-05-19 14:24 . 2009-05-19 14:24 11544 c:\windows\assembly\GAC\Policy.11.0.office\12.0.0.0__71e9bce111e9429c\Policy.11.0.Office.dll
+ 2009-05-19 14:24 . 2009-05-19 14:24 12080 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Vbe.Interop.dll
+ 2009-05-19 14:25 . 2009-05-19 14:25 12096 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Word.dll
+ 2009-05-19 14:24 . 2009-05-19 14:24 64288 c:\windows\assembly\GAC\Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
+ 2009-05-19 14:24 . 2009-05-19 14:24 80696 c:\windows\assembly\GAC\Microsoft.Office.Interop.Access.Dao\12.0.0.0__71e9bce111e9429c\Microsoft.Office.interop.access.dao.dll
+ 2009-05-18 13:19 . 2007-07-29 12:21 7680 c:\windows\system32\ff_vfw.dll
+ 2009-05-18 13:19 . 2004-01-25 12:48 217088 c:\windows\system32\yv12vfw.dll
+ 2009-05-18 13:19 . 2007-03-10 08:21 282624 c:\windows\system32\xvidvfw.dll
+ 2009-05-18 13:19 . 2007-06-09 00:44 564224 c:\windows\system32\x264vfw.dll
+ 2006-10-26 09:15 . 2006-10-26 09:15 293376 c:\windows\system32\WISPTIS.EXE
+ 2007-09-03 13:35 . 2007-09-03 13:35 966656 c:\windows\system32\VSFilter.dll
+ 2009-05-18 13:19 . 2006-04-02 09:17 630784 c:\windows\system32\vp7vfw.dll
+ 2009-05-18 13:19 . 2004-12-10 04:33 438272 c:\windows\system32\vp6vfw.dll
+ 2009-05-18 13:19 . 2007-09-04 13:26 164352 c:\windows\system32\unrar.dll
+ 2004-08-10 06:50 . 2004-08-10 06:50 106561 c:\windows\system32\sipr.dll
+ 2003-11-25 23:32 . 2003-11-25 23:32 123392 c:\windows\system32\pncrt.dll
- 2004-08-04 01:07 . 2009-05-15 08:31 548226 c:\windows\system32\perfh009.dat
+ 2004-08-04 01:07 . 2009-05-20 06:18 548226 c:\windows\system32\perfh009.dat
- 2004-08-04 01:07 . 2009-05-15 08:31 109472 c:\windows\system32\perfc009.dat
+ 2004-08-04 01:07 . 2009-05-20 06:18 109472 c:\windows\system32\perfc009.dat
+ 2004-04-20 22:00 . 2004-04-20 22:00 172032 c:\windows\system32\OptimFROG.dll
+ 2007-06-17 11:43 . 2007-06-17 11:43 405504 c:\windows\system32\libmplayer.dll
+ 2006-10-26 09:15 . 2006-10-26 09:15 207360 c:\windows\system32\INKED.DLL
- 2009-04-28 14:38 . 2009-05-15 08:30 229864 c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-04-28 14:38 . 2009-05-20 06:48 229864 c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-05-18 13:19 . 1998-11-18 10:03 144384 c:\windows\system32\Iacenc.dll
+ 2009-05-18 13:19 . 1997-04-07 13:49 391680 c:\windows\system32\I263_32.drv
+ 2004-08-10 06:52 . 2004-08-10 06:52 241723 c:\windows\system32\hxltcolor.dll
+ 2007-10-22 10:32 . 2009-05-19 14:29 306008 c:\windows\system32\FNTCACHE.DAT
+ 2007-07-01 10:59 . 2007-07-01 10:59 517632 c:\windows\system32\ff_x264.dll
+ 2007-06-12 11:21 . 2007-06-12 11:21 208896 c:\windows\system32\ff_theora.dll
+ 2004-10-03 17:50 . 2004-10-03 17:50 129024 c:\windows\system32\ff_mpeg2enc.dll
+ 2004-11-24 19:25 . 2004-11-24 19:25 335872 c:\windows\system32\drvc.dll
+ 2004-08-10 06:51 . 2004-08-10 06:51 176195 c:\windows\system32\drv2.dll
+ 2004-08-10 06:50 . 2004-08-10 06:50 102464 c:\windows\system32\drv1.dll
+ 2009-05-18 13:19 . 2007-09-28 12:35 739840 c:\windows\system32\divx.dll
- 2009-03-21 16:11 . 2009-03-21 16:11 217864 c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2009-05-19 14:28 . 2009-05-19 14:28 217864 c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2009-05-19 14:25 . 2009-05-19 14:25 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-05-19 14:25 . 2009-05-19 14:25 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-05-19 14:25 . 2009-05-19 14:25 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-05-19 14:25 . 2009-05-19 14:25 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-05-19 14:25 . 2009-05-19 14:25 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-05-19 14:25 . 2009-05-19 14:25 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-05-19 14:25 . 2009-05-19 14:25 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-05-19 14:24 . 2009-05-19 14:24 416544 c:\windows\assembly\GAC\office\12.0.0.0__71e9bce111e9429c\OFFICE.DLL
+ 2009-05-19 14:25 . 2009-05-19 14:25 229376 c:\windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL
+ 2009-05-19 14:24 . 2009-05-19 14:24 781104 c:\windows\assembly\GAC\Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Word.dll
+ 2009-05-18 13:19 . 2007-07-25 09:54 1559040 c:\windows\system32\xvidcore.dll
- 2008-04-04 18:52 . 2006-11-15 17:31 3596288 c:\windows\system32\qt-dx331.dll
+ 2009-05-18 13:19 . 2007-09-28 12:37 3596288 c:\windows\system32\qt-dx331.dll
+ 2007-07-01 11:12 . 2007-07-01 11:12 3145728 c:\windows\system32\libavcodec.dll
+ 2009-05-19 14:25 . 2009-05-19 14:25 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-05-19 14:25 . 2009-05-19 14:25 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-02-09 10:36 764296 ----a-w c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"IDMan"="d:\program files\Internet Download Manager\IDMan.exe" [2005-05-16 502272]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-03-04 160592]
"DELL Webcam Manager"="c:\program files\Dell\DELL Webcam Manager\DellWMgr.exe" [2007-06-07 118784]
"Yahoo! Pager"="d:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"CloneCDTray"="d:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"VirtualCloneDrive"="d:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"Babylon Client"="d:\program files\Babylon\Babylon-Pro\Babylon.exe" [2009-03-10 2655272]
"Acrobat Assistant 8.0"="d:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2009-03-07 36864]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-04-14 536576]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1025-0000-7760-000000000003}\_SC_Acrobat.exe [2009-3-6 295606]
Adobe Acrobat Synchronizer.lnk - d:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGFwSrv"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"d:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6446:TCP"= 6446:TCP:wcphwkke

R3 OEM02Afx;Provides a software interface to control audio effects of M08 Internal webcam.;c:\windows\system32\drivers\OEM02Afx.sys [3/7/2009 3:15 PM 141376]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [3/7/2009 3:15 PM 234496]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [3/7/2009 3:15 PM 7424]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1676d142-808a-11dc-81bd-806d6172696f}]
\Shell\AutoRun\command - f:\bootcd\wintools\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 09:51]

2009-05-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-03 11:53]

2009-05-20 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-02-09 10:36]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-systemadd - c:\documents and settings\aa\Application Data\sysdate32.exe


.
------- Supplementary Scan -------
.
uStart Page = www.npshop.net
mStart Page = hxxp://www.microsoft.com
mWindow Title = Microsoft Internet Explorer
IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download All Links with IDM - d:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - d:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
LSP: c:\windows\system32\idmmbc.dll
TCP: {87717D8B-35F1-4C78-9376-AEF610464483} = 80.191.89.2 217.218.210.2
FF - ProfilePath - c:\documents and settings\aa\Application Data\Mozilla\Firefox\Profiles\qw7usywd.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13997&locale=en_US&q=
FF - prefs.js: network.proxy.ftp - 194.225.33.7
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 194.225.33.7
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 194.225.33.7
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 194.225.33.7
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 194.225.33.7
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Google Updater\2.4.1508.6312\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-05-20 11:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1044)
c:\windows\system32\idmmbc.dll

- - - - - - - > 'explorer.exe'(2488)
d:\program files\Babylon\Babylon-Pro\CAPTLIB.DLL
d:\program files\Internet Download Manager\idmmkb.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
d:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
d:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-05-20 11:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-20 06:51
ComboFix2.txt 2009-05-18 05:08
ComboFix3.txt 2009-05-15 15:18

Pre-Run: 11,136,745,472 bytes free
Post-Run: 11,026,337,792 bytes free

Attached Files
File Type: rar Scan.rar (676 Bytes, 10 views)
File Type: rar ComboFix.rar (6.1 KB, 15 views)
Old 05-22-2009, 01:30 PM   #8
TSF Security Manager
Emeritus
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



You're welcome.

Downloading a cracked Anti Malware program is a bit counterproductive, don't you think...? Please take the time to educate yourself and anyone else using this PC about Cracked/Illegal Software

***************************************

Just a bit more to do and you're all set.

Open notepad and copy/paste the text in the code box below into it:

Quote:

File::
C:\Documents and Settings\aa\Desktop\Rohani\Crack.Spyware.Doctor.v6.0.1.441.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6446:TCP"=-

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt


--------------------------------------------------------------------

After you've completed the above, your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.



To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here https://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
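As an added example (not code from this thread, and not part of ComboFix itself), here is a small Python triage script for the "Reg Loading Points" part of a ComboFix log like the one posted above. It flags the two findings the helper acted on (a globally open firewall port with an opaque description, and a Run entry launching from a user's Application Data folder) and drafts the File:: / Registry:: CFScript stanzas in the same form the helper's post uses. The log excerpt is a constructed sample in the shape of the posted log, and the "opaque description" heuristic is an assumption of this example, not a ComboFix rule.

```python
"""Triage a ComboFix 'Reg Loading Points' section and draft a CFScript.

Added example, not part of the original thread and not ComboFix's own code.
Assumption: the section uses the INI-like layout ComboFix prints, a '[KEY]'
header line followed by '"name"=value' lines.  The CFScript drafted here is
meant for an analyst to review before use, exactly as in the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the posted log.  The Run entry is written as
# it would have looked before ComboFix removed it (the log lists it under
# ORPHANS REMOVED); its date/size bracket is made up for the sample.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"systemadd"="c:\documents and settings\aa\Application Data\sysdate32.exe" [2009-05-10 40960]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6446:TCP"= 6446:TCP:wcphwkke
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"""

HEADER_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# Heuristic (assumption): a firewall exception described by a bare run of
# lower-case letters, with no path or resource-DLL reference, is worth review.
OPAQUE_DESC_RE = re.compile(r"^[a-z]{6,}$")

Entry = Tuple[str, str, str]  # (registry key, value name, raw value text)


def parse_reg_section(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group '"name"=value' lines under the preceding [KEY] header."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group("key")
            sections.setdefault(current, [])
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            sections[current].append((value.group("name"), value.group("value").strip()))
    return sections


def find_suspicious_ports(sections: Dict[str, List[Tuple[str, str]]]) -> List[Entry]:
    """Globally open ports whose description is opaque (ComboFix prints port:proto:desc)."""
    hits: List[Entry] = []
    for key, entries in sections.items():
        if not key.endswith("GloballyOpenPorts\\List"):
            continue
        for name, value in entries:
            parts = value.split(":", 2)
            desc = parts[2] if len(parts) == 3 else ""
            if OPAQUE_DESC_RE.match(desc):
                hits.append((key, name, value))
    return hits


def find_profile_run_entries(sections: Dict[str, List[Tuple[str, str]]]) -> List[Entry]:
    """Run entries whose target lives under a user's Application Data folder."""
    hits: List[Entry] = []
    for key, entries in sections.items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, value in entries:
            if "\\application data\\" in value.lower():
                hits.append((key, name, value))
    return hits


def build_cfscript(port_hits: List[Entry], run_hits: List[Entry]) -> str:
    """Draft File:: and Registry:: stanzas; '"name"=-' under a key deletes that value."""
    out: List[str] = []
    targets = [m.group(1) for _, _, v in run_hits if (m := re.match(r'^"([^"]+)"', v))]
    if targets:
        out.append("File::")
        out.extend(targets)
        out.append("")
    by_key: Dict[str, List[str]] = {}
    for key, name, _ in port_hits + run_hits:
        by_key.setdefault(key, []).append(name)
    if by_key:
        out.append("Registry::")
        for key, names in by_key.items():
            out.append(f"[{key}]")
            out.extend(f'"{name}"=-' for name in names)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    secs = parse_reg_section(SAMPLE_LOG)
    print(build_cfscript(find_suspicious_ports(secs), find_profile_run_entries(secs)))
```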
Copyright 2001 - 2018, Tech Support Forum