Virus that disables everything

Old 10-21-2008, 04:00 AM   #1
Guest
 
Join Date: Oct 2008
Posts: 14



Hi, I have an unknown virus infection.
Tried all the steps and the only one that I could perform was the installation of SpywareBlaster.

I can't perform the online scan because it fails due to some error when installing.
I can't remove anything by hand because my control panel is gone.
I can't install anti-virus programs.
I can't use Task Manager.
I can't run any online virus scanner.
I have a VIRUS alert text in my taskbar.
Registry is disabled so I can't do anything there.
So basically I can't do anything, but I can run the HijackThis scan.
I cannot start in Safe Mode.

I did run Bitdefender Rescue disk (updated) but it could not remove 4 suspected files. So that's where the virus is I guess.
Bitdefender could not identify the virus.



Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59: VIRUS ALERT!, on 10/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Wanadoo\NL\Mnu\igomnu.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe
C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {1a29a79a-b9c8-44a9-bedf-7fadde3cf33f} - (no file)
O3 - Toolbar: rosqxvmn - {148BDBE0-051C-4B70-84B3-889274D33E60} - C:\WINDOWS\rosqxvmn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [mnu] C:\Program Files\Wanadoo\NL\Mnu\igomnu.exe /S:T
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [50298a62] rundll32.exe "C:\WINDOWS\system32\yabffadv.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [mnu] C:\Program Files\Wanadoo\NL\Mnu\igomnu.exe /S:T
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-527237240-854245398-725345543-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'postgres')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: The Matrix_ Path of Neo Registration.lnk = C:\Documents and Settings\iceball1\Local Settings\Temp\{743F4A69-530E-4E09-9935-D8B2DBF1B53E}\{E571E8B1-9771-465D-9DE0-3BA2D1BDAE99}\ATR1.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: MrBpoker Poker - {0932285F-432B-42b0-B960-7946B1950802} - C:\Program Files\MrBookmakerMPP\MPPoker.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Rob's Poker Room - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\ROB'SP~1\client.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - https://www.fileplanet.com/fpdlmgr/ca...C_2.1.1.74.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://update.microsoft.com/windowsu...?1133981140406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - https://update.microsoft.com/microsof...?1133981276249
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Regi...18/flashax.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: qolfcu.dll
O21 - SSODL: qrbgltos - {FD866F32-312F-4C4F-A378-3D58320874EC} - C:\WINDOWS\qrbgltos.dll
O21 - SSODL: ngwstxfd - {0E76F727-73CB-4561-B543-E869292EBBD0} - C:\WINDOWS\ngwstxfd.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.2 (pgsql-8.2) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 13602 bytes
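The log above contains the persistence points a helper reads first: the F2 UserInit line loading a second program (ntos.exe), the O20 AppInit_DLLs entry, the O21 ShellServiceObjectDelayLoad DLLs and O3 toolbar with randomly generated names, the O4 Run value with a hex-looking name, and the O6/O7 policy restrictions that explain the disabled regedit. The triage script below is an added example written for this thread; it is not part of the original post and not a Trend Micro or HijackThis tool. It parses the HijackThis line format and applies those checks to a constructed sample made of lines copied from the log above plus a few benign entries. The "random-looking name" rule (6 to 8 lowercase letters with few vowels) is my own heuristic, not a published signature, and is meant to prioritise manual review rather than to replace it.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: lines copied from the HijackThis log posted above,
# plus benign entries (Yahoo toolbar, NvCplDaemon, NvMediaCenter, NVSvc) to
# show what the rules leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: rosqxvmn - {148BDBE0-051C-4B70-84B3-889274D33E60} - C:\WINDOWS\rosqxvmn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [50298a62] rundll32.exe "C:\WINDOWS\system32\yabffadv.dll",b
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: qolfcu.dll
O21 - SSODL: qrbgltos - {FD866F32-312F-4C4F-A378-3D58320874EC} - C:\WINDOWS\qrbgltos.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis entry starts with a section code ("R0", "O4", ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
DLL_RE = re.compile(r"([A-Za-z0-9_]+)\.dll\b", re.I)
RUN_NAME_RE = re.compile(r"\[([^\]]+)\]")


@dataclass
class Finding:
    severity: str  # "high" = act on it, "review" = confirm by hand
    section: str
    reason: str
    line: str


def random_looking(stem: str) -> bool:
    """Heuristic (my assumption, not a signature): generated names such as
    qrbgltos, ngwstxfd or yabffadv are 6-8 lowercase letters with few vowels,
    while vendor names like NvMcTray are mixed-case or, like nwiz, shorter."""
    if not re.fullmatch(r"[a-z]{6,8}", stem):
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.3


def triage(log_text: str) -> List[Finding]:
    """Apply the checks a helper applies by eye to each HijackThis line."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank line
        sec, body = m.group("section"), m.group("body")
        if sec == "R0" and "Start Page" in body and "go.microsoft.com" not in body:
            findings.append(Finding("review", sec, "start page points away from the default", raw))
        elif sec == "F2" and "UserInit=" in body:
            # UserInit is a comma-separated list; only userinit.exe belongs there.
            programs = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
            extras = [p for p in programs if not p.lower().endswith("\\userinit.exe")]
            if extras:
                findings.append(Finding("high", sec, "extra UserInit program: " + ", ".join(extras), raw))
        elif sec == "O20":
            dlls = body.split(":", 1)[1].strip() if ":" in body else ""
            if dlls:
                findings.append(Finding("high", sec, f"AppInit_DLLs loads {dlls} into every process that maps user32", raw))
        elif sec in ("O6", "O7"):
            findings.append(Finding("high", sec, "policy restriction set on the user account", raw))
        elif sec in ("O3", "O4", "O21"):
            reasons = []
            dll = DLL_RE.search(body)
            if dll and random_looking(dll.group(1)):
                reasons.append(f"randomly named DLL {dll.group(1)}.dll")
            name = RUN_NAME_RE.search(body) if sec == "O4" else None
            if name and re.fullmatch(r"[0-9a-f]{8}", name.group(1)):
                reasons.append(f"hex-looking Run value name [{name.group(1)}]")
            if reasons:
                findings.append(Finding("high", sec, "; ".join(reasons), raw))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity so the action list is visible at a glance."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample this reports seven high findings and one item for review; the two NVIDIA rundll32 entries and the Yahoo toolbar pass, which is the point of requiring an all-lowercase stem before the vowel test. A real log is longer, so the script is best run on the saved HijackThis.txt and read alongside the O23 service list, which it deliberately does not score.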
Old 10-23-2008, 07:40 AM   #2
Guest
 
Join Date: Oct 2008
Posts: 14



bump

Extra info: it puts 3 shortcuts on the desktop, to Malware Defender,
Protect Your Privacy and System Error Fixer.
Old 10-24-2008, 05:29 AM   #3
TSF Team, Emeritus
 
Join Date: Oct 2006
Location: UK
Posts: 5,264



Hello and welcome to TSF

You may need to download Combofix to a non-infected computer, then transfer Combofix using usb stick/flash drive or any other removable media device to the infected computer.

=========

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


==========

Click Start > Run and copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

============

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

============
Logs Required
C:\Combofix.txt
C:\Qoobox\Add-Remove Programs.txt
Hijackthis Log


Let me know how your system is running now: can you connect to the internet, do you still receive pop-ups?

========

If there is no response to this post within 72hrs, this thread will be closed.
Old 10-24-2008, 07:05 AM   #4
Guest
 
Join Date: Oct 2008
Posts: 14



The 3 shortcuts on the desktop are back.
Task Manager is disabled again (I fixed it before running ComboFix and rebooted) and Automatic Updates etc. is still disabled.
Control Panel is back and the date/time in the taskbar is fixed.
So far no popups, but I did not get too many anyway.

Internet is fine, never was a problem.


Combofix log

Quote:
ComboFix 08-10-23.08 - iceball1 2008-10-24 15:39:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1308 [GMT 2:00]
Running from: C:\cleaning\Combo-Fix.exe
* Created a new restore point
* Resident AV is active

.
Error: Cfiles.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\iceball1\Favorites\Online Security Test.url
C:\Documents and Settings\postgres\Application Data\wsnpoem
C:\Documents and Settings\postgres\Application Data\wsnpoem\audio.dll
C:\Program Files\videokeycodec
C:\Program Files\videokeycodec\ot.ico
C:\Program Files\videokeycodec\ts.ico
C:\WINDOWS\esmf.exe
C:\WINDOWS\grfxbanodkx.dll
C:\WINDOWS\system32\byqhwp.dll
C:\WINDOWS\system32\cvorhruw.ini
C:\WINDOWS\system32\DNXaIRqr.ini
C:\WINDOWS\system32\DNXaIRqr.ini2
C:\WINDOWS\system32\dsoekurr.dll
C:\WINDOWS\system32\duzriq.dll
C:\WINDOWS\system32\dwxrtvmm.ini
C:\WINDOWS\system32\flpdajjf.dll
C:\WINDOWS\system32\ilsiep.dll
C:\WINDOWS\system32\lckuot.dll
C:\WINDOWS\system32\leeusekt.dll
C:\WINDOWS\system32\mmdvudav.ini
C:\WINDOWS\system32\ntlwluyn.ini
C:\WINDOWS\system32\opnnmNef.dll
C:\WINDOWS\system32\qolfcu.dll
C:\WINDOWS\system32\qqlobhdx.ini
C:\WINDOWS\system32\rysvwwds.dll
C:\WINDOWS\system32\smkwqbxl.dll
C:\WINDOWS\system32\ssqOEVoO.dll
C:\WINDOWS\system32\TDSSerrors.log
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\uclwkgcg.dll
C:\WINDOWS\system32\vdaffbay.ini
C:\WINDOWS\system32\vukctvam.ini
C:\WINDOWS\system32\wdaeirpb.dll
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\000B5DD9.uf
C:\WINDOWS\system32\wsnpoem\000B5DE9.uf
C:\WINDOWS\system32\wsnpoem\000B5E37.uf
C:\WINDOWS\system32\wsnpoem\000B5E56.uf
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\audio.dll.cla
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\xdhbolqq.dll
C:\WINDOWS\system32\xswbdt.dll
C:\WINDOWS\system32\xveazk.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Legacy_VMWARE_NAT_SERVICE
-------\Service_TDSSserv
-------\Service_VMware NAT Service


((((((((((((((((((((((((( Files Created from 2008-09-24 to 2008-10-24 )))))))))))))))))))))))))))))))
.

2008-10-24 15:45 . 2008-10-24 15:45 <DIR> d-------- C:\Documents and Settings\iceball1\Application Data\TmpRecentIcons
2008-10-24 15:30 . 2008-10-24 15:30 <DIR> d-------- C:\cleaning
2008-10-21 12:41 . 2008-10-21 12:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-21 12:37 . 2008-10-21 12:37 <DIR> d-------- C:\Program Files\Panda Security
2008-10-17 13:58 . 2008-10-17 13:58 <DIR> d-------- C:\Program Files\AVG
2008-10-17 05:36 . 2008-10-17 05:36 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-10-17 05:36 . 2008-10-17 05:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-10-17 05:35 . 2008-10-17 05:35 <DIR> d-------- C:\WINDOWS\147BCE03C0F14C9F81576A89B6D2D973.TMP
2008-10-17 05:35 . 2008-10-17 05:36 <DIR> d-------- C:\Program Files\McAfee
2008-10-17 05:22 . 2008-10-17 05:22 261,632 --a------ C:\WINDOWS\system32\rqRIaXND.dll
2008-10-17 05:16 . 2008-10-16 18:18 323,584 --a------ C:\WINDOWS\qrbgltos.dll
2008-10-17 05:16 . 2008-10-16 18:18 270,336 --a------ C:\WINDOWS\ngwstxfd.dll
2008-10-17 05:16 . 2008-10-16 18:18 212,992 --a------ C:\WINDOWS\rosqxvmn.dll
2008-10-17 05:16 . 2008-10-16 18:18 131,072 --a------ C:\WINDOWS\lomxeqsn.exe
2008-10-17 04:12 . 2008-10-17 04:12 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-10-16 22:28 . 2008-10-16 22:28 <DIR> d-------- C:\scrips
2008-10-13 22:37 . 2008-10-13 22:38 <DIR> d-------- C:\popophist
2008-10-13 02:06 . 2008-10-13 02:22 <DIR> d-------- C:\PopopopPlayer
2008-10-12 14:47 . 2008-10-12 14:47 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-10-09 16:49 . 2008-10-09 16:49 20,022 --a------ C:\fulltiltplo.pah
2008-10-09 02:47 . 2008-10-09 02:47 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-10-07 16:34 . 2008-10-07 16:34 <DIR> d-------- C:\willem
2008-10-03 05:49 . 2008-10-21 23:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-03 05:49 . 2008-10-03 05:49 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-29 21:05 . 2008-09-29 21:05 18,474 --a------ C:\fulltiltlayout.pah

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 13:48 --------- d-----w C:\Documents and Settings\postgres\Application Data\VMware
2008-10-24 13:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-10-24 13:47 --------- d-----w C:\Documents and Settings\iceball1\Application Data\Xfire
2008-10-24 13:30 --------- d-----w C:\Program Files\Full Tilt Poker
2008-10-24 12:42 138,376 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-10-24 12:41 182,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-10-24 12:40 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-10-24 10:34 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\VMware
2008-10-22 23:30 --------- d-----w C:\Program Files\Poker Tracker Omaha
2008-10-22 23:24 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-21 21:23 --------- d-----w C:\Program Files\Zoom Player
2008-10-21 20:09 --------- d-----w C:\Program Files\Poker Tracker V2
2008-10-21 14:04 --------- d-----w C:\Program Files\SpywareBlaster
2008-10-17 18:10 --------- d-----w C:\Program Files\VirusBursters
2008-10-17 18:10 --------- d-----w C:\Program Files\LaTeXPiX
2008-10-17 18:10 --------- d-----w C:\Program Files\DAEMON Tools
2008-10-17 18:10 --------- d-----w C:\Program Files\Bridge Building Game
2008-10-17 03:50 98,304 ----a-w C:\WINDOWS\DUMPbf0a.tmp
2008-10-16 03:17 --------- d-s---w C:\Program Files\Xfire
2008-10-14 21:45 --------- d-----w C:\Program Files\Everest Poker
2008-10-10 18:57 --------- d-----w C:\Program Files\Everest Casino
2008-10-06 01:01 --------- d-----w C:\Program Files\PokerEV
2008-09-24 01:19 --------- d-----w C:\Documents and Settings\iceball1\Application Data\Azureus
2008-09-23 16:53 --------- d--h--w C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2008-09-23 00:19 --------- d-----w C:\Program Files\PokerStars
2008-09-21 03:27 --------- d-----w C:\Program Files\Azureus
2008-09-21 03:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-09-18 12:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-18 12:41 --------- d-----w C:\Program Files\Logitech
2008-09-18 12:41 --------- d-----w C:\Program Files\Common Files\Logitech
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-12 15:07 --------- d-----w C:\Program Files\RealVNC
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-28 03:26 --------- d-----w C:\Documents and Settings\iceball1\Application Data\dvdcss
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-08 01:47 3,811,580 ----a-w C:\PokerEV Installer(9).exe
2008-08-06 23:22 38,674,984 ----a-w C:\175.19_geforce_winxp_32bit_english_whql.exe
2008-08-06 20:31 5,702,435 ----a-w C:\hmupdate1.06.01p.exe
2008-08-06 16:58 2,037 ----a-w C:\caseysconfig_v2.zip
2008-08-05 14:01 6,589,711 ----a-w C:\ArcadeInstallFull205-google.exe
2008-08-05 14:00 17,920 ----a-w C:\eyeinst(2).exe
2008-08-05 13:59 11,776 ----a-w C:\EyeInstaller.exe
2008-08-05 09:30 17,920 ----a-w C:\eyeinst.exe
2007-07-25 20:31 1,228,800 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2006-10-03 01:43 2,402,550 ----a-w C:\WINDOWS\inf\SET1E82.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70677030-9d6c-42a9-ac42-d4ca92cc251f}]
2008-10-24 15:57 112640 --a------ C:\WINDOWS\system32\zkcwjy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D25D0BF4-5D08-4EB5-AC29-322035A126B1}]
2008-10-17 05:22 261632 --a------ C:\WINDOWS\system32\rqRIaXND.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{148BDBE0-051C-4B70-84B3-889274D33E60}"= "C:\WINDOWS\rosqxvmn.dll" [2008-10-16 212992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@="{30351346-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@="{30351347-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@="{30351348-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@="{3035134B-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@="{3035134C-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@="{3035134D-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@="{3035134E-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"mnu"="C:\Program Files\Wanadoo\NL\Mnu\igomnu.exe" [2005-02-15 430328]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-21 180269]
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2005-05-23 127118]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"mnu"="C:\Program Files\Wanadoo\NL\Mnu\igomnu.exe" [2005-02-15 430328]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"WireLessMouse"="C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe" [2005-08-30 303104]
"WireLessKeyboard"="C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe" [2005-08-30 319488]
"POEngine"="C:\Program Files\PokerOffice\POEngine.exe" [2005-07-13 18944]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-10-31 921600]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-15 35328]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
"UltraMon"="C:\Program Files\UltraMon\UltraMon.exe" [2007-04-01 299520]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"50298a62"="C:\WINDOWS\system32\fqawckio.dll" [2008-10-24 76800]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 C:\WINDOWS\soundman.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-11-03 C:\WINDOWS\KHALMNPR.Exe]
"CTHelper"="CTHELPER.EXE" [2005-12-08 C:\WINDOWS\CTHELPER.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Firefox Preloader.lnk - C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe [2007-06-06 98304]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-12-07 532480]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
"NoDispCPL"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"NoStartMenuMorePrograms"= 1 (0x1)
"NoSetFolders"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"qrbgltos"= {FD866F32-312F-4C4F-A378-3D58320874EC} - C:\WINDOWS\qrbgltos.dll [2008-10-16 323584]
"ngwstxfd"= {0E76F727-73CB-4561-B543-E869292EBBD0} - C:\WINDOWS\ngwstxfd.dll [2008-10-16 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=byqhwp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid C:\WINDOWS\system32\rqRIaXND

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\gamezz(2)\\Command & Conquer The First Decade\\Command & Conquer(tm) Generals Zero Hour\\generals.exe"=
"C:\\games\\quake3-2\\quake3.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\download\\Virtua Tennis\\VIRTUA_TENNIS_PC.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"E:\\gamezz\\fifa06\\FIFA06.exe"=
"E:\\gamezz\\pes5\\PES5.exe"=
"C:\\backup\\ultrafxp\\UltraFxp.exe"=
"C:\\games\\quake\\fuhquake-gl.exe"=
"C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142 Demo\\BF2142.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\PokerOffice\\bin\\javaw.exe"=
"C:\\gamezz\\bf2\\BF2142.exe"=
"C:\\Program Files\\InterPoker\\UA.exe"=
"C:\\games\\quake\\ezquake-gl.exe"=
"C:\\gamezz\\UT2004\\System\\UT2004.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\games\\Warcraft III\\Warcraft III.exe"=
"C:\\games\\Warcraft III\\War3.exe"=
"C:\\Documents and Settings\\iceball1\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"C:\\gamezz\\TrackMania United\\TmUnited.exe"=
"C:\\gamezz\\dirt\\DiRT.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver2.exe"=
"C:\\exclipse\\eclipse\\eclipse.exe"=
"E:\\gamezz(2)\\Command & Conquer The First Decade\\Command & Conquer(tm) Generals\\game.dat"=
"E:\\gamezz\\daw\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"E:\\gamezz\\coh\\RelicCOH.exe"=
"E:\\gamezz\\sup\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"E:\\gamezz\\sup\\GPGNet\\GPG.Multiplayer.Client.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Everest Poker\\CStart.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"E:\\gamezz\\AA\\System\\ArmyOps.exe"=
"E:\\gamezz\\steam\\SteamApps\\iceball13\\counter-strike source\\hl2.exe"=
"E:\\gamezz\\steam\\SteamApps\\iceball13\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"E:\\gamezz\\steam\\SteamApps\\iceball13\\team fortress 2\\hl2.exe"=
"E:\\gamezz\\soloar\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
"5432:TCP"= 5432:TCP:postgresql
"6666:TCP"= 6666:TCP:vnc servertje
"6666:UDP"= 6666:UDP:vnc udp

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2005-12-14 78336]
R1 raddrvv3;raddrvv3;C:\WINDOWS\system32\rserver30\raddrvv3.sys [2007-02-02 41176]
R2 pgsql-8.2;PostgreSQL Database Server 8.2;C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe runservice -N pgsql-8.2 -D C:\Program Files\PostgreSQL\8.2\data\ [ ]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 11776]
R2 vmserverdWin32;VMware Registration Service;C:\Program Files\VMware\VMware Server\vmserverdWin32.exe [2008-03-04 1650781]
R3 mirrorv3;mirrorv3;C:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-11-01 3328]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 3584]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 RServer3;Radmin Server V3;C:\WINDOWS\system32\rserver30\RServer3.exe [2007-02-02 1235032]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CF8FF8B8-44A2-4BA8-97A1-9A4DC143F07B}]
C:\WINDOWS\system32\msiexec.exe /qn /fpu {CF8FF8B8-44A2-4BA8-97A1-9A4DC143F07B}
.
Contents of the 'Scheduled Tasks' folder

2008-10-21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
.
- - - - ORPHANS REMOVED - - - -

BHO-{083B32AD-4448-4F60-B38B-BBD1C8197630} - C:\WINDOWS\grfxbanodkx.dll
BHO-{E7602565-6B9E-49EC-B0B5-55F5CDA67DBB} - C:\WINDOWS\system32\ssqOEVoO.dll
HKCU-Run-MsnMsgr - C:\Program Files\MSN Messenger\MsnMsgr.Exe
HKU-Default-Run-Spyware Doctor - (no file)
ShellExecuteHooks-{E7602565-6B9E-49EC-B0B5-55F5CDA67DBB} - C:\WINDOWS\system32\ssqOEVoO.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\iceball1\Application Data\Mozilla\Firefox\Profiles\xiuur77l.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
FF -: plugin - C:\Documents and Settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\IGN\Download Manager\npfpdlm.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPLM32.DLL
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-10-24 15:45:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\rqRIaXND.dll
-> C:\Program Files\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\ESET\nod32krn.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-10-24 15:59:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-24 13:59:13

Pre-Run: 6,017,413,120 bytes free
Post-Run: 15,972,954,112 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

394 --- E O F --- 2008-10-17 01:03:29

Add and Remove

Quote:
AC3Filter (remove only)
Ad-Aware SE Personal
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Download Manager 2.0 (Remove Only)
Adobe Dreamweaver CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Help Viewer CS3
Adobe PDF Library Files
Adobe Reader 7.0.8
Adobe Setup
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Age of Empires III
Age of Empires III
AGEIA PhysX v2.6.0
allSnap version 1.30.6 Release
ALShow
Altova UModel 2008 Enterprise Edition
Altova UModel 2008 for Eclipse
America's Army
Apple Software Update
AstroPop Deluxe
AutoHotkey 1.0.46.17
Azureus
Battlefield 2142
Battlefield 2142 Demo
BitTornado 0.3.7
Black & White® 2
Blackjack Ballroom Casino
Blaze Media Pro
Blaze Media Pro
Bridge Building Game
Call of Duty(R) 2
Call of Duty(R) 2
Call of Duty(R) 2 Demo
Call of Duty(R) 2 Demo
Call of Duty(R) 2 Patch 1.2
Call of Duty(R) 2 Patch 1.3
CloneCD
CloneDVD 3.9.1
Command & Conquer The First Decade
Company of Heroes
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Counter-Strike: Source
Counter-Strike: Source
Creative Audio Console
CVSNT 2.5.03.2382
Dawn of War - Dark Crusade
Day of Defeat: Source
DesertCombat 0.7
DEVIL MAY CRY 4
DiRT
eMusic - 100 Free MP3 offer
Everest Casino (Remove Only)
Everest Poker (Remove Only)
Excessive Plus
FIFA 06
FIFA 99
Firefox Preloader
FLV Player
FreePHG V2.09
Full Tilt Poker
GameSpy Arcade
GameTime+
Google Earth
GPGNet
GPL Ghostscript 8.15
GPL Ghostscript Fonts
GSview 4.7
Gunner2 + Xmas Pack 1
Half-Life 2: Deathmatch
Half-Life 2: Lost Coast
Hamachi 1.0.2.2
HijackThis 2.0.2
Hitman Pro
Holdem Manager
Holdem Manager
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
IGN Download Manager 2.1.1
iiyama Monitor Test 2.1
InterPoker
iTunes
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java DB 10.2.2.0
Java(TM) 6 Update 2
Java(TM) 6 Update 5
Java(TM) SE Development Kit 6 Update 2
Juniper Terminal Services Client
KDiff3 (remove only)
LaTeXPiX Uninstaller (Remove Only)
LiveMath Plug-In/ActiveX 3.5.9 [U10] - July 2007
Logitech Gaming Software
Logitech SetPoint
Macromedia Shockwave Player
MANSION Poker (remove only)
MathGV 3.1
McAfee Agent
McPoker 1.3
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Robotics Studio (1.0)
Microsoft Robotics Studio Help (1.0)
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual J# 2.0 Redistributable Package
Microsoft XML Parser and SDK
Microsoft XNA Framework
MiKTeX
mIRC
Mozilla Firefox (3.0.3)
mpegable DS decoder
MrBpoker
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Multi Table Helper
NewsLeecher
NewsLeecher v3.9 Beta 2
NOD32 antivirus systeem
Notepad++
NVIDIA Drivers
NvMixer
Pacific Poker
PartyCasino
PartyPoker
Peter's Flexible RenAmiNg Kit (PFrank) 1.95
PlayLinc
Poker Grapher
Poker Ocean
Poker Superstars Invitational
Poker Tracker Omaha Version 1.09.02
Poker Tracker Omaha Version 1.11.01
Poker Tracker Version 2.16.02b
PokerAce Hud (remove only)
PokerEV
PokerOffice (remove only)
PokerRoom.com (remove only)
PokerStars
PokerStove version 1.21
PostgreSQL 8.2
PowerCinema 4.0
Prince of Persia T2T
Pro Evolution Soccer 5
Pro Evolution Soccer 5
Python 2.5.1
Quake 4(TM)
Quake 4(TM)
Quake 4(TM) 1.0.4 Patch
QuickPar 0.9
QuickTime
Radmin Server 3.0
RealPlayer
Realtek AC'97 Audio
Remote Administrator v2.1
Rob's Poker Room
Roguescanfix 1.5
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Setometer
Sins of a Solar Empire
Sins of a Solar Empire
SLD Codec Pack
SmartSVN 3.0.3_01
SpeechRedist
Spy Sweeper
Spybot - Search & Destroy 1.4
Spyware Doctor 4.0
SpywareBlaster 4.1
SSL WRAPPER
Starcraft
Steam(TM)
Super Castle Attack
Supreme Commander - Forged Alliance
T6poker
Team Fortress 2
TetriNet2
The Matrix - Path of Neo
THE SETTLERS - Heritage of Kings
The Settlers II - 10th Anniversary
TortoiseCVS 1.10.4
TortoiseSVN 1.4.5.10425 (32 bit)
Tourney Manager
TrackMania Nations ESWC 1.7.9
TrackMania Sunrise Extreme Demo 1.5.0
TrackMania United 0.2.0.8
Trust DS-3200 Wireless Optical Slimline Deskset
Trust DS-3200 Wireless Optical Slimline Deskset
UltimateBet
UltraMon
Universal Replayer
Unreal Tournament 2004
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
VideoKeyCodec 11.0
VideoLAN VLC media player 0.8.6a
Virtua Tennis 3
VMware Server
VNC Enterprise Edition E4.4.1
VNC Mirror Driver 1.8.0
Vuze
Vuze Launcher
Wanadoo menu component
Warcraft III
WebFldrs XP
Winamp (remove only)
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888162
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinEdt
WinRAR archiver
WPF v3.0.6715.0
Xfire (remove only)
XML Paper Specification Shared Components Pack 1.0
Yahoo! Toolbar
Yahoo! Toolbar
Zoom Player (remove only)
Zuma Deluxe
Zylom Games Player Plugin
HiJackThis log

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:02: VIRUS ALERT!, on 10/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Wanadoo\NL\Mnu\igomnu.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe
C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: rosqxvmn - {148BDBE0-051C-4B70-84B3-889274D33E60} - C:\WINDOWS\rosqxvmn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [mnu] C:\Program Files\Wanadoo\NL\Mnu\igomnu.exe /S:T
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [50298a62] rundll32.exe "C:\WINDOWS\system32\fqawckio.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mnu] C:\Program Files\Wanadoo\NL\Mnu\igomnu.exe /S:T
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-527237240-854245398-725345543-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'postgres')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: The Matrix_ Path of Neo Registration.lnk = C:\Documents and Settings\iceball1\Local Settings\Temp\{743F4A69-530E-4E09-9935-D8B2DBF1B53E}\{E571E8B1-9771-465D-9DE0-3BA2D1BDAE99}\ATR1.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: MrBpoker Poker - {0932285F-432B-42b0-B960-7946B1950802} - C:\Program Files\MrBookmakerMPP\MPPoker.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Rob's Poker Room - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\ROB'SP~1\client.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - https://www.fileplanet.com/fpdlmgr/ca...C_2.1.1.74.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://update.microsoft.com/windowsu...?1133981140406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - https://update.microsoft.com/microsof...?1133981276249
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Regi...18/flashax.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: byqhwp.dll
O21 - SSODL: qrbgltos - {FD866F32-312F-4C4F-A378-3D58320874EC} - C:\WINDOWS\qrbgltos.dll
O21 - SSODL: ngwstxfd - {0E76F727-73CB-4561-B543-E869292EBBD0} - C:\WINDOWS\ngwstxfd.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.2 (pgsql-8.2) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 12605 bytes
iceball is offline  
Old 10-24-2008, 09:54 AM   #5
TSF Team, Emeritus
 
Join Date: Oct 2006
Location: UK
Posts: 5,264
OS: OS



Hello again

Download ATF-Cleaner by Atribune to your desktop. Do not run just yet, we will shortly

=========

From your logs you would appear to have two antivirus programs installed, McAfee and NOD32, please uninstall one of them. Having two of these programs installed on the same machine will cause system slowdowns, furthermore, it does not offer greater protection.

=========

P2P

P2P - I see you have P2P software Azureus, BitTornado 0.3.7, Vuze and Vuze Launcher installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

References for the risk of these programs are Here,
Here and Here.

=========

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

Blackjack Ballroom Casino<---https://www.bleepingcomputer.com/unin...om-Casino.html
eMusic - 100 Free MP3 offer<---https://www.bleepingcomputer.com/unin...MP3-offer.html
(Everest Casino
Everest Poker )<---
https://www.threatexpert.com/report.a...8-87f6049a830e
Full Tilt Poker<---https://www.bleepingcomputer.com/unin...ilt-Poker.html
GameSpy Arcade<---https://www.spywareguide.com/product_show.php?id=1242
Pacific Poker<---https://www.prevx.com/filenames/12590...POKER.EXE.html
PartyCasino<---https://www.emsisoft.com/en/malware/?...n32.PartyPoker
PartyPoker<---https://www.emsisoft.com/en/malware/?...n32.PartyPoker
VideoKeyCodec 11.0<---https://www.bleepingcomputer.com/unin...odec-11.0.html

=========

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
https://www.techsupportforum.com/security-center/hijackthis-log-help/304604-virus-disables-everything.html

Collect::
C:\WINDOWS\system32\rqRIaXND.dll
C:\WINDOWS\qrbgltos.dll
C:\WINDOWS\ngwstxfd.dll
C:\WINDOWS\rosqxvmn.dll
C:\WINDOWS\lomxeqsn.exe
C:\WINDOWS\system32\fqawckio.dll

DirLook::
C:\WINDOWS\147BCE03C0F14C9F81576A89B6D2D973.TMP

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70677030-9d6c-42a9-ac42-d4ca92cc251f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D25D0BF4-5D08-4EB5-AC29-322035A126B1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"50298a62"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"qrbgltos"=-
"ngwstxfd"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"=-
Save this as CFscript







Referring to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file(s).

===========


JAVA OUTDATED


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 10. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

============

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you have Firefox installed:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you have Opera installed:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

==========

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

This animation will guide you through the process:




To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

============

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

============
Logs Required
C:\Combofix.txt
Kaspersky Scan Report
Hijackthis Log


How is your system running now?
TheBruce1 is offline  
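The CFScript above works on three autostart locations HijackThis reports as O2 (Browser Helper Objects), O21 (ShellServiceObjectDelayLoad) and O23 (services). As an added example for this thread, not code from HijackThis, ComboFix or the forum helpers, the Python below parses those three line formats from a HijackThis log into records and lists the structural reasons an analyst would review an entry: a module sitting directly in the Windows directory, an SSODL CLSID missing from a known-good baseline, a BHO with no display name, a service with no publisher. The O21 and O23 sample lines are copied from the log in this thread; the O2 line is constructed from the BHO CLSID and DLL path ComboFix later lists under ORPHANS REMOVED, with its "(no name)" label assumed. The XP SSODL baseline CLSIDs are an assumption to confirm against a clean machine of the same build.

```python
"""HijackThis log triage: parse O2 / O21 / O23 lines and list review reasons.

Added example for this thread. It is not code from HijackThis, ComboFix or the
forum helpers; it only reads the text formats shown in the posted log.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample. The O21 and O23 lines are copied from the HijackThis log
# posted in this thread. The O2 line is built from the BHO CLSID and DLL path
# ComboFix later listed under "ORPHANS REMOVED"; its "(no name)" label is assumed.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {AA648284-F2A4-4A62-B504-3088EA73F3AE} - C:\WINDOWS\system32\rqRIaXND.dll
O21 - SSODL: qrbgltos - {FD866F32-312F-4C4F-A378-3D58320874EC} - C:\WINDOWS\qrbgltos.dll
O21 - SSODL: ngwstxfd - {0E76F727-73CB-4561-B543-E869292EBBD0} - C:\WINDOWS\ngwstxfd.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

# Assumed baseline: ShellServiceObjectDelayLoad CLSIDs present on a default
# Windows XP install. Confirm against a known-clean machine of the same build.
XP_SSODL_BASELINE = {
    "{7849596A-48EA-486E-8937-A2A3009F31A9}",  # PostBootReminder
    "{FBEB8A05-BEEE-4442-804E-409D6C4515E9}",  # CDBurn
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}",  # WebCheck
    "{35CEC8A3-2BE6-11D2-8773-92E220524153}",  # SysTray
}

_CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
_PATTERNS = {
    "BHO": re.compile(rf"^O2 - BHO: (?P<name>.+?) - (?P<clsid>{_CLSID}) - (?P<path>.+)$"),
    "SSODL": re.compile(rf"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>{_CLSID}) - (?P<path>.+)$"),
    "Service": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$"),
}


@dataclass
class Entry:
    kind: str                 # "BHO", "SSODL" or "Service"
    name: str
    path: str
    clsid: Optional[str] = None
    owner: Optional[str] = None


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised O2/O21/O23 line, else None."""
    line = line.strip()
    for kind, pattern in _PATTERNS.items():
        m = pattern.match(line)
        if m:
            g = m.groupdict()
            return Entry(kind, g["name"].strip(), g["path"].strip(),
                         clsid=g.get("clsid"), owner=g.get("owner"))
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def review_reasons(entry: Entry, windir: str = r"C:\WINDOWS") -> List[str]:
    """Structural reasons an analyst would look twice at this entry.

    These are review prompts, not verdicts: legitimate software does sometimes
    drop files in %windir% or register services without publisher data.
    """
    reasons = []
    if ntpath.dirname(entry.path).lower() == windir.lower():
        reasons.append("module sits directly in the Windows directory, not system32 or Program Files")
    if entry.kind == "SSODL" and entry.clsid.upper() not in XP_SSODL_BASELINE:
        reasons.append("SSODL entry outside the default baseline; loads into Explorer at logon")
    if entry.kind == "BHO" and entry.name.lower() == "(no name)":
        reasons.append("BHO registered without a display name")
    if entry.kind == "Service" and (entry.owner or "").lower() == "unknown owner":
        reasons.append("service binary carries no publisher information")
    return reasons


def triage(text: str, windir: str = r"C:\WINDOWS") -> List[Tuple[Entry, List[str]]]:
    """Parse a log and return only the entries that have at least one reason."""
    flagged = []
    for entry in parse_log(text):
        reasons = review_reasons(entry, windir)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"[{entry.kind}] {entry.name} -> {entry.path}")
        for reason in reasons:
            print("    -", reason)
```

Run against the sample, the two SSODL DLLs in C:\WINDOWS come out with two reasons each, the unnamed BHO and the publisher-less PnkBstrA service with one, and the Bonjour and RealVNC services with none. The reasons are prompts for a human to check the file (hash, signer, creation time) rather than an automatic verdict, which is also how the helper in this thread used the log before writing the CFScript.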
Old 10-24-2008, 11:10 AM   #6
Guest
 
Join Date: Oct 2008
Posts: 14
OS:



OK, I will do all this tomorrow, just one quick question:
do you think I really need to remove Fulltilt and EverestPoker,
as I really need them.
iceball is offline  
Old 10-24-2008, 12:34 PM   #7
TSF Team, Emeritus
 
Join Date: Oct 2006
Location: UK
Posts: 5,264
OS: OS



Hello again

As for Full Tilt Poker the webpage states:

Quote:
If this program gave you the option to not install the malware or adware during setup, and you chose that option, then it should be safe to leave the program installed.
So if you did not install that part of the programme, then it is fine to leave, otherwise uninstall, then you can re-install and decline that part of the bundle that can install the adware.

For EverestPoker:

Quote:
A Low Risk Software application may be a program that you knowingly and deliberately installed and that you wish to keep. Although some Low Risk Software programs may track online habits -- as provided for in a privacy policy or End User License Agreement (EULA) -- or display advertising within the applications themselves, these programs have only vague, minimal or negligible effects on your privacy.
https://research.sunbelt-software.com...threatid=50666

Since you chose to install it, you can leave it installed, be aware it may track what you do online.
TheBruce1 is offline  
Old 10-26-2008, 11:37 AM   #8
Guest
 
Join Date: Oct 2008
Posts: 14
OS:



I am scanning right now, but one step has not had the result it should have had, I think.
I created the text file for CF and dragged it.
It seemed to have done some stuff (something at a couple of stages), but there was no file to be saved at the end of it. It simply ran, restarted and gave the log file.
Btw, is it normal for CF to take 10+ min to create the log file?

Once the scan is complete I will upload the log files.
So far a lot seems to be fixed. Taskman is back up, the clock is fixed,
control panel is back,
automatic update is back.
And restarts don't seem to mess up anything again.
One problem I just found is that I can't seem to make changes to the startup list with msconfig.
Whatever I change, I get a warning that it failed due to an error.
And then it tells me to make sure I logged in with an administrator account. Which I did.
Is this a result of the infection?
Logs are on the way; if the virus scan takes too long I will upload the other logs earlier.
iceball is offline  
Old 10-26-2008, 02:14 PM   #9
TSF Team, Emeritus
 
Join Date: Oct 2006
Location: UK
Posts: 5,264
OS: OS



The logfile for Combofix can be found at C:\Combofix.txt

Quote:
Btw, is it normal for CF to take 10+ min to create the log file?
Not if it is only to create a log; Combofix can take over 10 mins to run from start to finish.

Quote:
One problem I just found is that I can't seem to make changes to the startup list with msconfig.
Whatever I change, I get a warning that it failed due to an error.
And then it tells me to make sure I logged in with an administrator account. Which I did.
Is this a result of the infection?
Do not make any changes; yes, the infection could be the cause.

Quote:
Logs are on the way; if the virus scan takes too long I will upload the other logs earlier.
Post all the required logs at the same time.
TheBruce1 is offline  
Old 10-26-2008, 03:45 PM   #10
Guest
 
Join Date: Oct 2008
Posts: 14
OS:



OK, ComboFix after the script:

ComboFix 08-10-25.01 - iceball1 2008-10-26 16:04:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1238 [GMT 1:00]
Running from: C:\cleaning\Combo-Fix.exe
Command switches used :: C:\cleaning\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\test.txt
C:\WINDOWS\lomxeqsn.exe
C:\WINDOWS\ngwstxfd.dll
C:\WINDOWS\qrbgltos.dll
C:\WINDOWS\rosqxvmn.dll
C:\WINDOWS\system32\DNXaIRqr.ini
C:\WINDOWS\system32\DNXaIRqr.ini2
C:\WINDOWS\system32\fqawckio.dll
C:\WINDOWS\system32\gthbutqc.dll
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\Memman.vxd
C:\WINDOWS\system32\oikcwaqf.ini
C:\WINDOWS\system32\rqRIaXND.dll
C:\WINDOWS\system32\skinboxer43.dll
C:\WINDOWS\system32\zkcwjy.dll

.
((((((((((((((((((((((((( Files Created from 2008-09-26 to 2008-10-26 )))))))))))))))))))))))))))))))
.

2008-10-24 14:30 . 2008-10-26 16:04 <DIR> d-------- C:\cleaning
2008-10-21 11:41 . 2008-10-21 11:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-21 11:37 . 2008-10-21 11:37 <DIR> d-------- C:\Program Files\Panda Security
2008-10-17 12:58 . 2008-10-17 12:58 <DIR> d-------- C:\Program Files\AVG
2008-10-17 04:36 . 2008-10-17 04:36 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-10-17 04:36 . 2008-10-17 04:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-10-17 04:35 . 2008-10-17 04:35 <DIR> d-------- C:\WINDOWS\147BCE03C0F14C9F81576A89B6D2D973.TMP
2008-10-17 04:35 . 2008-10-17 04:36 <DIR> d-------- C:\Program Files\McAfee
2008-10-17 03:12 . 2008-10-17 03:12 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-10-16 21:28 . 2008-10-16 21:28 <DIR> d-------- C:\scrips
2008-10-13 21:37 . 2008-10-13 21:38 <DIR> d-------- C:\popophist
2008-10-13 01:06 . 2008-10-13 01:22 <DIR> d-------- C:\PopopopPlayer
2008-10-12 13:47 . 2008-10-12 13:47 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-10-09 15:49 . 2008-10-09 15:49 20,022 --a------ C:\fulltiltplo.pah
2008-10-09 01:47 . 2008-10-09 01:47 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-10-07 15:34 . 2008-10-07 15:34 <DIR> d-------- C:\willem
2008-10-03 04:49 . 2008-10-21 22:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-03 04:49 . 2008-10-03 04:49 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-29 20:05 . 2008-09-29 20:05 18,474 --a------ C:\fulltiltlayout.pah

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-26 15:15 --------- d-----w C:\Documents and Settings\postgres\Application Data\VMware
2008-10-26 15:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-10-26 15:04 --------- d-----w C:\Program Files\Full Tilt Poker
2008-10-26 15:01 --------- d-----w C:\Program Files\PartyGaming
2008-10-26 15:00 --------- d-----w C:\Program Files\PacificPoker
2008-10-26 14:58 --------- d-----w C:\Program Files\PokerRoom.com
2008-10-26 14:58 --------- d-----w C:\Program Files\GameSpy Arcade
2008-10-26 14:57 --------- d-----w C:\Program Files\Winamp
2008-10-26 14:56 --------- d-----w C:\Program Files\Azureus
2008-10-26 14:53 --------- d-----w C:\Program Files\Sun
2008-10-26 14:53 --------- d-----w C:\Program Files\Java
2008-10-26 14:24 --------- d-----w C:\Documents and Settings\iceball1\Application Data\Xfire
2008-10-26 12:51 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\VMware
2008-10-25 01:36 138,376 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-10-24 12:40 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-10-22 23:30 --------- d-----w C:\Program Files\Poker Tracker Omaha
2008-10-22 23:24 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-21 21:23 --------- d-----w C:\Program Files\Zoom Player
2008-10-21 20:09 --------- d-----w C:\Program Files\Poker Tracker V2
2008-10-21 14:04 --------- d-----w C:\Program Files\SpywareBlaster
2008-10-17 18:10 --------- d-----w C:\Program Files\VirusBursters
2008-10-17 18:10 --------- d-----w C:\Program Files\LaTeXPiX
2008-10-17 18:10 --------- d-----w C:\Program Files\DAEMON Tools
2008-10-17 18:10 --------- d-----w C:\Program Files\Bridge Building Game
2008-10-17 03:50 98,304 ----a-w C:\WINDOWS\DUMPbf0a.tmp
2008-10-16 03:17 --------- d-s---w C:\Program Files\Xfire
2008-10-14 21:45 --------- d-----w C:\Program Files\Everest Poker
2008-10-06 01:01 --------- d-----w C:\Program Files\PokerEV
2008-09-24 01:19 --------- d-----w C:\Documents and Settings\iceball1\Application Data\Azureus
2008-09-23 16:53 --------- d--h--w C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2008-09-23 00:19 --------- d-----w C:\Program Files\PokerStars
2008-09-21 03:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-09-18 12:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-18 12:41 --------- d-----w C:\Program Files\Logitech
2008-09-18 12:41 --------- d-----w C:\Program Files\Common Files\Logitech
2008-09-12 15:07 --------- d-----w C:\Program Files\RealVNC
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-28 03:26 --------- d-----w C:\Documents and Settings\iceball1\Application Data\dvdcss
2008-08-08 01:47 3,811,580 ----a-w C:\PokerEV Installer(9).exe
2008-08-06 23:22 38,674,984 ----a-w C:\175.19_geforce_winxp_32bit_english_whql.exe
2008-08-06 20:31 5,702,435 ----a-w C:\hmupdate1.06.01p.exe
2008-08-06 16:58 2,037 ----a-w C:\caseysconfig_v2.zip
2008-08-05 14:01 6,589,711 ----a-w C:\ArcadeInstallFull205-google.exe
2008-08-05 14:00 17,920 ----a-w C:\eyeinst(2).exe
2008-08-05 13:59 11,776 ----a-w C:\EyeInstaller.exe
2008-08-05 09:30 17,920 ----a-w C:\eyeinst.exe
2007-07-25 20:31 1,228,800 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2006-10-03 01:43 2,402,550 ----a-w C:\WINDOWS\inf\SET1E82.tmp
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\147BCE03C0F14C9F81576A89B6D2D973.TMP ----

2008-10-17 04:42 6763 --a------ C:\WINDOWS\147BCE03C0F14C9F81576A89B6D2D973.TMP\WiseData.ini
2008-10-17 04:41 61457 --a------ C:\WINDOWS\147BCE03C0F14C9F81576A89B6D2D973.TMP\WiseCustomCalla.dll


((((((((((((((((((((((((((((( [email protected]_15.58.54.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
- 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2000-08-31 06:00:00 28,672 ----a-w C:\WINDOWS\NIRCMD.exe
+ 2000-08-31 07:00:00 28,672 ----a-w C:\WINDOWS\NIRCMD.exe
- 2000-08-31 06:00:00 161,792 ----a-w C:\WINDOWS\SWREG.exe
+ 2000-08-31 07:00:00 161,792 ----a-w C:\WINDOWS\SWREG.exe
- 2008-02-22 00:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 00:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-22 00:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 00:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 01:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 01:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-04-12 01:03:09 71,000 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-26 14:24:30 71,000 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-12 01:03:09 441,262 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-26 14:24:30 441,262 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-10-24 12:41:58 182,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
+ 2008-10-25 01:36:07 182,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@="{30351346-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@="{30351347-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@="{30351348-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@="{3035134B-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@="{3035134C-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@="{3035134D-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@="{3035134E-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"mnu"="C:\Program Files\Wanadoo\NL\Mnu\igomnu.exe" [2005-02-15 430328]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-21 180269]
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2005-05-23 127118]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"mnu"="C:\Program Files\Wanadoo\NL\Mnu\igomnu.exe" [2005-02-15 430328]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"WireLessMouse"="C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe" [2005-08-30 303104]
"WireLessKeyboard"="C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe" [2005-08-30 319488]
"POEngine"="C:\Program Files\PokerOffice\POEngine.exe" [2005-07-13 18944]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-10-31 921600]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 35328]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
"UltraMon"="C:\Program Files\UltraMon\UltraMon.exe" [2007-04-01 299520]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 C:\WINDOWS\soundman.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-11-03 C:\WINDOWS\KHALMNPR.Exe]
"CTHelper"="CTHELPER.EXE" [2005-12-08 C:\WINDOWS\CTHELPER.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Firefox Preloader.lnk - C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe [2007-06-06 98304]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-12-06 532480]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\gamezz(2)\\Command & Conquer The First Decade\\Command & Conquer(tm) Generals Zero Hour\\generals.exe"=
"C:\\games\\quake3-2\\quake3.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\download\\Virtua Tennis\\VIRTUA_TENNIS_PC.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"E:\\gamezz\\fifa06\\FIFA06.exe"=
"E:\\gamezz\\pes5\\PES5.exe"=
"C:\\backup\\ultrafxp\\UltraFxp.exe"=
"C:\\games\\quake\\fuhquake-gl.exe"=
"C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142 Demo\\BF2142.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\PokerOffice\\bin\\javaw.exe"=
"C:\\gamezz\\bf2\\BF2142.exe"=
"C:\\Program Files\\InterPoker\\UA.exe"=
"C:\\games\\quake\\ezquake-gl.exe"=
"C:\\gamezz\\UT2004\\System\\UT2004.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\games\\Warcraft III\\Warcraft III.exe"=
"C:\\games\\Warcraft III\\War3.exe"=
"C:\\Documents and Settings\\iceball1\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"C:\\gamezz\\TrackMania United\\TmUnited.exe"=
"C:\\gamezz\\dirt\\DiRT.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver2.exe"=
"C:\\exclipse\\eclipse\\eclipse.exe"=
"E:\\gamezz(2)\\Command & Conquer The First Decade\\Command & Conquer(tm) Generals\\game.dat"=
"E:\\gamezz\\daw\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"E:\\gamezz\\coh\\RelicCOH.exe"=
"E:\\gamezz\\sup\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"E:\\gamezz\\sup\\GPGNet\\GPG.Multiplayer.Client.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Everest Poker\\CStart.exe"=
"E:\\gamezz\\AA\\System\\ArmyOps.exe"=
"E:\\gamezz\\steam\\SteamApps\\iceball13\\counter-strike source\\hl2.exe"=
"E:\\gamezz\\steam\\SteamApps\\iceball13\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"E:\\gamezz\\steam\\SteamApps\\iceball13\\team fortress 2\\hl2.exe"=
"E:\\gamezz\\soloar\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
"5432:TCP"= 5432:TCP:postgresql
"6666:TCP"= 6666:TCP:vnc servertje
"6666:UDP"= 6666:UDP:vnc udp

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2005-12-14 78336]
R1 raddrvv3;raddrvv3;C:\WINDOWS\system32\rserver30\raddrvv3.sys [2007-02-02 41176]
R2 pgsql-8.2;PostgreSQL Database Server 8.2;C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe runservice -N pgsql-8.2 -D C:\Program Files\PostgreSQL\8.2\data\ [ ]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 11776]
R2 vmserverdWin32;VMware Registration Service;C:\Program Files\VMware\VMware Server\vmserverdWin32.exe [2008-03-04 1650781]
R3 mirrorv3;mirrorv3;C:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-11-01 3328]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 3584]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 RServer3;Radmin Server V3;C:\WINDOWS\system32\rserver30\RServer3.exe [2007-02-02 1235032]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CF8FF8B8-44A2-4BA8-97A1-9A4DC143F07B}]
C:\WINDOWS\system32\msiexec.exe /qn /fpu {CF8FF8B8-44A2-4BA8-97A1-9A4DC143F07B}
.
Contents of the 'Scheduled Tasks' folder

2008-10-21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]
.
- - - - ORPHANS REMOVED - - - -

BHO-{AA648284-F2A4-4A62-B504-3088EA73F3AE} - C:\WINDOWS\system32\rqRIaXND.dll
HKLM-Run-50298a62 - C:\WINDOWS\system32\fqawckio.dll



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-10-26 16:13:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\ESET\nod32krn.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-10-26 16:27:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-26 15:27:13
ComboFix2.txt 2008-10-24 13:59:17

Pre-Run: 15,899,369,472 bytes free
Post-Run: 15,951,532,032 bytes free

336 --- E O F --- 2008-10-17 01:03:29


KAS LOG

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, October 26, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: 26 October 2008 14:30:40
Records in database: 1348246
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 341197
Threat name: 8
Infected objects: 22
Suspicious objects: 0
Duration of the scan: 05:42:55


File name / Threat name / Threats count
C:\Program Files\Hitman Pro\packages\sdsetup.exe Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
C:\Program Files\Radmin\AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 1
C:\Program Files\Spyware Doctor\tools\swpg.DAT Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\duzriq.dll.vir Infected: Trojan.Win32.Agent.ajkx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\flpdajjf.dll.vir Infected: Trojan.Win32.Agent.ajkx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ilsiep.dll.vir Infected: Trojan.Win32.Agent.ajkx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\smkwqbxl.dll.vir Infected: Trojan.Win32.Agent.ajkx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSl.dll.vir Infected: Backdoor.Win32.TDSS.zj 1
C:\Qoobox\Quarantine\[4][email protected] Infected: Trojan.Win32.Vapsup.mgf 1
C:\Qoobox\Quarantine\[4][email protected] Infected: Trojan.Win32.Vapsup.mge 1
C:\vnc-4_1_2-x86_win32_viewer(2).exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\vnc-4_1_2-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\WINDOWS\system32\admdll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 1
E:\download\usenet\vnc-4_1_2-x86_win32(2).exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
E:\download\usenet\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4

The selected area was scanned.


HIJACK LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:39, on 10/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe
C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\Wanadoo\NL\Mnu\igomnu.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [mnu] C:\Program Files\Wanadoo\NL\Mnu\igomnu.exe /S:T
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-527237240-854245398-725345543-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'postgres')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: MrBpoker Poker - {0932285F-432B-42b0-B960-7946B1950802} - C:\Program Files\MrBookmakerMPP\MPPoker.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Rob's Poker Room - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\ROB'SP~1\client.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - https://www.fileplanet.com/fpdlmgr/ca...C_2.1.1.74.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://update.microsoft.com/windowsu...?1133981140406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - https://update.microsoft.com/microsof...?1133981276249
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Regi...18/flashax.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.2 (pgsql-8.2) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 10859 bytes
iceball is offline  
Old 10-26-2008, 03:48 PM   #11
Guest
 
Join Date: Oct 2008
Posts: 14
OS:



And it does take around 10 min every time I ran ComboFix to create the log file.
It reboots.
Then it seems not to start the shell completely, because not all programs that normally start have run. Then about 10 min later (while CF is still creating the log) the shell starts normally (rest of the programs run, icons etc.) and then CF finishes.
iceball is offline  
Old 10-26-2008, 06:53 PM   #12
Guest
 
Join Date: Oct 2008
Posts: 14
OS:



In the step program I first had to do before posting I had to install AVG.
That failed. But I tried it again after the last steps and now I can install it.
So I did. Shall I run a full system scan? The online Kaspersky scanner only scanned and does not clean, right?
It seems like the virus is gone, or silent at the moment, as I could not install virus scanners before.
And all other things are gone as well,
except the fact that I can't change anything in msconfig. (Did not try again, as you mentioned.)
iceball is offline  
Old 10-27-2008, 03:23 AM   #13
TSF Team, Emeritus
 
Join Date: Oct 2006
Location: UK
Posts: 5,264
OS: OS



Hello again

File did not upload, please go to this website:

https://www.bleepingcomputer.com/subm....php?channel=4

And upload this file:

C:\Qoobox\Quarantine\[4][email protected]

Include this link into your submission:

https://www.techsupportforum.com/security-center/hijackthis-log-help/304604-virus-disables-everything.html

Let me know when this has been completed.
TheBruce1 is offline  
Old 10-27-2008, 05:56 AM   #14
Guest
 
Join Date: Oct 2008
Posts: 14
OS:



Done, that is what I tried to tell you:
ComboFix did not pop up with anything to submit, only the log file.
But I uploaded it on the site.
Btw, I uninstalled all virus scanners and installed AVG.
iceball is offline  
Old 10-27-2008, 07:21 AM   #15
TSF Team, Emeritus
 
Join Date: Oct 2006
Location: UK
Posts: 5,264
OS: OS



Hello again

File uploaded successfully, thank you.

==========

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
SkipFix::
Folder::
C:\Program Files\VirusBursters
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Java\\jre1.5.0_06"=-
Save this as CFscript







Referring to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

======

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

======
Logs Required
C:\Combofix.txt
Hijackthis Log
TheBruce1 is offline  
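The Registry:: section of the CFScript above rewrites the LSA "Authentication Packages" value as REGEDIT4-style hex(7) data (REG_MULTI_SZ). That value lists DLLs that lsass.exe loads at boot, so it is a persistence location worth checking after a cleanup. The following is an added example (not TheBruce1's, the forum's or ComboFix's own code) that decodes such a hex(7) line back into its list of strings and reports anything beyond the Windows default msv1_0. It assumes REGEDIT4 data is ANSI, one byte per character, as the bytes in the thread are; the tampered sample line with "extra.dll" is constructed for illustration.

```python
"""Decode .reg-style hex(7) (REG_MULTI_SZ) data and compare the LSA
Authentication Packages list against the Windows default.

Added example, not part of the forum thread or of ComboFix. The clean
line is copied from the CFScript in the thread; the tampered line is a
constructed sample used only to show what an extra entry looks like.
"""
import re

# A stock Windows XP install lists only msv1_0 (the NTLM package) here.
# Any additional name is a DLL that lsass.exe loads at startup.
DEFAULT_AUTH_PACKAGES = ["msv1_0"]

# Line copied from the thread's CFScript (REGEDIT4 format, ANSI bytes).
SAMPLE_LINE = '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'

# Constructed sample: the same value with one extra package appended.
TAMPERED_LINE = (
    '"Authentication Packages"=hex(7):'
    "6d,73,76,31,5f,30,00,65,78,74,72,61,2e,64,6c,6c,00,00"
)

HEX7_RE = re.compile(
    r'^"(?P<name>[^"]+)"=hex\(7\):'
    r"(?P<data>[0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*)$"
)


def parse_hex7_line(line: str) -> tuple[str, bytes]:
    """Split a `"Name"=hex(7):aa,bb,...` line into (name, raw bytes)."""
    m = HEX7_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a hex(7) value line: {line!r}")
    raw = bytes(int(b, 16) for b in m.group("data").split(","))
    return m.group("name"), raw


def decode_multi_sz(raw: bytes) -> list[str]:
    """Decode REG_MULTI_SZ bytes into a list of strings.

    REGEDIT4 files store ANSI text; "Windows Registry Editor Version 5.00"
    files store UTF-16LE. The encoding is guessed from the data: UTF-16LE
    text of ASCII names has a zero high byte in every second position.
    The trailing double NUL yields empty strings, which are dropped.
    """
    looks_utf16 = (
        len(raw) >= 2
        and len(raw) % 2 == 0
        and all(raw[i] == 0 for i in range(1, len(raw), 2))
    )
    text = raw.decode("utf-16-le") if looks_utf16 else raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def check_auth_packages(line: str) -> dict:
    """Return the decoded package list and any entries beyond the default."""
    name, raw = parse_hex7_line(line)
    packages = decode_multi_sz(raw)
    extra = [p for p in packages if p.lower() not in DEFAULT_AUTH_PACKAGES]
    return {"name": name, "packages": packages, "extra": extra, "clean": not extra}


if __name__ == "__main__":
    print(check_auth_packages(SAMPLE_LINE))    # clean: only msv1_0
    print(check_auth_packages(TAMPERED_LINE))  # extra: ['extra.dll']
```

The same decoder works on a line exported from a live machine with `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, where the data will be UTF-16LE rather than ANSI; the encoding guess in `decode_multi_sz` covers both forms.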
Old 10-27-2008, 07:46 AM   #16
Guest
 
Join Date: Oct 2008
Posts: 14
OS:



ComboFix 08-10-25.01 - iceball1 2008-10-27 15:33:40.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1344 [GMT 1:00]
Running from: C:\cleaning\Combo-Fix.exe
Command switches used :: C:\cleaning\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\VirusBursters
C:\Program Files\VirusBursters\ignored.lst
C:\Program Files\VirusBursters\virusburster.ini

.
((((((((((((((((((((((((( Files Created from 2008-09-27 to 2008-10-27 )))))))))))))))))))))))))))))))
.

2008-10-27 02:46 . 2008-10-27 13:34 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-10-27 02:46 . 2008-10-27 02:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-10-27 02:46 . 2008-10-27 02:46 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-27 02:46 . 2008-10-27 02:46 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-10-27 02:46 . 2008-10-27 02:46 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-10-24 14:30 . 2008-10-27 15:33 <DIR> d-------- C:\cleaning
2008-10-21 11:41 . 2008-10-21 11:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-21 11:37 . 2008-10-21 11:37 <DIR> d-------- C:\Program Files\Panda Security
2008-10-17 12:58 . 2008-10-17 12:58 <DIR> d-------- C:\Program Files\AVG
2008-10-17 04:36 . 2008-10-17 04:36 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-10-17 04:36 . 2008-10-27 02:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-10-17 04:35 . 2008-10-17 04:35 <DIR> d-------- C:\WINDOWS\147BCE03C0F14C9F81576A89B6D2D973.TMP
2008-10-17 04:35 . 2008-10-27 02:45 <DIR> d-------- C:\Program Files\McAfee
2008-10-17 03:12 . 2008-10-17 03:12 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-10-16 21:28 . 2008-10-16 21:28 <DIR> d-------- C:\scrips
2008-10-13 21:37 . 2008-10-13 21:38 <DIR> d-------- C:\popophist
2008-10-13 01:06 . 2008-10-13 01:22 <DIR> d-------- C:\PopopopPlayer
2008-10-12 13:47 . 2008-10-12 13:47 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-10-09 15:49 . 2008-10-09 15:49 20,022 --a------ C:\fulltiltplo.pah
2008-10-09 01:47 . 2008-10-09 01:47 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-10-07 15:34 . 2008-10-07 15:34 <DIR> d-------- C:\willem
2008-10-03 04:49 . 2008-10-21 22:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-03 04:49 . 2008-10-03 04:49 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-29 20:05 . 2008-09-29 20:05 18,474 --a------ C:\fulltiltlayout.pah

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 12:48 --------- d-----w C:\Documents and Settings\iceball1\Application Data\Xfire
2008-10-27 03:22 --------- d-----w C:\Program Files\Full Tilt Poker
2008-10-27 03:01 182,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-10-27 03:01 138,376 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-10-27 01:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-26 16:16 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\VMware
2008-10-26 16:16 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-10-26 16:15 --------- d-----w C:\Documents and Settings\postgres\Application Data\VMware
2008-10-26 16:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-10-26 16:07 --------- d-----w C:\Program Files\ESET
2008-10-26 15:56 --------- d-----w C:\Program Files\Java
2008-10-26 15:01 --------- d-----w C:\Program Files\PartyGaming
2008-10-26 15:00 --------- d-----w C:\Program Files\PacificPoker
2008-10-26 14:58 --------- d-----w C:\Program Files\PokerRoom.com
2008-10-26 14:58 --------- d-----w C:\Program Files\GameSpy Arcade
2008-10-26 14:57 --------- d-----w C:\Program Files\Winamp
2008-10-26 14:56 --------- d-----w C:\Program Files\Azureus
2008-10-26 14:53 --------- d-----w C:\Program Files\Sun
2008-10-22 23:30 --------- d-----w C:\Program Files\Poker Tracker Omaha
2008-10-21 21:23 --------- d-----w C:\Program Files\Zoom Player
2008-10-21 20:09 --------- d-----w C:\Program Files\Poker Tracker V2
2008-10-21 14:04 --------- d-----w C:\Program Files\SpywareBlaster
2008-10-17 18:10 --------- d-----w C:\Program Files\LaTeXPiX
2008-10-17 18:10 --------- d-----w C:\Program Files\DAEMON Tools
2008-10-17 18:10 --------- d-----w C:\Program Files\Bridge Building Game
2008-10-17 03:50 98,304 ----a-w C:\WINDOWS\DUMPbf0a.tmp
2008-10-16 03:17 --------- d-s---w C:\Program Files\Xfire
2008-10-14 21:45 --------- d-----w C:\Program Files\Everest Poker
2008-10-06 01:01 --------- d-----w C:\Program Files\PokerEV
2008-09-24 01:19 --------- d-----w C:\Documents and Settings\iceball1\Application Data\Azureus
2008-09-23 16:53 --------- d--h--w C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2008-09-23 00:19 --------- d-----w C:\Program Files\PokerStars
2008-09-21 03:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-09-18 12:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-18 12:41 --------- d-----w C:\Program Files\Logitech
2008-09-18 12:41 --------- d-----w C:\Program Files\Common Files\Logitech
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-12 15:07 --------- d-----w C:\Program Files\RealVNC
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-28 03:26 --------- d-----w C:\Documents and Settings\iceball1\Application Data\dvdcss
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-08 01:47 3,811,580 ----a-w C:\PokerEV Installer(9).exe
2008-08-06 23:22 38,674,984 ----a-w C:\175.19_geforce_winxp_32bit_english_whql.exe
2008-08-06 20:31 5,702,435 ----a-w C:\hmupdate1.06.01p.exe
2008-08-06 16:58 2,037 ----a-w C:\caseysconfig_v2.zip
2008-08-05 14:01 6,589,711 ----a-w C:\ArcadeInstallFull205-google.exe
2008-08-05 14:00 17,920 ----a-w C:\eyeinst(2).exe
2008-08-05 13:59 11,776 ----a-w C:\EyeInstaller.exe
2008-08-05 09:30 17,920 ----a-w C:\eyeinst.exe
2007-07-25 20:31 1,228,800 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2006-10-03 01:43 2,402,550 ----a-w C:\WINDOWS\inf\SET1E82.tmp
.

((((((((((((((((((((((((((((( [email protected]_15.58.54.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
- 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2000-08-31 06:00:00 28,672 ----a-w C:\WINDOWS\NIRCMD.exe
+ 2000-08-31 07:00:00 28,672 ----a-w C:\WINDOWS\NIRCMD.exe
- 2000-08-31 06:00:00 161,792 ----a-w C:\WINDOWS\SWREG.exe
+ 2000-08-31 07:00:00 161,792 ----a-w C:\WINDOWS\SWREG.exe
- 2006-08-17 12:28:27 332,288 -c----w C:\WINDOWS\system32\dllcache\netapi32.dll
+ 2008-10-15 16:57:55 332,800 -c----w C:\WINDOWS\system32\dllcache\netapi32.dll
+ 2008-10-27 01:46:52 26,824 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
- 2008-02-22 00:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 00:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-22 00:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 00:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 01:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 01:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-20 1736 1,480,232 ------w C:\WINDOWS\system32\LegitCheckControl.dll
- 2006-08-17 12:28:27 332,288 ----a-w C:\WINDOWS\system32\netapi32.dll
+ 2008-10-15 16:57:55 332,800 ----a-w C:\WINDOWS\system32\netapi32.dll
- 2008-04-12 01:03:09 71,000 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-26 16:17:20 69,790 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-12 01:03:09 441,262 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-26 16:17:20 438,578 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@="{30351346-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@="{30351347-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@="{30351348-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@="{3035134B-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@="{3035134C-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@="{3035134D-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@="{3035134E-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"WireLessMouse"="C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe" [2005-08-30 303104]
"WireLessKeyboard"="C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe" [2005-08-30 319488]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 35328]
"UltraMon"="C:\Program Files\UltraMon\UltraMon.exe" [2007-04-01 299520]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-21 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 282624]
"POEngine"="C:\Program Files\PokerOffice\POEngine.exe" [2005-07-13 18944]
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2005-05-23 127118]
"mnu"="C:\Program Files\Wanadoo\NL\Mnu\igomnu.exe" [2005-02-15 430328]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-27 1234712]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 C:\WINDOWS\soundman.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-11-03 C:\WINDOWS\KHALMNPR.Exe]
"CTHelper"="CTHELPER.EXE" [2005-12-08 C:\WINDOWS\CTHELPER.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\iceball1\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2008-10-09 3098448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Firefox Preloader.lnk - C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe [2007-06-06 98304]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-12-06 532480]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^iceball1^Start Menu^Programs^Startup^The Matrix_ Path of Neo Registration.lnk]
path=C:\Documents and Settings\iceball1\Start Menu\Programs\Startup\The Matrix_ Path of Neo Registration.lnk
backup=C:\WINDOWS\pss\The Matrix_ Path of Neo Registration.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\gamezz(2)\\Command & Conquer The First Decade\\Command & Conquer(tm) Generals Zero Hour\\generals.exe"=
"C:\\games\\quake3-2\\quake3.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\download\\Virtua Tennis\\VIRTUA_TENNIS_PC.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"E:\\gamezz\\fifa06\\FIFA06.exe"=
"E:\\gamezz\\pes5\\PES5.exe"=
"C:\\backup\\ultrafxp\\UltraFxp.exe"=
"C:\\games\\quake\\fuhquake-gl.exe"=
"C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142 Demo\\BF2142.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\PokerOffice\\bin\\javaw.exe"=
"C:\\gamezz\\bf2\\BF2142.exe"=
"C:\\Program Files\\InterPoker\\UA.exe"=
"C:\\games\\quake\\ezquake-gl.exe"=
"C:\\gamezz\\UT2004\\System\\UT2004.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\games\\Warcraft III\\Warcraft III.exe"=
"C:\\games\\Warcraft III\\War3.exe"=
"C:\\Documents and Settings\\iceball1\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"C:\\gamezz\\TrackMania United\\TmUnited.exe"=
"C:\\gamezz\\dirt\\DiRT.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver2.exe"=
"C:\\exclipse\\eclipse\\eclipse.exe"=
"E:\\gamezz(2)\\Command & Conquer The First Decade\\Command & Conquer(tm) Generals\\game.dat"=
"E:\\gamezz\\daw\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"E:\\gamezz\\coh\\RelicCOH.exe"=
"E:\\gamezz\\sup\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"E:\\gamezz\\sup\\GPGNet\\GPG.Multiplayer.Client.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Everest Poker\\CStart.exe"=
"E:\\gamezz\\AA\\System\\ArmyOps.exe"=
"E:\\gamezz\\steam\\SteamApps\\iceball13\\counter-strike source\\hl2.exe"=
"E:\\gamezz\\steam\\SteamApps\\iceball13\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"E:\\gamezz\\steam\\SteamApps\\iceball13\\team fortress 2\\hl2.exe"=
"E:\\gamezz\\soloar\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
"5432:TCP"= 5432:TCP:postgresql
"6666:TCP"= 6666:TCP:vnc servertje
"6666:UDP"= 6666:UDP:vnc udp

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2005-12-14 78336]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-27 97928]
R1 raddrvv3;raddrvv3;C:\WINDOWS\system32\rserver30\raddrvv3.sys [2007-02-02 41176]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-27 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-27 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-10-27 76040]
R2 pgsql-8.2;PostgreSQL Database Server 8.2;C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe runservice -N pgsql-8.2 -D C:\Program Files\PostgreSQL\8.2\data\ [ ]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 11776]
R3 mirrorv3;mirrorv3;C:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-11-01 3328]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 3584]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 RServer3;Radmin Server V3;C:\WINDOWS\system32\rserver30\RServer3.exe [2007-02-02 1235032]

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CF8FF8B8-44A2-4BA8-97A1-9A4DC143F07B}]
C:\WINDOWS\system32\msiexec.exe /qn /fpu {CF8FF8B8-44A2-4BA8-97A1-9A4DC143F07B}
.
Contents of the 'Scheduled Tasks' folder

2008-10-21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-10-27 15:34:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-27 15:44:57
ComboFix-quarantined-files.txt 2008-10-27 14:44:55
ComboFix2.txt 2008-10-26 15:54:11
ComboFix3.txt 2008-10-26 15:27:19
ComboFix4.txt 2008-10-24 13:59:17

Pre-Run: 15,704,961,024 bytes free
Post-Run: 15,780,315,136 bytes free

302 --- E O F --- 2008-10-27 02:02:43
iceball is offline  
Old 10-27-2008, 12:50 PM   #17
TSF Team, Emeritus
 
Join Date: Oct 2006
Location: UK
Posts: 5,264
OS: OS



Can you post a fresh Hijackthis log.
TheBruce1 is offline  
Old 10-27-2008, 01:24 PM   #18
Guest
 
Join Date: Oct 2008
Posts: 14
OS:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:22, on 10/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe
C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Wanadoo\NL\Mnu\igomnu.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Full Tilt Poker\FullTiltPoker.exe
C:\Program Files\RVG Software\Holdem Manager\HoldemManager.exe
C:\Program Files\RVG Software\Holdem Manager\HMImport.exe
C:\Program Files\RVG Software\Holdem Manager\HMHud.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [mnu] C:\Program Files\Wanadoo\NL\Mnu\igomnu.exe /S:T
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-527237240-854245398-725345543-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'postgres')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: MrBpoker Poker - {0932285F-432B-42b0-B960-7946B1950802} - C:\Program Files\MrBookmakerMPP\MPPoker.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Rob's Poker Room - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\ROB'SP~1\client.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - https://www.fileplanet.com/fpdlmgr/ca...C_2.1.1.74.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://update.microsoft.com/windowsu...?1133981140406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - https://update.microsoft.com/microsof...?1133981276249
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Regi...18/flashax.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.2 (pgsql-8.2) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Radmin Server V3 (RServer3) - Unknown owner - C:\WINDOWS\system32\rserver30\RServer3.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 11122 bytes
iceball is offline  
Old 10-27-2008, 01:27 PM   #19
Guest
 
Join Date: Oct 2008
Posts: 14
OS:



When creating this log I at the same time get a popup from AVG
with a warning about a file in windows\system32\Rserver3.exe that it put in the vault, but I think it is something from HijackThis? Because AVG tells me that the hijackthis.exe used the object.
iceball is offline  
Old 10-27-2008, 01:43 PM   #20
TSF Team, Emeritus
 
Join Date: Oct 2006
Location: UK
Posts: 5,264
OS: OS



Quote:
I at the same time get a popup from AVG
with a warning about a file in windows\system32\Rserver3.exe that it put in the vault, but I think it is something from HijackThis? Because AVG tells me that the hijackthis.exe used the object.
Rserver3.exe is a file that belongs to Radmin; you'll need to remove it from the vault or contact Grisoft.

=======

If there are no further issues, continue below.

=======

Delete RSIT from your desktop and also delete the folder c:\rsit. Uninstall HijackThis via Add/Remove; you can keep ATF-Cleaner if you wish.

=======

Well done, your logs are clean.

Click Start > Run > type (or copy/paste the command into the Run box):

ComboFix /u

Click ok.

=========

Clear IE7 cookies

*On the Internet Explorer 7 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
*On the General tab, in the Browsing History, click the Delete button. This will delete all the files that are currently stored in your cache [that includes cookies too].
*Click OK, and then click OK again.


Clear Firefox cookies/cache

• Select "Tools"
• Select "Options".
• Select "Privacy".
• In the "Settings" window put a check mark for Cookies, Cache, Browsing history and any others you want.
• Click OK.
• In the Private area click "Clear Now".

-------------------------------------------------------------------------------------------

MICROSOFT UPDATES

1. Click Start, Run, type sysdm.cpl, and then press OK.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended).

Microsoft updates are released every second Tuesday of each month, which is called "Patch Tuesday".

------------------------------------------------------------------------------------------

Useful Information and Programs to keep you safe.

TrendProtect is a FREE browser plug-in that helps you avoid Web pages with unwanted content and hidden threats. TrendProtect rates the current page and pages listed in Google, MSN, and Yahoo search results. You can use the rating to decide if you want to visit or avoid a given Web page. To rate Web pages, TrendProtect refers to an extensive database that covers the following information for billions of Web pages:

* Content category
* Phishing scam detection
* Site reputation
* Page reputation

WOT Free helps you avoid disingenuous Internet content by allowing you to learn from others' experiences. WOT shows you website reputations on your browser, telling you how much other users trust a website. This helps you make better decisions while browsing and avoid phishing, malware, and other types of fraud. Reputations can also be added to web search results, Gmail, Wikipedia, and other selected sites.

WOT reputations are computed mainly from user testimonies. Sharing your knowledge with others is just a click away, without ever having to leave the site. We also collect data from hundreds of other sources (including PhishTank) to quickly warn you of emerging threats. Currently, WOT knows over 12 million websites.
Note: Only compatible with Firefox 1.5 and higher.

--------------------------------------------------------------------------------------

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Avant
Firefox
Opera
K-Meleon

------------------------------------------------------------------------------------------

Free Antispyware Products
SuperAntiSpyware
Malwarebytes' Anti-Malware

SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button "Enable protection for all unprotected items".

------------------------------------------------------------------

IE-Spyad™ is a freeware utility that places more than 4000 dubious websites and domains in the Internet Explorer Restricted List.

Download and installation instructions for IE-Spyad™ Here

-----------------------------------------

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

If you're having trouble downloading & extracting, see the link below for guidance:
https://www.mvps.org/winhelp2002/hosts2.htm

Once you have extracted the hosts file, double-click on it and a new window will open.

Double-click on mvps.bat and follow the prompts.

---------------------------------------------------------------

Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

----------------------------------------

SnoopFree is a programme that informs you when another programme is wanting to log your keystrokes or read your screen. Only for XP users.

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

==============================================

Also, please take a look at this well written article:

PC Safety and Security--What Do I Need?

**Be very wary of any security software that is advertised in popups or in other ways. It is not only usually of no use, but often has malware in it.

Please reply to this thread once more, so we can mark this as resolved, thanks.
TheBruce1 is offline  
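The MVPS HOSTS advice above works because every listed name is mapped to 127.0.0.1, so a block entry can only ever point back at the local machine. The same file can also be abused to send a legitimate name somewhere else, so a practitioner wants to tell the two apart. This is an added example, not code from the thread or from MVPS: it parses HOSTS-file text and separates sinkhole entries from redirects; the sample text, the ads.example/tracker.example names and the 203.0.113.5 address are constructed.

```python
"""Check a Windows HOSTS file for block (sinkhole) entries versus redirects.

Added example, not part of the forum thread or the MVPS package. On a live
machine the file lives at %SystemRoot%\\System32\\drivers\\etc\\hosts; here a
constructed sample is embedded so the check runs offline.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Addresses that only ever resolve to the local machine. An entry using one
# of these blocks the name; it cannot send traffic to a third party.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class HostsEntry:
    lineno: int
    address: str
    names: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse HOSTS text: one '<address> <name> [<name> ...]  # comment' per line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments and blanks
        if not line:
            continue
        parts = line.split()  # tabs and runs of spaces both separate fields
        if len(parts) < 2:
            continue  # malformed line; Windows ignores it too
        entries.append(HostsEntry(lineno, parts[0], [n.lower() for n in parts[1:]]))
    return entries


def classify(entries: List[HostsEntry]) -> Tuple[List[str], List[Tuple[int, str, str]]]:
    """Return (blocked names, redirects) where a redirect is (line, name, address).

    Blocked names are sinkholed to the local machine, as an MVPS-style list does.
    Redirects map a real name to some other address and deserve a closer look.
    """
    blocks, redirects = [], []
    for e in entries:
        for name in e.names:
            if name == "localhost":
                continue  # the default entry present in every HOSTS file
            if e.address in LOCAL_SINKS:
                blocks.append(name)
            else:
                redirects.append((e.lineno, name, e.address))
    return blocks, redirects


# Constructed sample: two MVPS-style block lines plus one tampered line that
# sends an update domain to a documentation-range address (203.0.113.0/24).
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1 localhost
127.0.0.1 ads.example        # MVPS-style block entry
0.0.0.0   tracker.example    # some lists sinkhole to 0.0.0.0 instead
203.0.113.5 update.microsoft.com  # constructed tampered entry
"""


def check_hosts(text: str) -> Tuple[List[str], List[Tuple[int, str, str]]]:
    """Parse and classify in one call; the second list is what an operator reviews."""
    return classify(parse_hosts(text))


if __name__ == "__main__":
    blocked, suspicious = check_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked)} names blocked via loopback")
    for lineno, name, addr in suspicious:
        print(f"line {lineno}: {name} is redirected to {addr}, not blocked")
```

Run against the real file by reading it into `check_hosts`; a clean MVPS install yields an empty redirect list.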