
Registered · 3 Posts · Discussion Starter · #1
I keep getting this message:
Application Error: The exception unknown software exception (0xc0000409) occurred in the application at location 0x5b86a510, and I have no idea what it could be. Can anyone help me please!!! This is the HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:03:48, on 14.11.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toggle.com/en/index.php?rvs=hompag&d=79918991
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - D:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - D:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3704 bytes
 

Registered · 1,381 Posts
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly


Please ensure that any USB/Flash/External drives are connected whilst we are cleaning your machine.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

----------------------------------------------------------------------------------------


Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.
 

Registered · 3 Posts · Discussion Starter · #3
This is the log file:

Logfile of random's system information tool 1.04 (written by random/random)
Run by A.ANGELOV at 2008-11-24 01:13:35
Microsoft Windows XP Professional Service Pack 2
System drive C: has 5 GB (45%) free of 10 GB
Total RAM: 255 MB (20% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:13:56, on 24.11.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\cmd.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\DAP\DAP.EXE
C:\Documents and Settings\A.ANGELOV\My Documents\My Completed Downloads\RSIT.exe
D:\Program Files\Trend Micro\HijackThis\A.ANGELOV.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toggle.com/en/index.php?rvs=hompag&d=79918991
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - D:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - D:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download Using &BitSpirit - D:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Host Services (SVCHOSTS32) - Unknown owner - C:\WINDOWS\system\svchost.exe (file missing)

--
End of file - 4128 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - D:\Program Files\Java\jre1.6.0\bin\ssv.dll [2008-10-06 501384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C451C08A-EC37-45DF-AAAD-18B51AB5E837}]
PDFCreator Toolbar Helper - D:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll [2008-10-13 806912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - PDFCreator Toolbar - D:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll [2008-10-13 806912]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2003-03-21 4616192]
"nwiz"=nwiz.exe /install []
"COMODO Firewall Pro"=D:\Program Files\COMODO\Firewall\cfp.exe -h []
"SunJavaUpdateSched"=D:\Program Files\Java\jre1.6.0\bin\jusched.exe [2008-10-06 77824]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2007-04-16 577536]
"avast!"=D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-11-18 81000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=" "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"D:\Program Files\Shareaza\Shareaza.exe"="D:\Program Files\Shareaza\Shareaza.exe:*:Enabled:Shareaza Ultimate File Sharing"
"D:\Program Files\uTorrent\uTorrent.exe"="D:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"D:\Program Files\BitSpirit\BitSpirit.exe"="D:\Program Files\BitSpirit\BitSpirit.exe:*:Enabled:The powerful and easy-to-use BitTorrent Client"
"D:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"="D:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe:*:Enabled:VideoAccelerator"
"D:\Program Files\DNA\btdna.exe"="D:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"D:\Program Files\BitTorrent\bittorrent.exe"="D:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"D:\Program Files\LimeWire\LimeWire.exe"="D:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\WINDOWS\system\svchost.exe"="C:\WINDOWS\system\svchost.exe:*:Enabled:Microsoft Enabled"
"G:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe"="G:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe:*:Enabled:Microsoft Enabled"
"D:\Program Files\Skype\Phone\Skype.exe"="D:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2008-11-24 01:13:35 ----D---- C:\rsit
2008-11-23 22:25:46 ----A---- C:\WINDOWS\system32\MFC71.dll
2008-11-23 22:23:07 ----A---- C:\WINDOWS\system32\aswBoot.exe
2008-11-23 22:23:05 ----D---- D:\Program Files\Alwil Software
2008-11-23 22:14:02 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-11-23 21:51:21 ----D---- D:\Program Files\ProcessExplorer
2008-11-23 21:47:27 ----D---- D:\Program Files\Autoruns
2008-11-23 01:21:59 ----D---- C:\Program Files\Common Files\Skype
2008-11-22 22:36:38 ----D---- D:\Program Files\GameSpy Arcade
2008-11-22 22:33:49 ----D---- D:\Program Files\PDFCreator Toolbar
2008-11-22 22:30:03 ----D---- D:\Program Files\uTorrent
2008-11-22 22:29:02 ----D---- C:\Documents and Settings\All Users\Application Data\comodo
2008-11-22 22:28:44 ----D---- C:\Documents and Settings\A.ANGELOV\Application Data\vlc
2008-11-22 22:28:21 ----D---- C:\Documents and Settings\A.ANGELOV\Application Data\Skype
2008-11-22 22:28:21 ----D---- C:\Config.Msi
2008-11-22 22:28:11 ----D---- C:\Documents and Settings\A.ANGELOV\Application Data\uTorrent
2008-11-22 22:18:58 ----A---- C:\WINDOWS\ntbtlog.txt
2008-11-22 21:59:11 ----D---- D:\Program Files\FormatFactory
2008-11-22 02:09:49 ----D---- D:\Program Files\Common Files
2008-11-22 02:09:39 ----D---- D:\Program Files\Text to Speech Maker
2008-11-21 20:36:54 ----D---- D:\Program Files\Allok AVI to DVD SVCD VCD Converter
2008-11-20 01:14:28 ----D---- C:\Documents and Settings\A.ANGELOV\Application Data\Skype(2)
2008-11-19 21:49:24 ----D---- C:\Documents and Settings\All Users\Application Data\Macromedia
2008-11-19 21:48:48 ----D---- D:\Program Files\Macromedia
2008-11-19 21:48:48 ----D---- C:\Program Files\Common Files\Macromedia
2008-11-19 21:47:45 ----D---- C:\WINDOWS\Downloaded Installations
2008-11-18 13:55:04 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe(2)
2008-11-18 13:54:39 ----D---- D:\Program Files\Adobe
2008-11-18 13:54:39 ----D---- C:\Program Files\Common Files\Adobe(2)
2008-11-16 19:05:28 ----D---- D:\Program Files\IObit
2008-11-14 23:51:56 ----D---- D:\Program Files\EvilLyrics
2008-11-12 13:42:33 ----D---- C:\Documents and Settings\A.ANGELOV\Application Data\MathWorks
2008-11-12 12:54:35 ----D---- D:\Program Files\MATLAB
2008-11-12 01:14:29 ----D---- C:\Documents and Settings\A.ANGELOV\Application Data\BSplayer Pro
2008-11-12 01:14:29 ----D---- C:\Documents and Settings\A.ANGELOV\Application Data\BSplayer
2008-11-12 00:43:32 ----D---- C:\Documents and Settings\A.ANGELOV\Application Data\vlc(2)
2008-11-10 01:56:25 ----D---- D:\Program Files\Folder Lock
2008-11-09 22:39:07 ----D---- D:\Program Files\pl
2008-11-09 04:00:09 ----D---- D:\Program Files\Streamripper
2008-11-08 23:58:07 ----D---- C:\Documents and Settings\A.ANGELOV\Application Data\Thinstall
2008-11-03 07:28:41 ----D---- C:\Program Files\Common Files\HTML Executable Viewer
2008-11-02 20:56:10 ----D---- C:\Documents and Settings\A.ANGELOV\Application Data\foobar2000
2008-11-02 20:56:02 ----D---- D:\Program Files\foobar2000
2008-11-02 19:42:25 ----D---- C:\Documents and Settings\A.ANGELOV\Application Data\MSNInstaller
2008-11-02 18:03:32 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-02 01:40:36 ----D---- C:\Documents and Settings\All Users\Application Data\WhereIsIt
2008-11-02 01:40:26 ----D---- D:\Program Files\Portable_WhereIsIt_3.92_Build_405_
2008-11-02 01:39:40 ----D---- D:\Program Files\Portable_SpeedConnect_Internet_Accelerator_7_1.5_Www.SoftArchive.Net
2008-11-01 17:36:51 ----D---- D:\Program Files\Recuva
2008-11-01 02:17:00 ----D---- D:\Program Files\P_PhotoshopCs4-
2008-10-30 01:12:21 ----D---- D:\Program Files\DNA
2008-10-30 00:31:02 ----D---- C:\Documents and Settings\All Users\Application Data\Team MediaPortal
2008-10-30 00:30:05 ----D---- D:\Program Files\Team MediaPortal
2008-10-29 21:12:54 ----D---- C:\Documents and Settings\A.ANGELOV\Application Data\LimeWire
2008-10-29 21:12:20 ----D---- D:\Program Files\LimeWire
2008-10-28 19:50:03 ----D---- D:\Program Files\Microsoft SQL Server
2008-10-28 19:44:30 ----D---- D:\Program Files\Microsoft Device Emulator
2008-10-28 19:43:54 ----D---- D:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2008-10-28 19:26:54 ----D---- D:\Program Files\MSBuild
2008-10-28 19:15:14 ----D---- D:\Program Files\Microsoft Visual Studio 8
2008-10-28 19:15:14 ----D---- D:\Program Files\HTML Help Workshop
2008-10-28 19:15:14 ----D---- D:\Program Files\CE Remote Tools
2008-10-28 19:15:14 ----D---- C:\WINDOWS\Symbols
2008-10-28 19:15:14 ----D---- C:\Program Files\Common Files\Merge Modules
2008-10-28 19:15:14 ----D---- C:\Program Files\Common Files\Business Objects
2008-10-28 19:15:14 ----D---- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
2008-10-27 22:06:11 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-10-27 22:02:36 ----RSD---- C:\WINDOWS\assembly
2008-10-27 22:01:38 ----D---- C:\WINDOWS\Microsoft.NET

======List of files/folders modified in the last 1 months======

2008-11-24 01:13:12 ----D---- C:\WINDOWS\Prefetch
2008-11-24 01:11:56 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-11-24 01:03:44 ----D---- D:\Program Files\Mozilla Firefox
2008-11-24 01:02:18 ----D---- C:\WINDOWS\system32
2008-11-24 00:05:38 ----D---- C:\WINDOWS\Temp
2008-11-24 00:03:06 ----D---- C:\Documents and Settings\A.ANGELOV\Application Data\skypePM
2008-11-23 23:50:16 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-23 23:44:53 ----D---- D:\Program Files\COMODO
2008-11-23 23:44:53 ----D---- C:\Documents and Settings\A.ANGELOV\Application Data\Comodo
2008-11-23 23:43:25 ----D---- C:\WINDOWS\system32\drivers
2008-11-23 23:38:34 ----D---- C:\WINDOWS\system32\config
2008-11-23 23:37:51 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-23 22:15:30 ----D---- D:\Program Files\Unlocker
2008-11-23 22:14:25 ----D---- C:\WINDOWS
2008-11-23 17:14:46 ----SHD---- C:\WINDOWS\Installer
2008-11-23 05:38:44 ----A---- C:\WINDOWS\NeroDigital.ini
2008-11-23 01:22:00 ----RD---- D:\Program Files\Skype
2008-11-23 01:21:59 ----D---- C:\Documents and Settings\All Users\Application Data\Skype
2008-11-23 01:21:15 ----D---- C:\WINDOWS\system32\appmgmt
2008-11-22 23:28:57 ----D---- C:\WINDOWS\system
2008-11-22 22:45:32 ----D---- D:\Program Files\ElcomSoft
2008-11-22 22:37:04 ----D---- C:\WINDOWS\system32\wbem
2008-11-22 22:37:02 ----D---- C:\WINDOWS\Registration
2008-11-22 22:36:45 ----D---- D:\Program Files\BitSpirit
2008-11-22 22:35:50 ----D---- D:\Program Files\Gimp-2.0
2008-11-22 22:33:51 ----D---- D:\Program Files\AIMP2
2008-11-22 22:28:44 ----SHD---- C:\RECYCLER
2008-11-22 22:28:23 ----D---- C:\Program Files\Common Files\InstallShield
2008-11-22 22:28:23 ----D---- C:\Documents and Settings\A.ANGELOV\Application Data\Macromedia
2008-11-22 22:27:46 ----D---- C:\WINDOWS\system32\Restore
2008-11-22 22:19:21 ----D---- C:\Documents and Settings
2008-11-22 16:39:09 ----D---- C:\WINDOWS\Debug
2008-11-22 02:09:58 ----SD---- C:\Documents and Settings\A.ANGELOV\Application Data\Microsoft
2008-11-18 13:58:41 ----D---- C:\Documents and Settings\A.ANGELOV\Application Data\Adobe
2008-11-15 22:15:49 ----D---- C:\WINDOWS\security
2008-11-10 20:09:49 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-11-10 01:42:33 ----D---- C:\WINDOWS\addins
2008-10-31 19:16:46 ----HD---- C:\WINDOWS\inf
2008-10-28 20:01:20 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-28 19:57:29 ----D---- D:\Program Files\Microsoft.NET
2008-10-28 19:32:10 ----A---- C:\WINDOWS\ODBC.INI
2008-10-28 19:28:39 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-10-28 19:26:31 ----D---- C:\WINDOWS\Help
2008-10-28 19:25:52 ----D---- C:\WINDOWS\system32\1033
2008-10-28 19:15:38 ----RSD---- C:\WINDOWS\Fonts
2008-10-28 19:15:14 ----D---- C:\WINDOWS\pchealth
2008-10-27 22:11:55 ----D---- C:\WINDOWS\WinSxS
2008-10-27 22:01:44 ----D---- D:\Program Files\internet explorer
2008-10-27 22:01:44 ----D---- C:\WINDOWS\system32\mui

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2008-11-18 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-11-18 110160]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2008-11-18 50864]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2005-10-15 36096]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-11-18 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2008-11-18 94032]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2008-09-24 4122368]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2008-11-18 23152]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2003-03-21 1261418]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2006-01-16 27264]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2005-10-15 57856]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-12-28 26368]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-11-18 18752]
R2 avast! Antivirus;avast! Antivirus; D:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-11-18 155160]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); d:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2005-10-14 28768528]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\system32\nvsvc32.exe [2003-03-21 69632]
R3 avast! Mail Scanner;avast! Mail Scanner; D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-11-18 254040]
R3 avast! Web Scanner;avast! Web Scanner; D:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-11-18 352920]
S2 SVCHOSTS32;Windows Host Services ; C:\WINDOWS\system\svchost.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SQLWriter;SQL Server VSS Writer; d:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2005-10-14 87768]
S3 WMConnectCDS;Windows Media Connect Service; C:\Program Files\Windows Media Connect 2\wmccds.exe [2005-10-06 855552]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; D:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; d:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 45272]
S4 msvsmon80;Visual Studio 2005 Remote Debugger; D:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S4 SQLBrowser;SQL Server Browser; d:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2005-10-14 239320]

-----------------EOF-----------------


Here is the info file:

info.txt logfile of random's system information tool 1.04 2008-11-24 01:14:00

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.60 beta-->"D:\Program Files\7-Zip\Uninstall.exe"
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
AIMP2-->D:\Program Files\AIMP2\UnInstall.exe
avast! Antivirus-->D:\Program Files\Alwil Software\Avast4\aswRunDll.exe "D:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
BitSpirit v3.3.2.327 Stable-->"D:\Program Files\BitSpirit\unins000.exe"
Cam On 1.0-->"C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\177A970D7E05474FBE7059A182672B58\Cam On\unins000.exe"
CDRoller version 7.61-->"D:\Program Files\CDRoller\unins000.exe"
Download Accelerator Plus (DAP)-->D:\PROGRA~1\DAP\DAPREMOVE.EXE
foobar2000 v0.9.6 beta 5-->"D:\Program Files\foobar2000\uninstall.exe" _?=D:\Program Files\foobar2000
FormatFactory-->MsiExec.exe /X{E42420E7-D4A5-4264-BFF2-29743465A791}
Foxit Reader-->D:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
GameSpy Arcade-->D:\PROGRA~1\GAMESP~1\UNWISE.EXE D:\PROGRA~1\GAMESP~1\INSTALL.LOG
Gimp 2.6.1-->"D:\Program Files\Gimp-2.0\setup\unins000.exe"
GOM Player-->"D:\Program Files\GRETECH\GomPlayer\Uninstall.exe"
HijackThis 2.0.2-->"D:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Intel Application Accelerator-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{9984DF60-1C5B-11D3-ACA1-908A4FC10801}\Setup.exe" -INTELUNINST
IrfanView (remove only)-->D:\Program Files\IrfanView\iv_uninstall.exe
Java(TM) SE Runtime Environment 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
LimeWire PRO 4.18.2-->"D:\Program Files\LimeWire\uninstall.exe"
MediaCoder 0.6.1-->D:\Program Files\MediaCoder\uninst.exe
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Age of Empires II Trial Version-->"D:\Igri\Age of Empires II\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Device Emulator version 1.0 - ENU-->MsiExec.exe /X{78B75C6D-E53C-424C-BF83-4B63BD4A6682}
Microsoft Document Explorer 2005-->C:\Program Files\Common Files\Microsoft Shared\Help 8\Microsoft Document Explorer 2005\install.exe
Microsoft Document Explorer 2005-->MsiExec.exe /X{44D4AF75-6870-41F5-9181-662EA05507E1}
Microsoft Office 2003 Edition Macedonian Interface Pack-->MsiExec.exe /I{91FF042F-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Rise Of Nations-->"D:\Igri\Rise of Nations\UNINSTAL.EXE" /runtemp /addremove
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)-->MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools-->MsiExec.exe /X{1389C6A4-4965-4AEC-9175-08B54A10FA48}
Microsoft SQL Server 2005 Tools Express Edition-->MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server 2005-->"d:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server Native Client-->MsiExec.exe /I{BF251EAF-8697-4E89-BF09-C998F97BBC40}
Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer-->MsiExec.exe /I{1CBE3804-20DF-48DA-B048-895C206E80A5}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual J# 2.0 Redistributable Package-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Microsoft Visual Studio 2005 Professional Edition - ENU-->D:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Studio 2005 Professional Edition - ENU\setup.exe
Mozilla Firefox (3.0.4)-->D:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 6.0 Parser-->MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}
MSXML4 Parser-->MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Nero 8 Lite 8.3.2.1b-->"D:\Program Files\Nero\unins000.exe"
NVIDIA Windows 2000/XP Display Drivers-->rundll32.exe C:\WINDOWS\system32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
PDFCreator Toolbar-->"C:\WINDOWS\PDFCreator_Toolbar_Uninstaller_8734.exe" _?=D:\Program Files\PDFCreator Toolbar
PDFCreator-->"C:\WINDOWS\PDFCreator_Toolbar_Uninstaller_8734.exe" -hu _?=D:\Program Files\PDFCreator Toolbar
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Recuva (remove only)-->"D:\Program Files\Recuva\uninst.exe"
Skype™ Beta 4.0-->MsiExec.exe /X{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}
Unlocker 1.8.7-->D:\Program Files\Unlocker\uninst.exe
VideoGet-->"D:\Program Files\Nuclear Coffee\VideoGet\unins000.exe"
VLC media player 0.9.2-->D:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp-->"D:\Program Files\Winamp\UninstWA.exe"
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"D:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Media Player 11-->"D:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 9 Series TweakMP PowerToy-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tweakmp.inf,DefaultUninstall

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: avast! antivirus 4.8.1290 [VPS 081123-0]
FW: COMODO Firewall

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;d:\Program Files\Microsoft SQL Server\90\Tools\binn\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0207
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"VS80COMNTOOLS"=D:\Program Files\Microsoft Visual Studio 8\Common7\Tools\

-----------------EOF-----------------




p.s. My avast 4! antivirus found a virus:
original name: y.exe
description: Win32:Spywere-gen [Trj]
folder: C:\windows\system32
but it can't be deleted because it keeps coming back.

Thank you for your help!!
 

· Registered
Joined
·
1,381 Posts
Information


==============================WARNING==============================
There is some evidence of what may be a very nasty infection.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Back up all important data on the machine.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
==============================WARNING==============================


IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Shareaza
uTorrent
BitSpirit
DNA
BitTorrent
LimeWire


I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Please note: you must NOT use this whilst we are cleaning your machine.


----------------------------------------------------------- -----------------------------------------------------------

Step 1


Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

----------------------------------------------------------- -----------------------------------------------------------
Step 2


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

----------------------------------------------------------- -----------------------------------------------------------
Step 3

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • MalwareBytes Log
  • Combofix Log

----------------------------------------------------------- -----------------------------------------------------------

Additional Notes

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Now download and install Java Runtime Environment (JRE).
 

· Registered
Joined
·
3 Posts
Discussion Starter · #5 ·
Malwarebytes' Anti-Malware 1.30
Database version: 1419
Windows 5.1.2600 Service Pack 2

24.11.2008 21:05:50
mbam-log-2008-11-24 (21-05-50).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 247777
Time elapsed: 1 hour(s), 50 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\PROGRAMI\Nero 8 Lite 8.3.2.1b\KeyGen.exe (Trojan.Agent) -> Quarantined and deleted successfully.




ComboFix 08-11-23.02 - A.ANGELOV 2008-11-24 21:09:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.48 [GMT 1:00]
Running from: c:\documents and settings\A.ANGELOV\Desktop\FORUM recomendation\step 2\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\A.ANGELOV\Favorites\Download programs.url
c:\documents and settings\A.ANGELOV\Favorites\Games.url
c:\documents and settings\A.ANGELOV\Favorites\Translator.url
c:\documents and settings\A.ANGELOV\Favorites\Videos.url
c:\documents and settings\A.ANGELOV\Start Menu\Programs\Download programs.url
c:\documents and settings\A.ANGELOV\Start Menu\Programs\Games.url
c:\documents and settings\A.ANGELOV\Start Menu\Programs\Translator.url
c:\documents and settings\A.ANGELOV\Start Menu\Programs\Videos.url

.
((((((((((((((((((((((((( Files Created from 2008-10-24 to 2008-11-24 )))))))))))))))))))))))))))))))
.

2008-11-24 16:43 . 2008-11-24 16:43 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2008-11-24 16:43 . 2008-11-24 16:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-24 16:43 . 2008-11-24 16:43 <DIR> d-------- c:\documents and settings\A.ANGELOV\Application Data\Malwarebytes
2008-11-24 16:43 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-24 16:43 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-24 16:27 . 2008-11-24 16:27 <DIR> d-------- d:\program files\CDisplay
2008-11-24 01:13 . 2008-11-24 01:14 <DIR> d-------- C:\rsit
2008-11-23 22:25 . 2003-03-18 21:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2008-11-23 22:23 . 2008-11-23 22:23 <DIR> d-------- d:\program files\Alwil Software
2008-11-23 22:14 . 2008-11-23 22:14 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-23 21:51 . 2008-11-23 21:51 <DIR> d-------- d:\program files\ProcessExplorer
2008-11-23 21:47 . 2008-11-23 21:47 <DIR> d-------- d:\program files\Autoruns
2008-11-23 01:21 . 2008-11-23 01:21 <DIR> d-------- c:\program files\Common Files\Skype
2008-11-22 22:36 . 2008-11-22 22:36 <DIR> d-------- d:\program files\GameSpy Arcade
2008-11-22 22:33 . 2008-11-23 02:43 <DIR> d-------- d:\program files\PDFCreator Toolbar
2008-11-22 22:29 . 2008-11-23 23:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\comodo
2008-11-22 22:28 . 2008-11-23 18:05 <DIR> d-------- c:\documents and settings\A.ANGELOV\Application Data\vlc
2008-11-22 22:28 . 2008-11-22 22:28 <DIR> d-------- c:\documents and settings\A.ANGELOV\Application Data\uTorrent
2008-11-22 22:28 . 2008-11-24 05:29 <DIR> d-------- c:\documents and settings\A.ANGELOV\Application Data\Skype
2008-11-22 22:19 . 2008-11-22 22:28 <DIR> d---s---- c:\documents and settings\Administrator
2008-11-22 22:16 . 2008-11-24 14:55 59 --a------ c:\windows\system32\i
2008-11-22 21:59 . 2008-11-23 17:14 <DIR> d-------- d:\program files\FormatFactory
2008-11-22 02:09 . 2008-11-22 22:30 <DIR> d-------- d:\program files\Text to Speech Maker
2008-11-22 02:09 . 2008-11-22 22:30 <DIR> d-------- d:\program files\Common Files
2008-11-21 20:36 . 2008-11-22 22:30 <DIR> d-------- d:\program files\Allok AVI to DVD SVCD VCD Converter
2008-11-20 01:14 . 2008-11-22 22:28 <DIR> d-------- c:\documents and settings\A.ANGELOV\Application Data\Skype(2)
2008-11-19 21:48 . 2008-11-19 21:49 <DIR> d-------- d:\program files\Macromedia
2008-11-19 21:48 . 2008-11-22 22:28 <DIR> d-------- c:\program files\Common Files\Macromedia
2008-11-19 21:47 . 2008-11-19 21:47 <DIR> d-------- c:\windows\Downloaded Installations
2008-11-18 13:55 . 2008-11-18 13:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Adobe(2)
2008-11-18 13:54 . 2008-11-22 22:28 <DIR> d-------- c:\program files\Common Files\Adobe(2)
2008-11-16 19:05 . 2008-11-16 19:05 <DIR> d-------- d:\program files\IObit
2008-11-14 23:51 . 2008-11-22 22:35 <DIR> d-------- d:\program files\EvilLyrics
2008-11-12 13:42 . 2008-11-12 13:42 <DIR> d-------- c:\documents and settings\A.ANGELOV\Application Data\MathWorks
2008-11-12 12:54 . 2008-11-12 12:54 <DIR> d-------- d:\program files\MATLAB
2008-11-12 01:14 . 2008-11-12 01:14 <DIR> d-------- c:\documents and settings\A.ANGELOV\Application Data\BSplayer Pro
2008-11-12 01:14 . 2008-11-22 22:28 <DIR> d-------- c:\documents and settings\A.ANGELOV\Application Data\BSplayer
2008-11-12 00:43 . 2008-11-22 22:28 <DIR> d-------- c:\documents and settings\A.ANGELOV\Application Data\vlc(2)
2008-11-10 01:56 . 2008-11-22 22:36 <DIR> d-------- d:\program files\Folder Lock
2008-11-10 01:42 . 2008-11-10 01:48 1,004 --ahs---- c:\windows\system32\sys_drv.dat
2008-11-09 22:39 . 2008-11-22 22:36 <DIR> d-------- d:\program files\pl
2008-11-09 16:18 . 2008-11-09 16:18 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-11-09 04:00 . 2008-11-22 22:36 <DIR> d-------- d:\program files\Streamripper
2008-11-08 23:58 . 2008-11-08 23:58 <DIR> d-------- c:\documents and settings\A.ANGELOV\Application Data\Thinstall
2008-11-03 07:28 . 2008-11-22 22:28 <DIR> d-------- c:\program files\Common Files\HTML Executable Viewer
2008-11-02 20:56 . 2008-11-23 02:52 <DIR> d-------- d:\program files\foobar2000
2008-11-02 20:56 . 2008-11-24 16:51 <DIR> d-------- c:\documents and settings\A.ANGELOV\Application Data\foobar2000
2008-11-02 19:42 . 2008-11-02 19:42 <DIR> d-------- c:\documents and settings\A.ANGELOV\Application Data\MSNInstaller
2008-11-02 18:03 . 2008-11-22 22:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-02 01:40 . 2008-11-02 01:40 <DIR> d-------- d:\program files\Portable_WhereIsIt_3.92_Build_405_
2008-11-02 01:40 . 2008-11-02 01:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\WhereIsIt
2008-11-02 01:39 . 2008-11-02 01:39 <DIR> d-------- d:\program files\Portable_SpeedConnect_Internet_Accelerator_7_1.5_Www.SoftArchive.Net
2008-11-01 23:42 . 2008-11-01 23:43 <DIR> d-------- c:\documents and settings\A.ANGELOV\MeCat
2008-11-01 17:36 . 2008-11-01 17:36 <DIR> d-------- d:\program files\Recuva
2008-11-01 02:17 . 2008-11-01 02:17 <DIR> d-------- d:\program files\P_PhotoshopCs4-
2008-10-30 01:12 . 2008-11-23 16:58 <DIR> d-------- d:\program files\DNA
2008-10-30 00:31 . 2008-10-30 00:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Team MediaPortal
2008-10-30 00:30 . 2008-10-30 00:30 <DIR> d-------- d:\program files\Team MediaPortal
2008-10-29 21:12 . 2008-11-08 18:47 <DIR> d-------- c:\documents and settings\A.ANGELOV\Application Data\LimeWire
2008-10-28 19:50 . 2008-10-28 20:02 <DIR> d-------- d:\program files\Microsoft SQL Server
2008-10-28 19:44 . 2008-10-28 19:44 <DIR> d-------- d:\program files\Microsoft Device Emulator
2008-10-28 19:43 . 2008-10-28 19:43 <DIR> d-------- d:\program files\Microsoft SQL Server 2005 Mobile Edition
2008-10-28 19:26 . 2008-10-28 19:26 <DIR> d-------- d:\program files\MSBuild
2008-10-28 19:15 . 2008-10-28 19:27 <DIR> d-------- d:\program files\Microsoft Visual Studio 8
2008-10-28 19:15 . 2008-10-28 19:26 <DIR> d-------- d:\program files\HTML Help Workshop
2008-10-28 19:15 . 2008-10-28 19:15 <DIR> d-------- d:\program files\CE Remote Tools
2008-10-28 19:15 . 2008-10-28 19:15 <DIR> d-------- c:\windows\Symbols
2008-10-28 19:15 . 2008-10-28 19:24 <DIR> d-------- c:\program files\Common Files\Merge Modules
2008-10-28 19:15 . 2008-10-28 19:17 <DIR> d-------- c:\program files\Common Files\Business Objects
2008-10-28 19:15 . 2008-10-28 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2008-10-27 22:06 . 2008-11-22 22:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-24 15:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-24 02:35 --------- d-----w c:\documents and settings\A.ANGELOV\Application Data\skypePM
2008-11-23 22:44 --------- d-----w d:\program files\COMODO
2008-11-23 22:44 --------- d-----w c:\documents and settings\A.ANGELOV\Application Data\Comodo
2008-11-23 21:15 --------- d-----w d:\program files\Unlocker
2008-11-23 00:22 --------- d-----r d:\program files\Skype
2008-11-23 00:21 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-11-22 21:45 --------- d-----w d:\program files\ElcomSoft
2008-11-22 21:35 --------- d-----w d:\program files\Gimp-2.0
2008-11-22 21:33 --------- d-----w d:\program files\AIMP2
2008-11-22 21:28 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-28 18:57 --------- d-----w d:\program files\Microsoft.NET
2008-10-23 21:57 --------- d-----w c:\documents and settings\A.ANGELOV\Application Data\IrfanView
2008-10-20 16:53 --------- d-----w d:\program files\FDRLab
2008-10-19 21:06 --------- d-----w d:\program files\Trend Micro
2008-10-19 19:06 --------- d-----w c:\documents and settings\A.ANGELOV\Application Data\Winamp
2008-10-19 17:33 --------- d-----w d:\program files\Winamp
2008-10-18 16:58 --------- d-----w c:\documents and settings\A.ANGELOV\Application Data\Microsoft Games
2008-10-16 22:51 --------- d-----w d:\program files\Realtek AC97
2008-10-13 19:21 --------- d-----w d:\program files\VideoLAN
2008-10-13 19:21 --------- d-----w d:\program files\The KMPlayer1431
2008-10-13 18:21 253,139 ----a-w c:\windows\PDFCreator_Toolbar_Uninstaller_8734.exe
2008-10-13 18:21 --------- d-----w d:\program files\PDFCreator
2008-10-13 15:43 --------- d-----w c:\program files\Common Files\L&H
2008-10-13 15:42 --------- d-----w d:\program files\Microsoft ActiveSync
2008-10-13 15:41 --------- d-----w d:\program files\Microsoft Works
2008-10-09 14:01 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-10-06 16:39 --------- d-----w d:\program files\Java
2008-10-06 16:39 --------- d-----w c:\program files\Common Files\Java
2008-10-05 20:44 --------- d-----w d:\program files\MediaCoder
2008-10-04 20:13 --------- d-----w d:\program files\IrfanView
2008-10-03 20:00 --------- d-----w d:\program files\CDRoller
2008-10-03 20:00 --------- d-----w c:\documents and settings\A.ANGELOV\Application Data\CDRoller
2008-10-03 19:45 --------- d-----w d:\program files\Nuclear Coffee
2008-10-01 13:51 --------- d-----w d:\program files\DAP
2008-10-01 13:47 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2008-10-01 03:27 --------- d-----w c:\documents and settings\A.ANGELOV\Application Data\GRETECH
2008-09-30 23:01 --------- d-----w d:\program files\Windows Media Connect 2
2008-09-30 23:01 --------- d-----w d:\program files\Runtime Software
2008-09-30 20:48 --------- d-----w c:\documents and settings\A.ANGELOV\Application Data\BitSpirit
2008-09-29 21:31 --------- d-----w d:\program files\Nero
2008-09-29 21:31 --------- d-----w c:\documents and settings\A.ANGELOV\Application Data\Nero
2008-09-29 21:30 --------- d-----w c:\program files\Common Files\Nero
2008-09-29 21:30 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-09-29 21:21 --------- d-----w d:\program files\GRETECH
2008-09-29 21:20 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-09-29 21:20 --------- d-----w d:\program files\Foxit Software
2008-09-29 21:17 --------- d--h--w d:\program files\InstallShield Installation Information
2008-09-29 21:01 --------- d-----w d:\program files\microsoft frontpage
2008-09-29 20:59 --------- d-----w d:\program files\AvRack
2008-09-29 20:59 --------- d-----w d:\program files\Avance Sound Manager
2008-09-29 20:36 --------- d-----w d:\program files\7-Zip
2008-09-24 08:40 4,122,368 ----a-r c:\windows\system32\drivers\alcxwdm.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-03-21 4616192]
"SunJavaUpdateSched"="d:\program files\Java\jre1.6.0\bin\jusched.exe" [2008-10-06 77824]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-18 81000]
"nwiz"="nwiz.exe" [2003-03-21 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-23 110160]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-23 20560]
S2 SVCHOSTS32;Windows Host Services ;"c:\windows\system\svchost.exe" []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"d:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-COMODO Firewall Pro - d:\program files\COMODO\Firewall\cfp.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\A.ANGELOV\Application Data\Mozilla\Firefox\Profiles\13d5rvix.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - d:\program files\Java\jre1.6.0\bin\npjava11.dll
FF -: plugin - d:\program files\Java\jre1.6.0\bin\npjava12.dll
FF -: plugin - d:\program files\Java\jre1.6.0\bin\npjava13.dll
FF -: plugin - d:\program files\Java\jre1.6.0\bin\npjava14.dll
FF -: plugin - d:\program files\Java\jre1.6.0\bin\npjava32.dll
FF -: plugin - d:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF -: plugin - d:\program files\Java\jre1.6.0\bin\npoji610.dll
FF -: plugin - d:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - d:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-24 21:12:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
c:\windows\system32\rsaenh.dll

- - - - - - - > 'lsass.exe'(584)
c:\windows\system32\msprivs.dll
c:\windows\system32\rsaenh.dll
.
Completion time: 2008-11-24 21:23:00
ComboFix-quarantined-files.txt 2008-11-24 20:22:57

Pre-Run: 4.647.079.936 bytes free
Post-Run: 4,779,073,536 bytes free

215
 

· Registered
Joined
·
1,381 Posts
Cracks, Keygens and Warez

Nero 8 Lite 8.3.2.1b\KeyGen.exe

In doing the crack, the 'cracker' has broken the 'End User Licence Agreement' (EULA) of the product.
The distribution and use of cracked software is illegal in almost every developed country.
They are also one of the biggest causes of infection.

This applies to Cracks, Keygens and Warez

In the future I strongly suggest you stay away from using cracks and/or Keygens.
If you have any other files like this, please remove them now.



Kaspersky Online Scanner.
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
 