
Registered · 5 Posts · Discussion Starter · #1
Well, I don't know what happened but now every time I try to look at my computer properties or access control panel or even my programs list it says that I am not allowed to access it because I do not have administrative properties. I have gone into safe mode and created another administrator account to see if my original profile became a limited profile but it is still marked as administrator. How can I fix this?

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:54:55 PM, on 2/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\WINDOWS\system32\VTTimer.exe
D:\WINDOWS\system32\Rundll32.exe
D:\Program Files\Picasa2\PicasaMediaDetector.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\QuickTime\QTTask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\AIM6\aim6.exe
D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\AIM6\aolsoftware.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Steam\steam.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Iskah\Desktop\HiJackThis_v2.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\shell.exe
F3 - REG:win.ini: run="D:\WINDOWS\system32\winupdate.exe"
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23314D99-1240-4d4f-A25C-17E44823D048} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {CE22ABA3-B540-4D26-9BE2-425AF0F411E8} - D:\WINDOWS\system32\gebbbxv.dll
O2 - BHO: (no name) - {F468E8AE-B6DA-4C6C-9FFA-D221FEE3469E} - D:\WINDOWS\system32\geedd.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Google Desktop Search] "D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Printer] D:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Aim6] "D:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Spoolsv] D:\WINDOWS\system32\spoolvs.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Picture Package Menu.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - AppInit_DLLs: D:\WINDOWS\system32\wowfx.dll D:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: gebbbxv - D:\WINDOWS\SYSTEM32\gebbbxv.dll
O20 - Winlogon Notify: winzlo32 - winzlo32.dll (file missing)
O21 - SSODL: CDService - {b516a86f-2406-4678-9ec0-eea54b88900d} - D:\WINDOWS\Installer\{b516a86f-2406-4678-9ec0-eea54b88900d}\CDService.dll (file missing)
O21 - SSODL: zip - {67d8aa12-5d27-4999-9e8f-9fa1fe1777b5} - D:\WINDOWS\Installer\{67d8aa12-5d27-4999-9e8f-9fa1fe1777b5}\zip.dll (file missing)
O21 - SSODL: SetupUnknown - {38f13f00-a8e5-4a96-aa5a-0c9a208b5810} - D:\WINDOWS\Installer\{38f13f00-a8e5-4a96-aa5a-0c9a208b5810}\SetupUnknown.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8900 bytes
 

Administrator · 123,536 Posts
Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Combofix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
 

Registered · 5 Posts · Discussion Starter · #3
ComboFix 08-03-03.17 - Iskah 2008-03-03 19:28:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1546 [GMT -6:00]
Running from: D:\Documents and Settings\Iskah\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Program Files\SystemDefender
D:\WINDOWS\system32\ddccawu.dll
D:\WINDOWS\system32\ddeeg.ini
D:\WINDOWS\system32\ddeeg.ini2
D:\WINDOWS\system32\ipv6monk.dll
D:\WINDOWS\system32\mcrh.tmp
D:\WINDOWS\system32\wscmp.dll
D:\WINDOWS\system32\yayyxyy.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NTLOAD
-------\ntload

((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-03 18:43 . 2008-03-03 18:43 d-------- D:\Program Files\iPod
2008-03-02 13:02 . 2008-03-03 19:40 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2008-03-02 13:02 . 2008-03-02 13:02 1,409 --a------ D:\WINDOWS\QTFont.for
2008-03-02 02:54 . 2008-03-03 18:42 d-------- D:\Program Files\QuickTime
2008-03-02 02:54 . 2008-03-02 02:54 d-------- D:\Program Files\MSXML 6.0
2008-03-01 09:26 . 2008-03-01 09:26 d----c--- D:\WINDOWS\system32\DRVSTORE
2008-03-01 09:26 . 2008-03-01 09:26 d-------- D:\Documents and Settings\Other Administrator\Application Data\Talkback
2008-03-01 09:18 . 2008-03-01 09:18 d-------- D:\Documents and Settings\Other Administrator\Application Data\Apple Computer
2008-02-29 11:44 . 2008-03-01 09:17 d-------- D:\Documents and Settings\Other Administrator\Application Data\AVG7
2008-02-28 22:01 . 2008-03-03 12:58 d-------- D:\Documents and Settings\Iskah\Application Data\AVG7
2008-02-28 22:00 . 2008-02-28 22:00 d-------- D:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-28 22:00 . 2008-02-28 22:00 d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-28 22:00 . 2008-02-28 22:05 d-------- D:\Documents and Settings\All Users\Application Data\avg7
2008-02-28 22:00 . 2008-02-28 22:00 499,712 --a------ D:\WINDOWS\system32\msvcp71.dll
2008-02-28 22:00 . 2008-02-28 22:00 348,160 --a------ D:\WINDOWS\system32\msvcr71.dll
2008-02-28 21:45 . 2008-02-28 21:45 9,773 --a------ D:\Documents and Settings\Iskah\spoolsv.bin
2008-02-28 21:44 . 2008-02-28 21:44 4,608 --a------ D:\Program Files\tmp147062.exe
2008-02-28 21:32 . 2008-02-28 21:32 d-------- D:\Program Files\SysCleaner
2008-02-28 21:21 . 2008-02-28 21:21 4,608 --a------ D:\Program Files\tmp2819843.exe
2008-02-28 21:21 . 2008-02-28 21:21 4,608 --a------ D:\Program Files\tmp2803296.exe
2008-02-28 21:20 . 2008-02-28 21:20 16,524 --a------ D:\Program Files\tmp2734890.exe
2008-02-28 21:20 . 2008-02-28 21:20 4,608 --a------ D:\Program Files\tmp2790125.exe
2008-02-28 21:20 . 2008-02-28 21:20 4,608 --a------ D:\Program Files\tmp2778890.exe
2008-02-28 21:18 . 2008-02-28 21:18 16,608 --a------ D:\Program Files\tmp2618140.exe
2008-02-28 21:18 . 2008-02-28 21:18 16,608 --a------ D:\Program Files\tmp2613187.exe
2008-02-28 21:17 . 2008-02-28 21:17 16,608 --a------ D:\Program Files\tmp2603328.exe
2008-02-28 21:17 . 2008-02-28 21:17 16,608 --a------ D:\Program Files\tmp2598796.exe
2008-02-28 21:17 . 2008-02-28 21:17 16,608 --a------ D:\Program Files\tmp2597109.exe
2008-02-28 21:17 . 2008-02-28 21:17 16,556 --a------ D:\Program Files\tmp2597093.exe
2008-02-28 15:39 . 2008-02-28 15:39 d-------- D:\Documents and Settings\Iskah\Application Data\PlayFirst
2008-02-28 15:21 . 2008-02-28 15:21 d-------- D:\Program Files\ReflexiveArcade
2008-02-28 15:21 . 2008-02-28 20:52 d-------- D:\Program Files\Diner Dash

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 00:43 --------- d-----w D:\Program Files\iTunes
2008-03-03 20:44 --------- d-----w D:\Program Files\Steam
2008-02-28 03:57 --------- d-----w D:\Documents and Settings\Iskah\Application Data\OpenOffice.org2
2008-02-28 01:48 --------- d-----w D:\Program Files\Starcraft
2008-02-17 21:26 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-29 04:44 --------- d-----w D:\Program Files\Disaffected
2008-01-25 01:11 --------- d-----w D:\Program Files\Warcraft III
2008-01-24 01:56 --------- d-----w D:\Program Files\World of Warcraft
2008-01-10 01:51 --------- d-----w D:\Program Files\SpeedFan
2008-01-05 04:29 --------- d-----w D:\Documents and Settings\All Users\Application Data\Age of Empires 3
2007-12-07 00:44 666,112 ----a-w D:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w D:\WINDOWS\system32\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C92A3751-A8B9-4EBF-B8C8-9DD5C40EAEA5}]
D:\WINDOWS\system32\geedd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="D:\Program Files\AIM6\aim6.exe" [2007-04-27 15:17 50736]
"Yahoo! Pager"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 12:49 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-12-19 00:53 53248 D:\WINDOWS\system32\VTTimer.exe]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 D:\WINDOWS\system32\P17.dll]
"Picasa Media Detector"="D:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-12-11 18:36 366400]
"Google Desktop Search"="D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-01-03 14:46 227328]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43 83608]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 00:07 81920]
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-28 22:02 579072]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="D:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-28 22:00 219136]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 02:22:40 757760]
Kodak software updater.lnk - D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Picture Package Menu.lnk - D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2006-12-20 21:44:00 151552]
Picture Package VCD Maker.lnk - D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2006-12-20 21:43:53 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CDService"= {b516a86f-2406-4678-9ec0-eea54b88900d} - D:\WINDOWS\Installer\{b516a86f-2406-4678-9ec0-eea54b88900d}\CDService.dll [ ]
"zip"= {67d8aa12-5d27-4999-9e8f-9fa1fe1777b5} - D:\WINDOWS\Installer\{67d8aa12-5d27-4999-9e8f-9fa1fe1777b5}\zip.dll [ ]
"SetupUnknown"= {38f13f00-a8e5-4a96-aa5a-0c9a208b5810} - D:\WINDOWS\Installer\{38f13f00-a8e5-4a96-aa5a-0c9a208b5810}\SetupUnknown.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbbxv]
gebbbxv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzlo32]
winzlo32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"D:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"D:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE"=
"D:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\counter-strike\\hl.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\day of defeat\\hl.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\half-life\\hl.exe"=
"D:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\Repair.exe"=
"D:\\Program Files\\Starcraft\\StarCraft.exe"=
"D:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"=
"D:\\Program Files\\AIM6\\aim6.exe"=
"D:\\Program Files\\Steam\\steam.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\half-life 2 deathmatch\\hl2.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\counter-strike source\\hl2.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\team fortress 2\\hl2.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\day of defeat source\\hl2.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\source sdk base\\hl2.exe"=
"D:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"%windir%\\system32\\winav.exe"=
"D:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"D:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"D:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"D:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 18:46:01 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 19:40:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\WINDOWS\system32\Rundll32.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\AIM6\aolsoftware.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-03-03 19:49:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 01:49:08
.
2008-03-02 08:56:46 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:52:53 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\WINDOWS\system32\VTTimer.exe
D:\WINDOWS\system32\Rundll32.exe
D:\Program Files\Picasa2\PicasaMediaDetector.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\QuickTime\QTTask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\AIM6\aim6.exe
D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
D:\Program Files\AIM6\aolsoftware.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Iskah\Desktop\Anti Spyware and Anti Virus\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {C92A3751-A8B9-4EBF-B8C8-9DD5C40EAEA5} - D:\WINDOWS\system32\geedd.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Google Desktop Search] "D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Aim6] "D:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Picture Package Menu.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - Winlogon Notify: gebbbxv - gebbbxv.dll (file missing)
O20 - Winlogon Notify: winzlo32 - winzlo32.dll (file missing)
O21 - SSODL: CDService - {b516a86f-2406-4678-9ec0-eea54b88900d} - D:\WINDOWS\Installer\{b516a86f-2406-4678-9ec0-eea54b88900d}\CDService.dll (file missing)
O21 - SSODL: zip - {67d8aa12-5d27-4999-9e8f-9fa1fe1777b5} - D:\WINDOWS\Installer\{67d8aa12-5d27-4999-9e8f-9fa1fe1777b5}\zip.dll (file missing)
O21 - SSODL: SetupUnknown - {38f13f00-a8e5-4a96-aa5a-0c9a208b5810} - D:\WINDOWS\Installer\{38f13f00-a8e5-4a96-aa5a-0c9a208b5810}\SetupUnknown.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8809 bytes
 

Administrator · 123,536 Posts
Open Notepad and copy and paste the text in the code box below into it:

Code:
File::
D:\Documents and Settings\Iskah\spoolsv.bin
D:\Program Files\tmp147062.exe
D:\Program Files\tmp2819843.exe
D:\Program Files\tmp2803296.exe
D:\Program Files\tmp2734890.exe
D:\Program Files\tmp2790125.exe
D:\Program Files\tmp2778890.exe
D:\Program Files\tmp2618140.exe
D:\Program Files\tmp2613187.exe
D:\Program Files\tmp2603328.exe
D:\Program Files\tmp2598796.exe
D:\Program Files\tmp2597109.exe
D:\Program Files\tmp2597093.exe

Folder::
D:\Program Files\SysCleaner

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C92A3751-A8B9-4EBF-B8C8-9DD5C40EAEA5}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbbxv]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzlo32]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\WINDOWS\\system32\\winav.exe"=-

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
 

Registered · 5 Posts · Discussion Starter · #5
ComboFix 08-03-03.17 - Iskah 2008-03-04 21:01:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1612 [GMT -6:00]
Running from: D:\Documents and Settings\Iskah\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Iskah\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
D:\Documents and Settings\Iskah\spoolsv.bin
D:\Program Files\tmp147062.exe
D:\Program Files\tmp2597093.exe
D:\Program Files\tmp2597109.exe
D:\Program Files\tmp2598796.exe
D:\Program Files\tmp2603328.exe
D:\Program Files\tmp2613187.exe
D:\Program Files\tmp2618140.exe
D:\Program Files\tmp2734890.exe
D:\Program Files\tmp2778890.exe
D:\Program Files\tmp2790125.exe
D:\Program Files\tmp2803296.exe
D:\Program Files\tmp2819843.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\Iskah\spoolsv.bin
D:\Program Files\SysCleaner
D:\Program Files\tmp147062.exe
D:\Program Files\tmp2597093.exe
D:\Program Files\tmp2597109.exe
D:\Program Files\tmp2598796.exe
D:\Program Files\tmp2603328.exe
D:\Program Files\tmp2613187.exe
D:\Program Files\tmp2618140.exe
D:\Program Files\tmp2734890.exe
D:\Program Files\tmp2778890.exe
D:\Program Files\tmp2790125.exe
D:\Program Files\tmp2803296.exe
D:\Program Files\tmp2819843.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 )))))))))))))))))))))))))))))))
.

2008-03-03 18:43 . 2008-03-03 18:43 d-------- D:\Program Files\iPod
2008-03-02 13:02 . 2008-03-04 20:57 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2008-03-02 13:02 . 2008-03-02 13:02 1,409 --a------ D:\WINDOWS\QTFont.for
2008-03-02 02:54 . 2008-03-03 18:42 d-------- D:\Program Files\QuickTime
2008-03-02 02:54 . 2008-03-02 02:54 d-------- D:\Program Files\MSXML 6.0
2008-03-01 09:26 . 2008-03-01 09:26 d----c--- D:\WINDOWS\system32\DRVSTORE
2008-02-28 22:01 . 2008-03-04 10:34 d-------- D:\Documents and Settings\Iskah\Application Data\AVG7
2008-02-28 22:00 . 2008-02-28 22:00 d-------- D:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-28 22:00 . 2008-02-28 22:00 d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-28 22:00 . 2008-02-28 22:05 d-------- D:\Documents and Settings\All Users\Application Data\avg7
2008-02-28 22:00 . 2008-02-28 22:00 499,712 --a------ D:\WINDOWS\system32\msvcp71.dll
2008-02-28 22:00 . 2008-02-28 22:00 348,160 --a------ D:\WINDOWS\system32\msvcr71.dll
2008-02-28 15:39 . 2008-02-28 15:39 d-------- D:\Documents and Settings\Iskah\Application Data\PlayFirst
2008-02-28 15:21 . 2008-02-28 15:21 d-------- D:\Program Files\ReflexiveArcade
2008-02-28 15:21 . 2008-02-28 20:52 d-------- D:\Program Files\Diner Dash

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 03:13 --------- d-----w D:\Program Files\Steam
2008-03-04 00:43 --------- d-----w D:\Program Files\iTunes
2008-02-28 03:57 --------- d-----w D:\Documents and Settings\Iskah\Application Data\OpenOffice.org2
2008-02-28 01:48 --------- d-----w D:\Program Files\Starcraft
2008-02-17 21:26 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-29 04:44 --------- d-----w D:\Program Files\Disaffected
2008-01-25 01:11 --------- d-----w D:\Program Files\Warcraft III
2008-01-24 01:56 --------- d-----w D:\Program Files\World of Warcraft
2008-01-10 01:51 --------- d-----w D:\Program Files\SpeedFan
2008-01-05 04:29 --------- d-----w D:\Documents and Settings\All Users\Application Data\Age of Empires 3
2007-12-07 00:44 666,112 ----a-w D:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="D:\Program Files\AIM6\aim6.exe" [2007-04-27 15:17 50736]
"Yahoo! Pager"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 12:49 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-12-19 00:53 53248 D:\WINDOWS\system32\VTTimer.exe]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 D:\WINDOWS\system32\P17.dll]
"Picasa Media Detector"="D:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-12-11 18:36 366400]
"Google Desktop Search"="D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-01-03 14:46 227328]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43 83608]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 00:07 81920]
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-28 22:02 579072]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="D:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-28 22:00 219136]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 02:22:40 757760]
Kodak software updater.lnk - D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Picture Package Menu.lnk - D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2006-12-20 21:44:00 151552]
Picture Package VCD Maker.lnk - D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2006-12-20 21:43:53 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CDService"= {b516a86f-2406-4678-9ec0-eea54b88900d} - D:\WINDOWS\Installer\{b516a86f-2406-4678-9ec0-eea54b88900d}\CDService.dll [ ]
"zip"= {67d8aa12-5d27-4999-9e8f-9fa1fe1777b5} - D:\WINDOWS\Installer\{67d8aa12-5d27-4999-9e8f-9fa1fe1777b5}\zip.dll [ ]
"SetupUnknown"= {38f13f00-a8e5-4a96-aa5a-0c9a208b5810} - D:\WINDOWS\Installer\{38f13f00-a8e5-4a96-aa5a-0c9a208b5810}\SetupUnknown.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"D:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"D:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE"=
"D:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\counter-strike\\hl.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\day of defeat\\hl.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\half-life\\hl.exe"=
"D:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\Repair.exe"=
"D:\\Program Files\\Starcraft\\StarCraft.exe"=
"D:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"=
"D:\\Program Files\\AIM6\\aim6.exe"=
"D:\\Program Files\\Steam\\steam.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\half-life 2 deathmatch\\hl2.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\counter-strike source\\hl2.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\team fortress 2\\hl2.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\day of defeat source\\hl2.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\source sdk base\\hl2.exe"=
"D:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"%windir%\\system32\\winav.exe"=
"D:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"D:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"D:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"D:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 18:46:01 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 21:06:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-04 21:07:39
ComboFix-quarantined-files.txt 2008-03-05 03:07:19
ComboFix2.txt 2008-03-04 01:49:12
.
2008-03-02 08:56:46 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:55:50 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\VTTimer.exe
D:\Program Files\Picasa2\PicasaMediaDetector.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\QuickTime\QTTask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\AIM6\aim6.exe
D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
D:\Program Files\AIM6\aolsoftware.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Iskah\Desktop\Anti Spyware and Anti Virus\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Google Desktop Search] "D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Aim6] "D:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Picture Package Menu.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O21 - SSODL: CDService - {b516a86f-2406-4678-9ec0-eea54b88900d} - D:\WINDOWS\Installer\{b516a86f-2406-4678-9ec0-eea54b88900d}\CDService.dll (file missing)
O21 - SSODL: zip - {67d8aa12-5d27-4999-9e8f-9fa1fe1777b5} - D:\WINDOWS\Installer\{67d8aa12-5d27-4999-9e8f-9fa1fe1777b5}\zip.dll (file missing)
O21 - SSODL: SetupUnknown - {38f13f00-a8e5-4a96-aa5a-0c9a208b5810} - D:\WINDOWS\Installer\{38f13f00-a8e5-4a96-aa5a-0c9a208b5810}\SetupUnknown.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8355 bytes
 

Administrator · 123,536 Posts
Open Notepad and copy and paste the text in the code box below into it:

Code:
File::
C:\Windows\system32\wowfx.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CDService"=-
"zip"=-
"SetupUnknown"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\winav.exe"=-

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
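The helper's script above does two things to the loading points ComboFix reported: it deletes three ShellServiceObjectDelayLoad (SSODL) values whose DLLs no longer exist, and it restores SecurityProviders to the four default DLLs, dropping wowfx.dll. The check behind that script, written out as an added Python example (not ComboFix's, HijackThis's or the thread's own code): parse the "Reg Loading Points" section of a ComboFix log, flag every SSODL entry whose trailing bracket pair is empty (taken here to mean ComboFix found no file on disk, which matches the "(file missing)" the HijackThis O21 lines report for the same three entries), flag any SecurityProviders DLL outside the Windows XP SP2 default set, and render the matching CFScript Registry:: fragment in the syntax the helper used. The sample log lines are constructed from the log posted above; the benign "Example" SSODL entry is made up to show that an entry whose file is present is not flagged.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log for two of the
persistence points targeted by the CFScript above, and emit the matching
CFScript fragment. Added example for this thread; not ComboFix's own code."""
import re

# Windows XP SP2 default SecurityProviders value (the four DLLs the helper's
# script restores). Any other DLL in this value is a DLL load point that is
# honoured at startup, so it is worth removing even after the file is gone.
XP_SP2_SECURITY_PROVIDERS = ["msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"]

SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
SECPROV_KEY = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders"

# ComboFix prints each SSODL entry as:  "name"= {CLSID} - path [date time size]
# Assumption used here: an empty bracket pair means ComboFix found no file
# (the HijackThis O21 lines for the same entries say "(file missing)").
SSODL_LINE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*\{(?P<clsid>[^}]+)\}\s*-\s*(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$'
)
SECPROV_LINE = re.compile(r"^SecurityProviders\s+(?P<dlls>.+)$")

# Constructed sample: the relevant lines of the ComboFix log posted above,
# plus one made-up SSODL entry whose file is present (bracket pair filled).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CDService"= {b516a86f-2406-4678-9ec0-eea54b88900d} - D:\WINDOWS\Installer\{b516a86f-2406-4678-9ec0-eea54b88900d}\CDService.dll [ ]
"zip"= {67d8aa12-5d27-4999-9e8f-9fa1fe1777b5} - D:\WINDOWS\Installer\{67d8aa12-5d27-4999-9e8f-9fa1fe1777b5}\zip.dll [ ]
"SetupUnknown"= {38f13f00-a8e5-4a96-aa5a-0c9a208b5810} - D:\WINDOWS\Installer\{38f13f00-a8e5-4a96-aa5a-0c9a208b5810}\SetupUnknown.dll [ ]
"Example"= {00000000-0000-0000-0000-000000000000} - D:\WINDOWS\system32\example.dll [2004-08-04 07:00 12288]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll
"""


def audit_loading_points(log_text):
    """Return SSODL entries whose DLL is absent and any non-default
    SecurityProviders DLLs found in a ComboFix 'Reg Loading Points' dump."""
    findings = {"ssodl_missing": [], "extra_security_providers": []}
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        # A line of the form [HKEY_...] opens a new registry key block.
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        if current_key == SSODL_KEY.lower():
            m = SSODL_LINE.match(line)
            if m and not m.group("meta").strip():
                findings["ssodl_missing"].append({"name": m.group("name"), "path": m.group("path")})
        elif current_key == SECPROV_KEY.lower():
            m = SECPROV_LINE.match(line)
            if m:
                dlls = [d.strip().lower() for d in m.group("dlls").split(",") if d.strip()]
                findings["extra_security_providers"] = [
                    d for d in dlls if d not in XP_SP2_SECURITY_PROVIDERS
                ]
    return findings


def build_cfscript(findings):
    """Render a CFScript Registry:: fragment in the syntax the helper used:
    "name"=- deletes a value; "name"="..." sets it."""
    lines = ["Registry::"]
    if findings["ssodl_missing"]:
        lines.append("[" + SSODL_KEY + "]")
        lines.extend('"%s"=-' % entry["name"] for entry in findings["ssodl_missing"])
    if findings["extra_security_providers"]:
        lines.append("[" + SECPROV_KEY + "]")
        lines.append('"SecurityProviders"="%s"' % ", ".join(XP_SP2_SECURITY_PROVIDERS))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = audit_loading_points(SAMPLE_LOG)
    for entry in result["ssodl_missing"]:
        print("SSODL value with missing DLL:", entry["name"], "->", entry["path"])
    for dll in result["extra_security_providers"]:
        print("Non-default SecurityProviders DLL:", dll)
    print(build_cfscript(result))
```

Run against the sample, the audit flags CDService, zip and SetupUnknown (empty bracket pairs) and wowfx.dll (not in the XP SP2 baseline), and the generated fragment is the same Registry:: block the helper posted. The point of keeping the SecurityProviders check separate from any file check is visible in the second ComboFix log further down: wowfx.dll is still listed in the value after the file itself was targeted, so the registry value has to be restored on its own.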
 

Registered · 5 Posts · Discussion Starter · #7
ComboFix 08-03-03.17 - Iskah 2008-03-05 20:42:55.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1604 [GMT -6:00]
Running from: D:\Documents and Settings\Iskah\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Iskah\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Windows\system32\wowfx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

2008-03-03 18:43 . 2008-03-03 18:43 d-------- D:\Program Files\iPod
2008-03-02 13:02 . 2008-03-05 20:39 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2008-03-02 13:02 . 2008-03-02 13:02 1,409 --a------ D:\WINDOWS\QTFont.for
2008-03-02 02:54 . 2008-03-03 18:42 d-------- D:\Program Files\QuickTime
2008-03-02 02:54 . 2008-03-02 02:54 d-------- D:\Program Files\MSXML 6.0
2008-03-01 09:26 . 2008-03-01 09:26 d----c--- D:\WINDOWS\system32\DRVSTORE
2008-02-28 22:01 . 2008-03-05 08:00 d-------- D:\Documents and Settings\Iskah\Application Data\AVG7
2008-02-28 22:00 . 2008-02-28 22:00 d-------- D:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-28 22:00 . 2008-02-28 22:00 d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-28 22:00 . 2008-02-28 22:05 d-------- D:\Documents and Settings\All Users\Application Data\avg7
2008-02-28 22:00 . 2008-02-28 22:00 499,712 --a------ D:\WINDOWS\system32\msvcp71.dll
2008-02-28 22:00 . 2008-02-28 22:00 348,160 --a------ D:\WINDOWS\system32\msvcr71.dll
2008-02-28 15:39 . 2008-02-28 15:39 d-------- D:\Documents and Settings\Iskah\Application Data\PlayFirst
2008-02-28 15:21 . 2008-02-28 15:21 d-------- D:\Program Files\ReflexiveArcade
2008-02-28 15:21 . 2008-02-28 20:52 d-------- D:\Program Files\Diner Dash

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 02:41 --------- d-----w D:\Program Files\Steam
2008-03-04 00:43 --------- d-----w D:\Program Files\iTunes
2008-02-28 03:57 --------- d-----w D:\Documents and Settings\Iskah\Application Data\OpenOffice.org2
2008-02-28 01:48 --------- d-----w D:\Program Files\Starcraft
2008-02-17 21:26 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-29 04:44 --------- d-----w D:\Program Files\Disaffected
2008-01-25 01:11 --------- d-----w D:\Program Files\Warcraft III
2008-01-24 01:56 --------- d-----w D:\Program Files\World of Warcraft
2008-01-10 01:51 --------- d-----w D:\Program Files\SpeedFan
2007-12-07 00:44 666,112 ----a-w D:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="D:\Program Files\AIM6\aim6.exe" [2007-04-27 15:17 50736]
"Yahoo! Pager"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 12:49 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-12-19 00:53 53248 D:\WINDOWS\system32\VTTimer.exe]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 D:\WINDOWS\system32\P17.dll]
"Picasa Media Detector"="D:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-12-11 18:36 366400]
"Google Desktop Search"="D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-01-03 14:46 227328]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43 83608]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 00:07 81920]
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-28 22:02 579072]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="D:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-28 22:00 219136]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 02:22:40 757760]
Kodak software updater.lnk - D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Picture Package Menu.lnk - D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2006-12-20 21:44:00 151552]
Picture Package VCD Maker.lnk - D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2006-12-20 21:43:53 106496]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"D:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"D:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE"=
"D:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\counter-strike\\hl.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\day of defeat\\hl.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\half-life\\hl.exe"=
"D:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"D:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"D:\\Program Files\\World of Warcraft\\Repair.exe"=
"D:\\Program Files\\Starcraft\\StarCraft.exe"=
"D:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"=
"D:\\Program Files\\AIM6\\aim6.exe"=
"D:\\Program Files\\Steam\\steam.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\half-life 2 deathmatch\\hl2.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\counter-strike source\\hl2.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\team fortress 2\\hl2.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\day of defeat source\\hl2.exe"=
"D:\\Program Files\\Steam\\steamapps\\lemmiewinks289\\source sdk base\\hl2.exe"=
"D:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"D:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"D:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"D:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"D:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 18:46:01 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 20:47:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-05 20:52:18
ComboFix-quarantined-files.txt 2008-03-06 02:52:17
ComboFix2.txt 2008-03-05 03:07:39
ComboFix3.txt 2008-03-04 01:49:12
.
2008-03-02 08:56:46 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:08:25 PM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\VTTimer.exe
D:\WINDOWS\system32\Rundll32.exe
D:\Program Files\Picasa2\PicasaMediaDetector.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\QuickTime\QTTask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\AIM6\aim6.exe
D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
D:\Program Files\AIM6\aolsoftware.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Iskah\Desktop\Anti Spyware and Anti Virus\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Google Desktop Search] "D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Aim6] "D:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Picture Package Menu.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8012 bytes
 

Administrator · 123,536 Posts
Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • In the Processes group click ALL
  • In the Win32 Services group click ALL
  • In the Driver Services group click ALL
  • In the Registry group click ALL
  • In the Files Created Within group click 60 days. Make sure Non-Microsoft only is UNCHECKED.
  • In the Files Modified Within group select 30 days. Make sure Non-Microsoft only is UNCHECKED.
  • In the File String Search group click SELECT ALL.
  • In the Additional Scans section please press SELECT ALL and make sure Non-Microsoft only is UNCHECKED.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
Please upload the resulting log here as an attachment. To do that, open a reply dialogue box and click on "manage attachments" then click on "browse" to locate the file on your computer, open it, click on "upload" to upload it and then submit your reply.
 

Administrator · 123,536 Posts
Disconnect from the Internet and disable your anti-virus and firewall programs. Be sure to remember to re-start them before going on-line again.

Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program. Copy and paste the information in the box below into the pane where it says "Paste fix here" and then click the Run Fix button. The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

Post the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log) back here along with a new HijackThis log please.

Code:
[Kill Explorer]
[Unregister Dlls]
[Registry - All]
*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
YN -> wowfx.dll -> wowfx.dll
[Registry - Additional Scans - All]
< BotCheck > -> 
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\D:\Documents and Settings\Iskah\Application Data\printer.exe -> D:\Documents and Settings\Iskah\Application Data\printer.exe:*:Enabled:@xpsp2res.dll,-22019
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\D:\WINDOWS\system32\printer.exe -> D:\WINDOWS\system32\printer.exe:*:Enabled:@xpsp2res.dll,-22019
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\D:\WINDOWS\system32\spoolvs.exe -> D:\WINDOWS\system32\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\D:\WINDOWS\shell.exe -> D:\WINDOWS\shell.exe:*:Enabled:@xpsp2res.dll,-22019
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\D:\Documents and Settings\Iskah\Start Menu\Programs\Startup\findfast.exe -> D:\Documents and Settings\Iskah\Start Menu\Programs\Startup\findfast.exe:*:Enabled:@xpsp2res.dll,-22019
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\D:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe -> D:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe:*:Enabled:@xpsp2res.dll,-22019
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\winav.exe -> %windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\D:\Documents and Settings\Iskah\Application Data\sysdefender.exe -> D:\Documents and Settings\Iskah\Application Data\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019
< Security Settings > -> 
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\D:\WINDOWS\system32\printer.exe -> D:\WINDOWS\system32\printer.exe:*:Enabled:@xpsp2res.dll,-22019
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\D:\WINDOWS\system32\spoolvs.exe -> D:\WINDOWS\system32\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\D:\WINDOWS\shell.exe -> D:\WINDOWS\shell.exe:*:Enabled:@xpsp2res.dll,-22019
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\D:\Documents and Settings\Iskah\Start Menu\Programs\Startup\findfast.exe -> D:\Documents and Settings\Iskah\Start Menu\Programs\Startup\findfast.exe:*:Enabled:@xpsp2res.dll,-22019
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\D:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe -> D:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe:*:Enabled:@xpsp2res.dll,-22019
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\winav.exe -> %windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\D:\Documents and Settings\Iskah\Application Data\sysdefender.exe -> D:\Documents and Settings\Iskah\Application Data\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019
[Files/Folders - Created Within 60 days]
NY -> popcinfot.dat -> %SystemRoot%\popcinfot.dat
[File String Scan - All]
NY -> USERTRUST , -> %System32%\SpoonUninstall.exe
[Empty Temp Folders]
[Start Explorer]
[Reboot]
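The fix above works by deleting Windows Firewall "authorized application" entries that point at executables in odd places (a user's Application Data folder, the Startup folders) or that carry a near-miss name of a core Windows process (spoolvs.exe next to the real spoolsv.exe). The script below is an added example of how a defender can audit that registry list for the same two patterns before deciding what to remove; it is not part of this thread and not WinPFind3U's own code. The sample values are constructed in the `<path>:<scope>:<state>:<name>` format the fix script shows, and the two heuristics (profile/Startup folder path, lookalike name within one edit of a baseline process name) are assumptions chosen for illustration, so an entry that matches neither is not thereby clean.

```python
"""Audit Windows Firewall (XP SP2) AuthorizedApplications entries for anomalies.

Added example for this thread; not part of the original posts or of WinPFind3U.
Sample values are constructed in the "<path>:<scope>:<state>:<name>" format the
fix script above shows; the heuristics are assumptions, not a vendor rule set.
"""
from dataclasses import dataclass

# Constructed sample of values as they would sit under
# HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
#   \DomainProfile\AuthorizedApplications\List   (constructed, not a real export)
SAMPLE_VALUES = [
    r"D:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes",
    r"D:\Documents and Settings\Iskah\Application Data\printer.exe:*:Enabled:@xpsp2res.dll,-22019",
    r"D:\WINDOWS\system32\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019",
    r"D:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe:*:Enabled:@xpsp2res.dll,-22019",
    r"D:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
]

# Folders a legitimate firewall exception rarely points into (lower-case substrings).
PROFILE_MARKERS = (
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
    "\\start menu\\programs\\startup\\",
)

# Small baseline of core Windows process names (without .exe) for lookalike checks.
SYSTEM_STEMS = ("smss", "csrss", "winlogon", "services", "lsass", "svchost", "spoolsv", "explorer")


@dataclass
class Entry:
    path: str
    scope: str
    state: str
    name: str


def parse_entry(value: str) -> Entry:
    """Split "<path>:<scope>:<state>:<name>"; the path holds a drive colon, so split from the right."""
    path, scope, state, name = value.rsplit(":", 3)
    return Entry(path, scope, state, name)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions (spoolvs ~ spoolsv = 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(filename: str):
    """Return the baseline binary a file name imitates (within one edit), or None."""
    stem = filename.lower().rsplit(".", 1)[0]
    if stem in SYSTEM_STEMS:
        return None  # the genuine name, not a lookalike
    best = min(SYSTEM_STEMS, key=lambda s: osa_distance(stem, s))
    return best + ".exe" if osa_distance(stem, best) <= 1 else None


def suspicious_reasons(entry: Entry) -> list:
    """Apply the two heuristics to one entry and return the reasons that fired."""
    reasons = []
    low = entry.path.lower()
    if any(marker in low for marker in PROFILE_MARKERS):
        reasons.append("path in a profile, temp or Startup folder")
    filename = entry.path.replace("/", "\\").rsplit("\\", 1)[-1]
    target = lookalike_of(filename)
    if target:
        reasons.append(f"name resembles system binary {target}")
    return reasons


def audit(values) -> dict:
    """Return {path: [reasons]} for every entry that triggers at least one heuristic."""
    flagged = {}
    for value in values:
        entry = parse_entry(value)
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry.path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_VALUES).items():
        print(f"{path}\n    {'; '.join(reasons)}")
```

On a live XP machine the same values can be read with the standard-library `winreg` module from the DomainProfile and StandardProfile `AuthorizedApplications\List` keys and passed to `audit()` unchanged; the point of keeping the heuristics in `suspicious_reasons()` is that a reviewer can see exactly why an entry was flagged before it is removed, which a bulk fix script does not show.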
 