Help needed!!!!
-
Hi guys, I am in desperate need of some guidance, having BIG problems with pop-ups etc. I've tried all the usual fixes but nothing is doing the trick.
The HijackThis log looks as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:29:39, on 08/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Google
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {72C76A27-7A32-41D3-A582-BB9861691326} - C:\WINDOWS\system32\awtsSIaB.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: BT Yahoo! Services - -{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1207848091879
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1207848084441
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/...ws-i586-jc.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Unknown owner - C:\Program Files\Spyware Terminator\sp_rsser.exe (file missing)
--
End of file - 8303 bytes
Any help appreciated
cheers
-
Welcome
Did you run a scan with the SUPERAntiSpyware program you have? Very good program there.
Don't see a cause for popups in your log.
What do the popups read?
Open Hijackthis.
Click the "Open the Misc Tools section" button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Did you set these restrictions yourself:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Visit the page below to familiarize yourself with the tool:
A guide and tutorial on using ComboFix
If you have previously downloaded ComboFix, please delete that version now.
Now download ComboFix and save to your desktop:
Note:
It is IMPORTANT that it is saved directly to your desktop
Close any open browsers.
Disconnect from the Internet.
Please do not re-connect your machine back to the Internet until Combofix has completely finished.
Disable your antivirus program and any realtime malware scanners and script blockers now.
How To Disable
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Re-enable your anti-virus and re-connect back to the internet and post the combofix log.
*Note*
In case your antivirus or any other realtime scanner displays an alert after you download ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.
ComboFix SHOULD NOT be used unless requested by a forum helper.
A new HijackThis log, the ComboFix log and the uninstall list are what I need, thanks.
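The reply above reads the log section by section, querying the O6 policy lines and anything marked "(file missing)". As an added example that is not part of the thread or of HijackThis itself, here is a small Python triage script for such entry lines; the sample lines are copied from the poster's first log, while the function names and the `Finding` record are our own.

```python
"""Triage helper for HijackThis v2 log entries (added example; not the thread's
or HijackThis's own code).

It parses the "Rn - ..." / "Onn - ..." entry lines of a saved log and flags what
a helper reads first: O6 policy restrictions (which the reply above asks the
poster to confirm), BHOs/hooks/services whose target file is no longer on disk,
and unnamed BHOs. Sample lines are copied from the poster's first log; the
function names and the Finding record are ours.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample: header, one process line and eight entry lines lifted
# from the first log in this thread. Header/process lines must be ignored.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {72C76A27-7A32-41D3-A582-BB9861691326} - C:\WINDOWS\system32\awtsSIaB.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Unknown owner - C:\Program Files\Spyware Terminator\sp_rsser.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every entry line starts with its section tag: R0-R3 or O1-O24.
ENTRY_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
# O2 body: "BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
BHO_RE = re.compile(
    r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.+?)(?: \((?P<flag>file missing)\))?$"
)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def iter_entries(log_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, body, full_line) for each entry line; the header and the
    'Running processes' list carry no section tag and are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("sec"), m.group("body"), line


def parse_bho(body: str) -> Optional[Tuple[str, str, str, bool]]:
    """Split an O2 body into (name, clsid, path, file_missing); None if malformed."""
    m = BHO_RE.match(body)
    if not m:
        return None
    return (m.group("name"), m.group("clsid").upper(), m.group("path"),
            m.group("flag") is not None)


def triage(log_text: str) -> List[Finding]:
    """Return, in log order, the entries a helper would query first."""
    findings: List[Finding] = []
    for sec, body, line in iter_entries(log_text):
        if sec == "O6":
            findings.append(Finding(
                sec, "IE policy restriction present; confirm it was set deliberately", line))
        elif sec == "O2":
            parsed = parse_bho(body)
            if parsed is None:
                findings.append(Finding(sec, "BHO entry did not parse; inspect by hand", line))
            elif parsed[3] and parsed[0] == "(no name)":
                findings.append(Finding(
                    sec, "unnamed BHO whose DLL is no longer on disk", line))
            elif parsed[3]:
                findings.append(Finding(sec, "BHO registered for a missing DLL", line))
        elif "(file missing)" in body or "(no file)" in body:
            findings.append(Finding(
                sec, "entry points at a file that is no longer on disk", line))
    return findings


def by_section(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per section tag, e.g. {'O6': 2, ...}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
```

Running it against a full saved log prints the five entries from the sample a helper would ask about, with the rest of the Run keys and services left out of the way.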
-
Well, thanks to SUPERAntiSpyware I seem to be alright now... hope so anyway!!!
But here are the reports you asked for, just to be on the safe side.
New HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:08:54, on 12/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Customize Your Settings
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: BT Yahoo! Services - -{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1207848091879
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1207848084441
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7353 bytes
HijackThis uninstall list:
Ad-Aware 2007
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
Advanced System Optimizer 2.01.4
Adventure Inlay
Adventure Inlay Safari Edition
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal – Free Antivirus
Big Fish Games Client
BitComet 1.02
Bonjour
BT Broadband Desktop Help
BT Home Hub
CCleaner (remove only)
CLUE Classic
ConvertXtoDVD 3.1.1.32
Crystal Path
Eye for Design
Fresco Wizard
GD WinTools.net 8.7.0 Home
HijackThis 2.0.2
Home Sweet Home
Hotfix for Windows Internet Explorer 7 (KB947864)
Inspector Parker
Intel(R) 536EP Modem
iTunes
Java(TM) 6 Update 5
Java(TM) 6 Update 7
K-Lite Mega Codec Pack 3.9.5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Monopoly by Parker Brothers
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
NVIDIA Drivers
PC Health Optimizer 2.5
Pretty Good Solitaire version 12.0.0
QuickTime
Real Estate Empire
Realtek AC'97 Audio
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Shareaza 2.3.1.0
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
System Requirements Lab
Update for Windows XP (KB951978)
User Profile Hive Cleanup Service
VIA Platform Device Manager
VIA Rhine-Family Fast-Ethernet Adapter
Windows Communication Foundation
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 3
WinRAR
Wise Registry Cleaner 3 Free 3.52
Zuma Deluxe RA
ComboFix log:
ComboFix 08-07-10.1 - tracy 2008-07-12 17:46:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.99 [GMT 1:00]
Running from: C:\Documents and Settings\tracy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\tracy\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\hiQsvyxx.ini
C:\WINDOWS\system32\hiQsvyxx.ini2
C:\WINDOWS\system32\oeminfo.ini
.
((((((((((((((((((((((((( Files Created from 2008-06-12 to 2008-07-12 )))))))))))))))))))))))))))))))
.
2008-07-12 02:15 . 2008-07-12 02:15 <DIR> d-------- C:\Documents and Settings\tracy\Application Data\DivX
2008-07-11 23:50 . 2008-07-11 23:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-11 18:27 . 2008-07-11 18:27 <DIR> d-------- C:\Program Files\iTunes
2008-07-11 18:27 . 2008-07-11 18:27 <DIR> d-------- C:\Program Files\iPod
2008-07-11 18:23 . 2008-07-11 18:24 <DIR> d-------- C:\Program Files\QuickTime
2008-07-10 22:01 . 2008-07-11 00:37 <DIR> d-------- C:\Program Files\RegToy
2008-07-10 00:45 . 2008-07-10 00:45 <DIR> d-------- C:\Program Files\Real E$tate Empire
2008-07-09 23:58 . 2008-07-10 01:32 <DIR> d-------- C:\Program Files\Soda Pipes
2008-07-09 23:47 . 2008-07-10 01:25 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-07-09 23:45 . 2008-07-09 23:45 <DIR> d-------- C:\Program Files\iolo
2008-07-09 23:45 . 2008-07-09 23:45 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-07-09 23:45 . 2008-06-19 17:15 918,368 --a------ C:\WINDOWS\system32\Incinerator.dll
2008-07-09 23:45 . 2008-06-16 19:21 29,696 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-07-09 23:45 . 2008-06-06 16:55 8,704 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-07-09 23:42 . 2008-07-09 23:42 74,703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-07-09 22:51 . 2008-07-09 23:47 <DIR> d-------- C:\Documents and Settings\tracy\Application Data\iolo
2008-07-09 22:51 . 2008-07-09 23:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-07-09 18:50 . 2008-07-09 19:45 <DIR> d-------- C:\UBCD4Win
2008-07-09 00:13 . 2008-07-11 22:39 <DIR> d-------- C:\Documents and Settings\tracy\Application Data\TweakNow WinSecret
2008-07-08 22:59 . 2008-07-10 00:29 <DIR> d-------- C:\Program Files\Real Estate Empire
2008-07-08 22:27 . 2008-07-08 22:27 <DIR> d-------- C:\Documents and Settings\tracy\Application Data\Home Sweet Home
2008-07-08 22:16 . 2008-07-08 22:19 <DIR> d-------- C:\Program Files\Home Sweet Home
2008-07-08 22:02 . 2008-07-08 22:02 92,728 --a------ C:\WINDOWS\system32\Bass.dll
2008-07-08 02:46 . 2008-07-08 02:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-08 02:37 . 2008-07-10 19:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-08 02:36 . 2008-07-08 02:37 <DIR> d-------- C:\Documents and Settings\tracy\Application Data\SUPERAntiSpyware.com
2008-07-08 01:06 . 2008-07-08 01:06 95 --a------ C:\WINDOWS\wininit.ini
2008-07-07 19:34 . 2008-07-07 19:34 <DIR> d-------- C:\Program Files\Avira
2008-07-07 19:34 . 2008-07-07 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-07 18:53 . 2008-07-07 19:29 110,428 --a------ C:\WINDOWS\BMb7e622e2.xml
2008-07-05 12:28 . 2008-07-05 12:28 0 --a------ C:\WINDOWS\hlistHMFAxCore55688327e8f59cf41f6f99d9c88a251d
2008-07-03 00:06 . 2008-07-03 00:06 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-07-02 02:20 . 2008-07-02 02:20 <DIR> d-------- C:\Program Files\Godlike Developers
2008-07-02 02:20 . 2008-07-02 02:20 <DIR> d-------- C:\Documents and Settings\tracy\Application Data\Godlike
2008-06-22 03:15 . 2008-06-22 03:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
2008-06-21 04:42 . 2008-06-21 04:42 <DIR> d-------- C:\Documents and Settings\tracy\Application Data\SeriousBit
2008-06-20 23:27 . 2008-06-20 23:27 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-06-20 23:13 . 2008-06-21 04:46 <DIR> d-------- C:\Program Files\EnhanceMyXP
2008-06-20 18:46 . 2008-06-20 18:46 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 18:46 . 2008-06-20 18:46 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 12:40 . 2008-06-20 12:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 12:08 . 2008-06-20 12:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-15 21:07 . 2008-06-15 21:07 <DIR> d-------- C:\Program Files\Tower Bloxx Deluxe
2008-06-15 20:55 . 2008-06-15 20:55 <DIR> d-------- C:\WINDOWS\Tower Bloxx Deluxe
2008-06-13 15:16 . 2008-06-13 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DigitalChocolate
2008-06-12 23:15 . 2008-07-02 02:35 <DIR> d-------- C:\Program Files\Pipeline
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 01:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-12 00:50 0 ----a-w C:\Program Files\temp01
2008-07-11 22:49 --------- d-----w C:\Documents and Settings\tracy\Application Data\Apple Computer
2008-07-10 21:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-10 18:10 --------- d-----w C:\Program Files\PC Health Optimizer2.5
2008-07-10 18:10 --------- d-----w C:\Program Files\Advanced System Optimizer
2008-07-10 00:18 361,600 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-07-10 00:18 361,600 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-07-09 18:47 --------- d-----w C:\Program Files\Ashampoo
2008-07-09 00:42 --------- d-----w C:\Documents and Settings\tracy\Application Data\Ashampoo
2008-07-08 23:52 --------- d-----w C:\Program Files\Java
2008-07-08 01:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-07 17:48 --------- d-----w C:\Documents and Settings\tracy\Application Data\Vso
2008-07-07 06:29 --------- d-----w C:\Program Files\BitComet
2008-07-05 22:43 --------- d-----w C:\Program Files\TuneXP
2008-07-05 22:36 --------- d-----w C:\Program Files\Natalie Brooks Secrets Of Treasure House
2008-07-04 22:51 --------- d-----w C:\Documents and Settings\tracy\Application Data\RetinaX
2008-07-02 01:20 --------- d-----w C:\Program Files\Wise Registry Cleaner 3
2008-06-30 00:35 --------- d-----w C:\Program Files\GameHouse
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 02:17 --------- d-----w C:\Documents and Settings\tracy\Application Data\GameHouse
2008-06-12 23:54 --------- d-----w C:\Program Files\bfgclient
2008-06-11 01:39 --------- d-----w C:\Documents and Settings\tracy\Application Data\Smart PC Solutions
2008-06-10 21:29 --------- d-----w C:\Program Files\BT Broadband Desktop Help
2008-06-08 14:48 --------- d-----w C:\Documents and Settings\tracy\Application Data\UpdateStar
2008-06-08 14:41 --------- d-----w C:\Program Files\Death On The Nile
2008-06-08 00:45 --------- d-----w C:\Documents and Settings\tracy\Application Data\PlayFirst
2008-06-08 00:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-06-06 17:56 --------- d-----w C:\Program Files\Adventure Inlay Safari Edition
2008-06-05 00:00 --------- d-----w C:\Program Files\Realtek AC97
2008-06-04 18:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-04 18:25 --------- d-----w C:\Program Files\Razer
2008-06-04 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-06-03 03:20 --------- d-----w C:\Program Files\CLUE Classic
2008-06-02 22:22 65,536 ----a-w C:\WINDOWS\NCLAUNCH.EXe
2008-06-02 22:22 45,056 ----a-w C:\WINDOWS\NCUNINST.EXe
2008-06-01 03:38 --------- d-----w C:\Program Files\Shareaza
2008-05-31 15:08 --------- d-----w C:\Program Files\Windows Live
2008-05-31 02:29 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-05-31 02:15 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-31 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-30 23:42 --------- d-----w C:\Program Files\Fresco Wizard2
2008-05-30 23:23 --------- d-----w C:\Program Files\VIA
2008-05-30 20:52 22,304 ----a-w C:\WINDOWS\system32\drivers\HMFAxCore55688327e8f59cf41f6f99d9c88a251d.sys
2008-05-20 16:03 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-17 22:15 --------- d-----w C:\Program Files\Crystal Path
2008-05-17 22:06 --------- d-----w C:\Program Files\Yahoo!
2008-05-17 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\iWin Games
2008-05-17 00:28 --------- d-----w C:\Documents and Settings\tracy\Application Data\Incredible Ink
2008-05-13 22:18 --------- d-----w C:\Program Files\Mystery of Shark Island
2008-05-13 19:45 --------- d-----w C:\Program Files\Oberon Media
2008-05-13 19:10 --------- d-----w C:\Documents and Settings\tracy\Application Data\GamesCafe
2008-05-13 13:39 --------- d-----w C:\Program Files\ToGo Game
2008-05-13 13:32 --------- d-----w C:\Program Files\Lavasoft
2008-05-13 13:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-12 10:10 --------- d-----w C:\Program Files\Apple Software Update
2008-05-09 17:09 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2008-05-06 19:35 4 ----a-w C:\WINDOWSRegDefrag.dat
2008-05-06 19:05 24 ----a-w C:\Documents and Settings\tracy\mylist.dat
2008-05-04 19:54 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-05-03 20:07 2,423 ----a-w C:\WINDOWS\NewRecorder.reg
2008-05-03 20:07 1,867,373 ----a-w C:\WINDOWS\Recorder.reg
2008-04-25 07:00 12,291,535 ------w C:\avg7qt.dat
2008-04-18 20:19 87,608 ----a-w C:\Documents and Settings\tracy\Application Data\inst.exe
2008-04-18 20:19 47,360 ----a-w C:\Documents and Settings\tracy\Application Data\pcouffin.sys
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
.
------- Sigcheck -------
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 12:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-10 22:26 360064 3f89432724dc5d72689e16f3354bccfc C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2008-05-12 17:41 361344 22a389083780c053b52519af28201a96 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-06-20 12:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp3gdr\tcpip.sys
2008-06-20 12:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp3qfe\tcpip.sys
2008-07-10 01:18 361600 cd00787894008369f56153b91fc28847 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-07-10 01:18 361600 cd00787894008369f56153b91fc28847 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]
"InstantTray"="C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe" [2004-09-02 10:37 770048]
"IW_Drop_Icon"="C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2004-07-30 15:10 1123840]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 00:13 1591808]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-11-10 16:06 406016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 09:31 67584 C:\WINDOWS\SOUNDMAN.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoThemesTab"= 0 (0x0)
"NoSecCpl"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoFileAssociate"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"MaxRecentDocs"= 15 (0xf)
"NoRecentDocsNetHood"= 1 (0x1)
"NoUserFolderInStartMenu"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
"NoStartMenuPinnedList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.YV12"= yv12vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionTrackerPro.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^tracy^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
backup=C:\WINDOWS\pss\iWin Desktop Alerts.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YPCService"=3 (0x3)
"ANIWZCSdService"=2 (0x2)
"aawservice"=2 (0x2)
"iWinGamesInstaller"=2 (0x2)
"sp_rssrv"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:BitComet 6881 TCP
"6881:UDP"= 6881:UDP:BitComet 6881 UDP
"10141:TCP"= 10141:TCP:BitComet 10141 TCP(ED2K)
"10141:UDP"= 10141:UDP:BitComet 10141 UDP(ED2K)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-09-21 17:49]
R0 VOBID;VOBID;C:\WINDOWS\system32\DRIVERS\vobid.sys [2003-08-01 14:47]
R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys [2004-07-06 17:06]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-06-19 16:59]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-06-19 16:59]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2008-04-14 01:12]
R3 cdrdrv;Cdrdrv;C:\WINDOWS\system32\Drivers\Cdrdrv.sys [2004-08-03 11:10]
S1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
"2008-07-11 07:34:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-12 16:52:45 C:\WINDOWS\Tasks\SpeedOptimizer Startup.job"
- c:\progra~1\speedoptimizer\SPO.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 17:53:01
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-12 17:59:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-12 16:58:53
Pre-Run: 26,433,654,784 bytes free
Post-Run: 26,478,882,816 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
301 --- E O F --- 2008-07-09 17:46:22
Just wanted to add: thank you. I think you all do a great job helping out the likes of myself who are in need of guidance. Keep up the great work.
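The Sigcheck block in the ComboFix log above lists nine copies of tcpip.sys with their MD5 hashes. The copy the kernel actually loads, C:\WINDOWS\system32\drivers\TCPIP.SYS, hashes to cd00787894008369f56153b91fc28847, which matches the dllcache copy but none of the copies Windows itself laid down under $hf_mig$, $NtUninstall*, ServicePackFiles or SoftwareDistribution, even though its size (361600) is identical to the KB951748 builds. The Python script below is an added example for this page, not something the poster ran and not part of ComboFix or HijackThis: it parses a Sigcheck block and makes that comparison automatically. It treats a live driver that matches only dllcache as "unverified" rather than as proof of tampering, because on Windows XP anything that replaces a Windows File Protection-protected file also has to replace the dllcache copy (or WFP restores the original), so agreement between those two files says nothing on its own. The folder-classification rules, status names and the assumption that the hotfix and service-pack folders are themselves untouched are mine; with access to the machine, checking the Authenticode signature of the live driver is the definitive test.

```python
import re
from collections import defaultdict

# Sigcheck lines copied from the ComboFix log in this thread (page data, not
# constructed). Each line reads: date time size md5 path
SIGCHECK = r"""
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 12:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-10 22:26 360064 3f89432724dc5d72689e16f3354bccfc C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2008-05-12 17:41 361344 22a389083780c053b52519af28201a96 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-06-20 12:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp3gdr\tcpip.sys
2008-06-20 12:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp3qfe\tcpip.sys
2008-07-10 01:18 361600 cd00787894008369f56153b91fc28847 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-07-10 01:18 361600 cd00787894008369f56153b91fc28847 C:\WINDOWS\system32\drivers\TCPIP.SYS
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\d+)\s+([0-9a-fA-F]{32})\s+(.+?)\s*$")

# Folders whose copies were laid down by Microsoft's own installers (hotfix
# migration, uninstall backups, service-pack payload, Windows Update download
# cache). These classification rules are my assumption, not ComboFix's.
REFERENCE_DIRS = (
    "\\$hf_mig$\\",
    "\\$ntuninstall",               # $NtUninstallKBnnnnnn$
    "\\$ntservicepackuninstall$\\",
    "\\servicepackfiles\\",
    "\\softwaredistribution\\",
)


def classify(path):
    """Role of one copy: the loaded driver, the WFP cache, a Microsoft-laid reference, or other."""
    p = path.lower()
    if "\\system32\\drivers\\" in p:
        return "live"
    if "\\system32\\dllcache\\" in p:
        return "dllcache"
    if any(d in p for d in REFERENCE_DIRS):
        return "reference"
    return "other"


def parse_sigcheck(text):
    """Parse 'date time size md5 path' lines; anything that does not match is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, size, md5, path = m.groups()
        entries.append({"stamp": stamp, "size": int(size), "md5": md5.lower(),
                        "path": path, "role": classify(path)})
    return entries


def triage(text, filename="tcpip.sys"):
    """Compare the live copy of `filename` against every other copy by hash, not by size or date."""
    entries = [e for e in parse_sigcheck(text) if e["path"].lower().endswith("\\" + filename.lower())]
    by_hash = defaultdict(list)
    for e in entries:
        by_hash[e["md5"]].append(e["path"])
    live = [e for e in entries if e["role"] == "live"]
    if not live:
        raise ValueError("no live copy under system32\\drivers in the Sigcheck block")
    live = live[0]
    reference = {e["md5"] for e in entries if e["role"] == "reference"}
    dllcache = {e["md5"] for e in entries if e["role"] == "dllcache"}
    # Size is not a discriminator: a patched file can keep its exact length.
    same_size = [e["path"] for e in entries if e["role"] == "reference" and e["size"] == live["size"]]
    if live["md5"] in reference:
        status = "known-good"
        note = "live driver matches a Microsoft-distributed copy: " + next(
            p for p in by_hash[live["md5"]] if classify(p) == "reference")
    elif live["md5"] in dllcache:
        status = "unverified"
        note = ("live driver matches only the dllcache copy; WFP restores protected files from "
                "dllcache, so whatever replaced the driver had to replace dllcache too. "
                "Verify the Authenticode signature of the live file.")
    else:
        status = "mismatch"
        note = ("live driver matches no other copy on the system, not even dllcache, so it did not "
                "come from the WFP cache either. Verify its signature.")
    return {"live_path": live["path"], "live_hash": live["md5"], "live_size": live["size"],
            "reference_hashes": reference, "dllcache_hash": next(iter(dllcache), None),
            "same_size_reference": same_size, "status": status, "note": note,
            "by_hash": dict(by_hash)}


def report(text, filename="tcpip.sys"):
    """Human-readable summary: verdict first, then every copy grouped by hash."""
    r = triage(text, filename)
    lines = [f"{filename}: live copy {r['live_path']} md5={r['live_hash']} -> {r['status']}",
             "  " + r["note"],
             f"  {len(r['same_size_reference'])} reference copies share the live size {r['live_size']}"]
    for md5, paths in sorted(r["by_hash"].items()):
        lines.append(f"  {md5}  x{len(paths)}")
        lines.extend("      " + p for p in paths)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SIGCHECK))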
-
Well, thanks to SUPERAntiSpyware I seem to be alright now... hope so anyway!!!
But here are the reports you asked for, just to be on the safe side.
New hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:08:54, on 12/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Customize Your Settings
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: BT Yahoo! Services - -{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1207848091879
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1207848084441
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7353 bytes
Hijack uninstall:
Ad-Aware 2007
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
Advanced System Optimizer 2.01.4
Adventure Inlay
Adventure Inlay Safari Edition
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal – Free Antivirus
Big Fish Games Client
BitComet 1.02
Bonjour
BT Broadband Desktop Help
BT Home Hub
CCleaner (remove only)
CLUE Classic
ConvertXtoDVD 3.1.1.32
Crystal Path
Eye for Design
Fresco Wizard
GD WinTools.net 8.7.0 Home
HijackThis 2.0.2
Home Sweet Home
Hotfix for Windows Internet Explorer 7 (KB947864)
Inspector Parker
Intel(R) 536EP Modem
iTunes
Java(TM) 6 Update 5
Java(TM) 6 Update 7
K-Lite Mega Codec Pack 3.9.5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Monopoly by Parker Brothers
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
NVIDIA Drivers
PC Health Optimizer 2.5
Pretty Good Solitaire version 12.0.0
QuickTime
Real Estate Empire
Realtek AC'97 Audio
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Shareaza 2.3.1.0
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
System Requirements Lab
Update for Windows XP (KB951978)
User Profile Hive Cleanup Service
VIA Platform Device Manager
VIA Rhine-Family Fast-Ethernet Adapter
Windows Communication Foundation
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 3
WinRAR
Wise Registry Cleaner 3 Free 3.52
Zuma Deluxe RA
Combofix log:
ComboFix 08-07-10.1 - tracy 2008-07-12 17:46:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.99 [GMT 1:00]
Running from: C:\Documents and Settings\tracy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\tracy\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\hiQsvyxx.ini
C:\WINDOWS\system32\hiQsvyxx.ini2
C:\WINDOWS\system32\oeminfo.ini
.
((((((((((((((((((((((((( Files Created from 2008-06-12 to 2008-07-12 )))))))))))))))))))))))))))))))
.
2008-07-12 02:15 . 2008-07-12 02:15 <DIR> d-------- C:\Documents and Settings\tracy\Application Data\DivX
2008-07-11 23:50 . 2008-07-11 23:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-11 18:27 . 2008-07-11 18:27 <DIR> d-------- C:\Program Files\iTunes
2008-07-11 18:27 . 2008-07-11 18:27 <DIR> d-------- C:\Program Files\iPod
2008-07-11 18:23 . 2008-07-11 18:24 <DIR> d-------- C:\Program Files\QuickTime
2008-07-10 22:01 . 2008-07-11 00:37 <DIR> d-------- C:\Program Files\RegToy
2008-07-10 00:45 . 2008-07-10 00:45 <DIR> d-------- C:\Program Files\Real E$tate Empire
2008-07-09 23:58 . 2008-07-10 01:32 <DIR> d-------- C:\Program Files\Soda Pipes
2008-07-09 23:47 . 2008-07-10 01:25 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-07-09 23:45 . 2008-07-09 23:45 <DIR> d-------- C:\Program Files\iolo
2008-07-09 23:45 . 2008-07-09 23:45 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-07-09 23:45 . 2008-06-19 17:15 918,368 --a------ C:\WINDOWS\system32\Incinerator.dll
2008-07-09 23:45 . 2008-06-16 19:21 29,696 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-07-09 23:45 . 2008-06-06 16:55 8,704 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-07-09 23:42 . 2008-07-09 23:42 74,703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-07-09 22:51 . 2008-07-09 23:47 <DIR> d-------- C:\Documents and Settings\tracy\Application Data\iolo
2008-07-09 22:51 . 2008-07-09 23:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-07-09 18:50 . 2008-07-09 19:45 <DIR> d-------- C:\UBCD4Win
2008-07-09 00:13 . 2008-07-11 22:39 <DIR> d-------- C:\Documents and Settings\tracy\Application Data\TweakNow WinSecret
2008-07-08 22:59 . 2008-07-10 00:29 <DIR> d-------- C:\Program Files\Real Estate Empire
2008-07-08 22:27 . 2008-07-08 22:27 <DIR> d-------- C:\Documents and Settings\tracy\Application Data\Home Sweet Home
2008-07-08 22:16 . 2008-07-08 22:19 <DIR> d-------- C:\Program Files\Home Sweet Home
2008-07-08 22:02 . 2008-07-08 22:02 92,728 --a------ C:\WINDOWS\system32\Bass.dll
2008-07-08 02:46 . 2008-07-08 02:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-08 02:37 . 2008-07-10 19:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-08 02:36 . 2008-07-08 02:37 <DIR> d-------- C:\Documents and Settings\tracy\Application Data\SUPERAntiSpyware.com
2008-07-08 01:06 . 2008-07-08 01:06 95 --a------ C:\WINDOWS\wininit.ini
2008-07-07 19:34 . 2008-07-07 19:34 <DIR> d-------- C:\Program Files\Avira
2008-07-07 19:34 . 2008-07-07 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-07 18:53 . 2008-07-07 19:29 110,428 --a------ C:\WINDOWS\BMb7e622e2.xml
2008-07-05 12:28 . 2008-07-05 12:28 0 --a------ C:\WINDOWS\hlistHMFAxCore55688327e8f59cf41f6f99d9c88a251d
2008-07-03 00:06 . 2008-07-03 00:06 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-07-02 02:20 . 2008-07-02 02:20 <DIR> d-------- C:\Program Files\Godlike Developers
2008-07-02 02:20 . 2008-07-02 02:20 <DIR> d-------- C:\Documents and Settings\tracy\Application Data\Godlike
2008-06-22 03:15 . 2008-06-22 03:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
2008-06-21 04:42 . 2008-06-21 04:42 <DIR> d-------- C:\Documents and Settings\tracy\Application Data\SeriousBit
2008-06-20 23:27 . 2008-06-20 23:27 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-06-20 23:13 . 2008-06-21 04:46 <DIR> d-------- C:\Program Files\EnhanceMyXP
2008-06-20 18:46 . 2008-06-20 18:46 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 18:46 . 2008-06-20 18:46 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 12:40 . 2008-06-20 12:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 12:08 . 2008-06-20 12:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-15 21:07 . 2008-06-15 21:07 <DIR> d-------- C:\Program Files\Tower Bloxx Deluxe
2008-06-15 20:55 . 2008-06-15 20:55 <DIR> d-------- C:\WINDOWS\Tower Bloxx Deluxe
2008-06-13 15:16 . 2008-06-13 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DigitalChocolate
2008-06-12 23:15 . 2008-07-02 02:35 <DIR> d-------- C:\Program Files\Pipeline
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 01:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-12 00:50 0 ----a-w C:\Program Files\temp01
2008-07-11 22:49 --------- d-----w C:\Documents and Settings\tracy\Application Data\Apple Computer
2008-07-10 21:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-10 18:10 --------- d-----w C:\Program Files\PC Health Optimizer2.5
2008-07-10 18:10 --------- d-----w C:\Program Files\Advanced System Optimizer
2008-07-10 00:18 361,600 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-07-10 00:18 361,600 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-07-09 18:47 --------- d-----w C:\Program Files\Ashampoo
2008-07-09 00:42 --------- d-----w C:\Documents and Settings\tracy\Application Data\Ashampoo
2008-07-08 23:52 --------- d-----w C:\Program Files\Java
2008-07-08 01:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-07 17:48 --------- d-----w C:\Documents and Settings\tracy\Application Data\Vso
2008-07-07 06:29 --------- d-----w C:\Program Files\BitComet
2008-07-05 22:43 --------- d-----w C:\Program Files\TuneXP
2008-07-05 22:36 --------- d-----w C:\Program Files\Natalie Brooks Secrets Of Treasure House
2008-07-04 22:51 --------- d-----w C:\Documents and Settings\tracy\Application Data\RetinaX
2008-07-02 01:20 --------- d-----w C:\Program Files\Wise Registry Cleaner 3
2008-06-30 00:35 --------- d-----w C:\Program Files\GameHouse
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 02:17 --------- d-----w C:\Documents and Settings\tracy\Application Data\GameHouse
2008-06-12 23:54 --------- d-----w C:\Program Files\bfgclient
2008-06-11 01:39 --------- d-----w C:\Documents and Settings\tracy\Application Data\Smart PC Solutions
2008-06-10 21:29 --------- d-----w C:\Program Files\BT Broadband Desktop Help
2008-06-08 14:48 --------- d-----w C:\Documents and Settings\tracy\Application Data\UpdateStar
2008-06-08 14:41 --------- d-----w C:\Program Files\Death On The Nile
2008-06-08 00:45 --------- d-----w C:\Documents and Settings\tracy\Application Data\PlayFirst
2008-06-08 00:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-06-06 17:56 --------- d-----w C:\Program Files\Adventure Inlay Safari Edition
2008-06-05 00:00 --------- d-----w C:\Program Files\Realtek AC97
2008-06-04 18:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-04 18:25 --------- d-----w C:\Program Files\Razer
2008-06-04 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-06-03 03:20 --------- d-----w C:\Program Files\CLUE Classic
2008-06-02 22:22 65,536 ----a-w C:\WINDOWS\NCLAUNCH.EXe
2008-06-02 22:22 45,056 ----a-w C:\WINDOWS\NCUNINST.EXe
2008-06-01 03:38 --------- d-----w C:\Program Files\Shareaza
2008-05-31 15:08 --------- d-----w C:\Program Files\Windows Live
2008-05-31 02:29 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-05-31 02:15 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-31 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-30 23:42 --------- d-----w C:\Program Files\Fresco Wizard2
2008-05-30 23:23 --------- d-----w C:\Program Files\VIA
2008-05-30 20:52 22,304 ----a-w C:\WINDOWS\system32\drivers\HMFAxCore55688327e8f59cf41f6f99d9c88a251d.sys
2008-05-20 16:03 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-17 22:15 --------- d-----w C:\Program Files\Crystal Path
2008-05-17 22:06 --------- d-----w C:\Program Files\Yahoo!
2008-05-17 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\iWin Games
2008-05-17 00:28 --------- d-----w C:\Documents and Settings\tracy\Application Data\Incredible Ink
2008-05-13 22:18 --------- d-----w C:\Program Files\Mystery of Shark Island
2008-05-13 19:45 --------- d-----w C:\Program Files\Oberon Media
2008-05-13 19:10 --------- d-----w C:\Documents and Settings\tracy\Application Data\GamesCafe
2008-05-13 13:39 --------- d-----w C:\Program Files\ToGo Game
2008-05-13 13:32 --------- d-----w C:\Program Files\Lavasoft
2008-05-13 13:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-12 10:10 --------- d-----w C:\Program Files\Apple Software Update
2008-05-09 17:09 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2008-05-06 19:35 4 ----a-w C:\WINDOWSRegDefrag.dat
2008-05-06 19:05 24 ----a-w C:\Documents and Settings\tracy\mylist.dat
2008-05-04 19:54 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-05-03 20:07 2,423 ----a-w C:\WINDOWS\NewRecorder.reg
2008-05-03 20:07 1,867,373 ----a-w C:\WINDOWS\Recorder.reg
2008-04-25 07:00 12,291,535 ------w C:\avg7qt.dat
2008-04-18 20:19 87,608 ----a-w C:\Documents and Settings\tracy\Application Data\inst.exe
2008-04-18 20:19 47,360 ----a-w C:\Documents and Settings\tracy\Application Data\pcouffin.sys
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
.
------- Sigcheck -------
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 12:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-10 22:26 360064 3f89432724dc5d72689e16f3354bccfc C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2008-05-12 17:41 361344 22a389083780c053b52519af28201a96 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-06-20 12:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp3gdr\tcpip.sys
2008-06-20 12:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp3qfe\tcpip.sys
2008-07-10 01:18 361600 cd00787894008369f56153b91fc28847 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-07-10 01:18 361600 cd00787894008369f56153b91fc28847 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]
"InstantTray"="C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe" [2004-09-02 10:37 770048]
"IW_Drop_Icon"="C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2004-07-30 15:10 1123840]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 00:13 1591808]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-11-10 16:06 406016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 09:31 67584 C:\WINDOWS\SOUNDMAN.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoThemesTab"= 0 (0x0)
"NoSecCpl"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoFileAssociate"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"MaxRecentDocs"= 15 (0xf)
"NoRecentDocsNetHood"= 1 (0x1)
"NoUserFolderInStartMenu"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
"NoStartMenuPinnedList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.YV12"= yv12vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionTrackerPro.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^tracy^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
backup=C:\WINDOWS\pss\iWin Desktop Alerts.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YPCService"=3 (0x3)
"ANIWZCSdService"=2 (0x2)
"aawservice"=2 (0x2)
"iWinGamesInstaller"=2 (0x2)
"sp_rssrv"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:BitComet 6881 TCP
"6881:UDP"= 6881:UDP:BitComet 6881 UDP
"10141:TCP"= 10141:TCP:BitComet 10141 TCP(ED2K)
"10141:UDP"= 10141:UDP:BitComet 10141 UDP(ED2K)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-09-21 17:49]
R0 VOBID;VOBID;C:\WINDOWS\system32\DRIVERS\vobid.sys [2003-08-01 14:47]
R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys [2004-07-06 17:06]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-06-19 16:59]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-06-19 16:59]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2008-04-14 01:12]
R3 cdrdrv;Cdrdrv;C:\WINDOWS\system32\Drivers\Cdrdrv.sys [2004-08-03 11:10]
S1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
"2008-07-11 07:34:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-12 16:52:45 C:\WINDOWS\Tasks\SpeedOptimizer Startup.job"
- c:\progra~1\speedoptimizer\SPO.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 17:53:01
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-12 17:59:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-12 16:58:53
Pre-Run: 26,433,654,784 bytes free
Post-Run: 26,478,882,816 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
301 --- E O F --- 2008-07-09 17:46:22
Just wanted to add a thank you. I think you all do a great job helping out the likes of myself who are in need of guidance; keep up the great work.
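The firewall policy, globally open ports and driver entries in a ComboFix log like the one above are the parts a helper reads first, and they lend themselves to a quick automated triage. The following Python script is an added example, not part of the original thread and not ComboFix's own code: it parses a constructed log fragment written in the same format and flags a disabled Windows Firewall, firewall exceptions that open inbound ports, and driver entries whose file has no timestamp. The sample names (p2pclient.exe, examplefs, orphandrv) are made up, and reading an empty `[]` timestamp as "driver file not found on disk" is an assumption about ComboFix's output, not something the log states.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in ComboFix's log format; names and paths are invented
# for illustration and are not from the poster's actual log.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Example\\p2pclient.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:p2pclient 6881 TCP
"6881:UDP"= 6881:UDP:p2pclient 6881 UDP
R0 examplefs;examplefs;C:\WINDOWS\system32\DRIVERS\examplefs.sys [2007-09-21 17:49]
S1 orphandrv;Orphan Driver;C:\WINDOWS\system32\drivers\orphandrv.sys []
"""

# [registry\key\path]
SECTION_RE = re.compile(r'^\[(.+)\]$')
# "ValueName"= data   (data may be empty, as in the AuthorizedApplications list)
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
# <R|S><start type> name;display name;path [timestamp]
DRIVER_RE = re.compile(r'^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]$')


def parse_registry_sections(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group "name"= data lines under their preceding [section] header.

    Section names are lower-cased so lookups do not depend on the mixed
    casing ComboFix uses for registry paths.
    """
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2).strip()))
    return sections


def parse_driver_entries(text: str) -> List[Dict[str, str]]:
    """Extract the R*/S* service and driver lines into dicts."""
    drivers = []
    for raw in text.splitlines():
        m = DRIVER_RE.match(raw.strip())
        if m:
            drivers.append({
                "start": m.group(1) + m.group(2),   # e.g. R0, S1
                "name": m.group(3),
                "display": m.group(4),
                "path": m.group(5),
                "timestamp": m.group(6).strip(),
            })
    return drivers


def triage(text: str) -> List[str]:
    """Return human-readable findings a helper would want to look at first."""
    findings: List[str] = []
    for name, values in parse_registry_sections(text).items():
        if name.endswith(r"firewallpolicy\standardprofile"):
            for key, val in values:
                # ComboFix prints the DWORD as "0 (0x0)"; the first token is the value.
                if key == "EnableFirewall" and val.split()[0] == "0":
                    findings.append("Windows Firewall is disabled in the standard profile")
        elif name.endswith(r"globallyopenports\list"):
            for key, val in values:
                findings.append(f"firewall exception opens inbound port {key} ({val})")
    for d in parse_driver_entries(text):
        # Assumption: an empty [] means ComboFix found no file at that path,
        # i.e. a registered driver whose binary is gone (or hidden).
        if not d["timestamp"]:
            findings.append(
                f"driver {d['name']} ({d['start']}) is registered at {d['path']} "
                "but no file timestamp was recorded")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run it on a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents; a finding only marks something to look at, not something to delete, so each one still needs the judgement call a helper makes by hand.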
-
Run HijackThis, click on the "Scan system only" button and put checks next to these:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
Please close ALL browser windows (including this one).
With everything closed except HijackThis, click on "Fix checked".
Reboot your PC.
You should uninstall this old java update:
Java(TM) 6 Update 5
Scan this:
C:\WINDOWS\BMb7e622e2.xml
Go to next site:
VirusTotal - Free Online Virus and Malware Scan
On top you'll find 'Browse'
Click the browse button and browse to next file:
C:\WINDOWS\BMb7e622e2.xml
Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.
If that one is too busy, here is another option:
Online malware scan
And
Virus File Scanner