Help again please

AVG antispyware says it can't update/run

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:01 PM, on 9/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
Uhh Ohh ---->C:\WINDOWS\shell.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HJT.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKUS\S-1-5-18\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6230 bytes

Comments

  • VekaVeka Finland
    edited September 2007
    Hi hockey05, and welcome to Icrontic. I'll check your log and answer ASAP.
  • VekaVeka Finland
    edited September 2007
    Print out these instructions, or copy and paste into Notepad.

    Step 1

    Download the following tools to your desktop

    Step 2

    Run VundoFix.exe
    • Double-click VundoFix.exe to run it.
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Step 3

    Reboot into Safe Mode
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
    • Instead of Windows loading as normal, a menu with options should appear
    • Select the first option, to run Windows in Safe Mode, then press Enter
    • Choose your usual account
    Step 4

    Run SDFix
    • In Safe Mode, right click the SDFix.zip folder and choose Extract All.
    • Open the extracted folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • (Report.txt will also be copied to Clipboard ready for posting back on the forum). I will ask for it later.
    Step 5

    Run SmitFraudFix
    • Double-click SmitfraudFix.exe
    • Select option "#1 - Search" by typing 1 and press Enter; a text file will appear, which lists infected files (if present).
    • Please copy/paste the content of that report into your next reply.
    IMPORTANT: Do NOT run any other options except for Option # 1.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

    If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

    Step 6

    On your next reply, please include
    • Fresh HijackThis log
    • VundoFix log.
    • SDFix log.
    • Smitfraudfix log.
  • edited September 2007
    Vundo didn't find anything


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:38:11 PM, on 9/22/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Nick\Start Menu\Programs\Startup\findfast.exe
    C:\Program Files\Trend Micro\HijackThis\HJT.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKUS\S-1-5-18\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: findfast.exe
    O4 - Global Startup: autorun.exe
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    --
    End of file - 6281 bytes

    SDFix: Version 1.106

    Run by Administrator on Sat 09/22/2007 at 12:33 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Killing PID 844 'shell.exe'

    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\SYSTEM32\EEWYBXU2.XML - Deleted
    C:\WINDOWS\SYSTEM32\LXJBAGK.XML - Deleted
    C:\WINDOWS\SYSTEM32\LXJBAGK1.XML - Deleted
    C:\WINDOWS\SYSTEM32\LXJBAGK2.XML - Deleted
    C:\WINDOWS\SYSTEM32\LXJBAGU.XML - Deleted
    C:\WINDOWS\SYSTEM32\LXJBAGU1.XML - Deleted
    C:\WINDOWS\SYSTEM32\LXJBAGU2.XML - Deleted
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe - Deleted
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe - Deleted
    C:\WINDOWS\shell.exe - Deleted
    C:\WINDOWS\system32\printer.exe - Deleted
    C:\WINDOWS\system32\spoolvs.exe - Deleted



    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\Program Files\\SmartFTP\\SmartFTP.exe"="C:\\Program Files\\SmartFTP\\SmartFTP.exe:*:Enabled:SmartFTP"
    "C:\\DOCUME~1\\Nick\\LOCALS~1\\Templx10041.exe"="C:\\DOCUME~1\\Nick\\LOCALS~1\\Templx10041.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\Nick\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Nick\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
    "%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\Joanne\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Joanne\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "C:\\DOCUME~1\\Nick\\LOCALS~1\\Templx10041.exe"="C:\\DOCUME~1\\Nick\\LOCALS~1\\Templx10041.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\Nick\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Nick\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
    "%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\Joanne\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Joanne\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"

    Remaining Files:

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll
    C:\Program Files\Common Files\aolshare\shell\us\shellext.dll
    C:\Program Files\America Online 8.0\aolphx.exe
    C:\Program Files\America Online 8.0\aoltray.exe
    C:\Program Files\America Online 8.0\RBM.exe
    C:\Program Files\America Online 8.0\waol.exe
    C:\Program Files\America Online 8.0\COMIT\cswitch.exe
    C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe
    C:\Documents and Settings\Joanne\Application Data\Microsoft\Templates\~WRL0674.tmp
    C:\Documents and Settings\Joanne\Application Data\Microsoft\Templates\~WRL0772.tmp
    C:\Documents and Settings\Joanne\Application Data\Microsoft\Templates\~WRL1698.tmp
    C:\Documents and Settings\Joanne\Application Data\Microsoft\Templates\~WRL1895.tmp
    C:\Documents and Settings\Joanne\Application Data\Microsoft\Templates\~WRL2129.tmp
    C:\Documents and Settings\Joanne\Application Data\Microsoft\Templates\~WRL2739.tmp
    C:\Documents and Settings\Joanne\Application Data\Microsoft\Templates\~WRL2973.tmp
    C:\Documents and Settings\Joanne\Application Data\Microsoft\Templates\~WRL2991.tmp
    C:\Documents and Settings\Joanne\Application Data\Microsoft\Templates\~WRL3745.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0005.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0279.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0284.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0289.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0299.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0437.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0614.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0711.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0733.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0780.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0834.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0902.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0990.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL1108.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL1292.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL1442.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL1456.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL1630.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL1941.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL2064.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL2108.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL2416.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL2725.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL2797.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL2918.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL3227.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL3269.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL3292.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL3710.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL3764.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL3863.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL3876.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL3911.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL3913.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL4003.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL4070.tmp
    C:\Documents and Settings\Joanne\My Documents\Flairs 06-07\~WRL0370.tmp
    C:\Documents and Settings\Joanne\My Documents\Flairs 06-07\~WRL1217.tmp
    C:\Documents and Settings\Joanne\My Documents\Flairs 06-07\~WRL1309.tmp
    C:\Documents and Settings\Joanne\My Documents\Flairs 06-07\~WRL1680.tmp
    C:\Documents and Settings\Joanne\My Documents\Flairs 06-07\~WRL2262.tmp
    C:\Documents and Settings\Joanne\My Documents\Flairs 06-07\~WRL2674.tmp
    C:\Documents and Settings\Joanne\My Documents\Flairs 06-07\~WRL3727.tmp
    C:\Documents and Settings\Joanne\My Documents\Flairs 06-07\~WRL3956.tmp
    C:\Documents and Settings\Nick\Application Data\Microsoft\Templates\~WRL0004.tmp
    C:\Documents and Settings\Nick\Application Data\Microsoft\Templates\~WRL0870.tmp
    C:\Documents and Settings\Nick\Application Data\Microsoft\Word\~WRL3427.tmp

    Finished!

    SmitFraudFix v2.227

    Scan done at 13:37:37.09, Sat 09/22/2007
    Run from C:\Documents and Settings\Nick\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Nick\Start Menu\Programs\Startup\findfast.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    hosts file corrupted !

    10.18.250.4 download.microsoft.com
    10.18.250.4 downloads.microsoft.com
    10.18.250.4 go.microsoft.com
    10.18.250.4 microsoft.com
    10.18.250.4 msdn.microsoft.com
    10.18.250.4 office.microsoft.com
    10.18.250.4 support.microsoft.com
    10.18.250.4 windowsupdate.microsoft.com
    10.18.250.4 www.microsoft.com
    10.18.250.4 pandasoftware.com
    10.18.250.4 www.pandasoftware.com

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

    C:\WINDOWS\shell.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\printer.exe FOUND !
    C:\WINDOWS\system32\spoolvs.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Nick


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Nick\Application Data

    C:\Documents and Settings\Nick\Application Data\Install.dat FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    C:\DOCUME~1\Nick\STARTM~1\Programs\Startup\findfast.exe FOUND !
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Nick\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "system"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
    DNS Server Search Order: 192.168.1.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{C04F7810-7019-4093-BFB0-87606ADBBABE}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{C04F7810-7019-4093-BFB0-87606ADBBABE}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{C04F7810-7019-4093-BFB0-87606ADBBABE}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
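The logs in this post show the textbook artifacts of this infection side by side: the hosts file pins the Microsoft update domains and pandasoftware.com to 10.18.250.4, so update and online-scan traffic never reaches the vendor; the system.ini Shell= value has been extended to start C:\WINDOWS\shell.exe beside Explorer; the Run keys load lookalike names such as spoolvs.exe next to the real spoolsv.exe; and the Windows Firewall exception list authorises those same files under a borrowed @xpsp2res.dll resource-string name instead of a product name. The script below is an added example, not a tool from this thread or from HijackThis, SDFix or SmitFraudFix. It runs the corresponding checks over sample lines constructed from the posted logs (nothing is read from a live system), and the watch lists of vendor domains and system binary names are assumptions that need extending for real use.

```python
# Added example (not from this thread or from HijackThis/SDFix/SmitFraudFix):
# triage checks for the three artifact types seen in the posted logs.
# The sample lines below are constructed to mirror the logs; the watch lists
# of domains and system binaries are assumptions and should be tuned.
import re
from pathlib import PureWindowsPath

KNOWN_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                         "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
WATCH_DOMAINS = ("microsoft.com", "windowsupdate.com", "pandasoftware.com",
                 "kaspersky.com", "bitdefender.com", "grisoft.com", "symantec.com")
ROOT_DIRS = {"c:\\", "c:\\windows"}        # drive root and bare %windir%

# Constructed sample input modelled on the SmitFraudFix, HijackThis and SDFix output.
HOSTS_LINES = """127.0.0.1 localhost
10.18.250.4 windowsupdate.microsoft.com
10.18.250.4 www.pandasoftware.com""".splitlines()
HJT_LINES = r"""F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup""".splitlines()
FW_LINES = r'''"C:\\Program Files\\SmartFTP\\SmartFTP.exe"="C:\\Program Files\\SmartFTP\\SmartFTP.exe:*:Enabled:SmartFTP"
"C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\DOCUME~1\\Nick\\LOCALS~1\\Templx10041.exe"="C:\\DOCUME~1\\Nick\\LOCALS~1\\Templx10041.exe:*:Enabled:@xpsp2res.dll,-22019"'''.splitlines()


def osa_distance(a, b):
    """Edit distance that counts an adjacent swap (spoolvs/spoolsv) as one edit."""
    a, b = a.lower(), b.lower()
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]


def check_hosts(lines):
    """Flag hosts entries that pin update or AV vendor domains to any address."""
    hits = []
    for line in lines:
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            n = name.lower()
            if any(n == dom or n.endswith("." + dom) for dom in WATCH_DOMAINS):
                hits.append(f"hosts: {name} -> {fields[0]} (blocks or redirects a vendor domain)")
    return hits


F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
O4_RE = re.compile(r"^O4 - .*?: \[([^\]]*)\] (.*)$")
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)


def check_hjt(lines):
    """Flag a hijacked Shell= value, lookalike binary names and odd install dirs."""
    hits = []
    for line in lines:
        if m := F2_RE.match(line):
            extra = [t for t in m[1].split() if t.lower() != "explorer.exe"]
            if extra:
                hits.append(f"F2: Shell= also starts {extra} (runs at every logon)")
        elif m := O4_RE.match(line):
            for exe in EXE_RE.findall(m[2]):
                p = PureWindowsPath(exe)
                base = p.name.lower()
                near = [k for k in KNOWN_SYSTEM_BINARIES if osa_distance(base, k) == 1]
                if base not in KNOWN_SYSTEM_BINARIES and near:
                    hits.append(f"O4 [{m[1]}]: {base} looks like {near[0]} (lookalike name)")
                if str(p.parent).lower() in ROOT_DIRS:
                    hits.append(f"O4 [{m[1]}]: {exe} runs from {p.parent} (unusual location)")
    return hits


FW_RE = re.compile(r'^"([^"]+)"="([^"]+)"$')


def check_firewall(lines):
    """Flag firewall exceptions hiding behind a borrowed resource-string name."""
    hits = []
    for line in lines:
        if not (m := FW_RE.match(line.strip())):
            continue
        path = m[1].replace("\\\\", "\\")          # .reg export doubles backslashes
        display = m[2].rsplit(":", 1)[-1]          # value is path:*:Enabled:<display name>
        low = path.lower()
        why = []
        if display.startswith("@") and PureWindowsPath(path).name.lower() not in KNOWN_SYSTEM_BINARIES:
            why.append("display name is a borrowed resource string, not a product name")
        if "\\locals~1\\" in low or "\\local settings\\" in low or "\\startup\\" in low:
            why.append("file lives in a user profile folder")
        if why:
            hits.append(f"firewall: {path} allowed ({'; '.join(why)})")
    return hits


def triage(hosts, hjt, fw):
    """All findings from the three artifact types, in log order."""
    return check_hosts(hosts) + check_hjt(hjt) + check_firewall(fw)


if __name__ == "__main__":
    for finding in triage(HOSTS_LINES, HJT_LINES, FW_LINES):
        print(finding)
```

Run as-is it reports seven findings from the sample lines; to triage another machine, feed it the lines of the real hosts file, a HijackThis log and a reg export of the AuthorizedApplications key. The resource-string check on its own is a weak signal, because Windows' own exceptions also use @-names, so the script only raises it when the file name is not a known system binary and the path still has to be checked by hand.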
  • VekaVeka Finland
    edited September 2007
    Print out these instructions, or copy and paste into Notepad.

    Step 1

    Please download to your desktop

    Step 2

    Run HostXpert
    • Unzip HostXpert to your desktop
    • Open up the HostXpert program.
    • Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
    • Click Create Back Up
    • Then click on Restore Microsoft's Host Files
    • Close the HostXpert program
    Step 3

    Run ATF Cleaner

    Note: this program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    Step 4

    Run AVG Anti-Spyware
    • Install and start AVG Anti-Spyware
    • Click the Update icon
    • Click Start update
    • Wait until updates are downloaded
    • Click the Scanner icon
    • Open the Settings tab
      • Make sure that under "How to act?" it reads Quarantine (If not, click the text and choose Quarantine)
      • Under "How to scan?" all checkboxes should be ticked
      • Under "Reports" deselect (uncheck) Automatically generate report after every scan and Only if threats were found
      • Under "What to scan?" select Scan every file
    • Click the Shield icon
    • Under the "Resident shield is" click active to make it inactive
    • Close AVG Anti-Spyware
    Step 5

    Reboot into Safe Mode
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
    • Instead of Windows loading as normal, a menu with options should appear
    • Select the first option, to run Windows in Safe Mode, then press Enter
    • Choose your usual account
    Step 6

    Run SmitfraudFix

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd. Select option "#2 - Clean" by typing 2 and press Enter to delete infected files.

    Step 7

    Run AVG Anti-Spyware
    • Close all open windows / programs / folders
    • Start AVG Anti-Spyware
    • Click the Scanner icon
    • Click Complete System Scan
    • Let the program scan the machine
      (do NOT use your computer while scanning)
    • When the scan has finished, follow the instructions below
      • Make sure that under "Set all elements to" it reads Quarantine (if not, click the text and choose Quarantine)
      • Click Apply all actions
      • Click Save Report
      • Click Save reports as
      • Save report to your Desktop
    Step 8

    Reboot your computer into Normal Mode

    Step 9

    Get uninstall list
    • Start HijackThis
    • Click "Open the Misc Tools section" button.
    • Click "Open Uninstall Manager".
    • Click "Save list"
    • Save it to your Desktop.
    • Copy the contents of the file to your next reply.
    Step 10

    On your next reply, please include
    • Fresh HijackThis log
    • AVG Anti-Spyware report.
    • HJT uninstall list.
  • edited September 2007
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:53:44 PM, on 9/26/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Nick\Start Menu\Programs\Startup\findfast.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\notepad.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HJT.exe

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKUS\S-1-5-18\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: findfast.exe
    O4 - Global Startup: autorun.exe
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    --
    End of file - 6316 bytes





    3ds max 7
    AC-3 ACM Codec
    Ad-Aware SE Personal
    Adobe Acrobat 4.0
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Flash Player 9 ActiveX
    Adobe Help Center 1.0
    Adobe Photoshop CS2
    Adobe Stock Photos 1.0
    America Online
    AOL Coach Version 1.0(Build:20020823.1)
    AOL Instant Messenger
    Autodesk 3ds Max 8
    Autodesk DWF Viewer
    Avery Media Software 32 bit
    AVG Anti-Spyware 7.5
    Backburner
    BCM V.92 56K Modem
    Blackhawk Striker
    Blasterball 2
    Bodog Poker Version 2.8.5.2
    Broadcom Management Programs
    Call of Duty
    Canon Camera Support Core Library
    Canon Camera Window DC_DV 5 for ZoomBrowser EX
    Canon Camera Window DS for ZoomBrowser EX
    Canon Camera Window MC 5 for ZoomBrowser EX
    Canon Digital Camera USB WIA Driver
    Canon MovieEdit Task for ZoomBrowser EX
    Canon PhotoRecord
    Canon RAW Image Task for ZoomBrowser EX
    Canon Utilities PhotoStitch 3.1
    Canon Utilities RAW Image Converter
    Canon Utilities RemoteCapture 2.2
    Canon ZoomBrowser EX
    CleanUp!
    COMODO Firewall Pro
    Coolbuddy Screensaver nemo02
    DAO
    Dell Digital Jukebox Driver
    Dell Picture Studio - Dell Image Expert
    Dell ResourceCD
    Dell Solution Center
    Desktop Screen Record 5
    DVDSentry
    Earthlink Installer - uninstall 'Earthlink 5.0' entry first if present
    Easy CD Creator 5 Basic
    Encarta Research Organizer
    Family Feud (remove only)
    Finding Nemo by TraceMaes Themeland
    GameSpy Arcade
    Gem Master 2
    gmax
    Google Toolbar for Internet Explorer
    GrabIt 1.4.6 Beta
    GtkRadiant 1.5.0
    Half-Life(R) 2
    Halo Editing Kit
    Hex Workshop v4.23
    Hijackthis 1.99.1
    HijackThis 2.0.2
    hp instant support
    HP Memories Disc
    HP Photo and Imaging 2.0 - All-in-One
    HP Photo and Imaging 2.0 - All-in-One Drivers
    HP Photo and Imaging 2.0 - hp psc 2100 series
    hp psc 2100 series
    hp psc 2100 series
    IMG 1.1
    Intel(R) Extreme Graphics Driver
    J2SE Runtime Environment 5.0
    Kaspersky Online Scanner
    Logitech Desktop Messenger
    Logitech MouseWare 9.79.1
    Logitech Resource Center
    Macromedia Shockwave Player
    McAfee SecurityCenter
    McAfee VirusScan Online
    Microsoft .NET Framework 1.1
    Microsoft Data Access Components KB870669
    Microsoft Encarta Encyclopedia Standard 2003
    Microsoft Encarta Interactive World Atlas 2000
    Microsoft Halo
    Microsoft Halo Custom Edition
    Microsoft Money 2003
    Microsoft Money 2003 System Pack
    Microsoft Office 2000 Professional
    Microsoft Picture It! Photo 7.0
    Microsoft Streets and Trips 2002
    Microsoft Word 2002
    Microsoft Works 2003 Setup Launcher
    Microsoft Works 7.0
    Microsoft Works Suite Add-in for Microsoft Word
    MilkShape 3D 1.7.0
    mIRC
    Modem Helper
    Mouse Magic CS
    Mozilla Firefox (2.0.0.7)
    MSN Messenger 7.5
    MSN Toolbar
    MSXML 4.0 SP2 Parser and SDK
    NVIDIA Drivers
    Pacific Poker
    Paint Shop Pro 7
    Panda ActiveScan
    PartyPoker
    Pig Pen
    PowerDVD
    Presto! PageManager
    Presto! PageType
    Pretty Tinkerbell Theme
    PrintMaster Platinum 4.00
    QuickTime
    RD1021/1071 Lyra Personal Audio Player Applications
    RealPlayer
    Search Assistant - My Search
    Shockwave
    SmartFTP
    Space Rocks
    Spyware Doctor 3.2
    SpywareBlaster v3.2
    Steam
    Sysnet
    TeamSpeak 2 RC2
    Ventrilo Client
    Viewpoint Media Player
    Virtual Warfare
    Visio Technical
    VistaShuttle
    WildTangent Channel Manager
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Overlay Components
    Windows VisFx Components
    Windows XP Winter Fun Pack for Windows Movie Maker 2
    WinMX
    WinRAR archiver
    XviD MPEG-4 Video Codec
    Yahoo! Messenger






    SmitFraudFix v2.227

    Scan done at 10:53:50.96, Wed 09/26/2007
    Run from C:\Documents and Settings\Nick\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    10.18.250.4 ad.doubleclick.net
    10.18.250.4 ad.fastclick.net
    10.18.250.4 ads.fastclick.net
    10.18.250.4 ar.atwola.com
    10.18.250.4 atdmt.com
    10.18.250.4 avp.ch
    10.18.250.4 avp.com
    10.18.250.4 avp.ru
    10.18.250.4 awaps.net
    10.18.250.4 banner.fastclick.net
    10.18.250.4 banners.fastclick.net
    10.18.250.4 ca.com
    10.18.250.4 click.atdmt.com
    10.18.250.4 clicks.atdmt.com
    10.18.250.4 customer.symantec.com
    10.18.250.4 dispatch.mcafee.com
    10.18.250.4 download.mcafee.com
    10.18.250.4 downloads-us1.kaspersky-labs.com
    10.18.250.4 downloads-us2.kaspersky-labs.com
    10.18.250.4 downloads-us3.kaspersky-labs.com
    10.18.250.4 downloads1.kaspersky-labs.com
    10.18.250.4 downloads2.kaspersky-labs.com
    10.18.250.4 downloads3.kaspersky-labs.com
    10.18.250.4 downloads4.kaspersky-labs.com
    10.18.250.4 engine.awaps.net
    10.18.250.4 f-secure.com
    10.18.250.4 fastclick.net
    10.18.250.4 ftp.avp.ch
    10.18.250.4 ftp.downloads1.kaspersky-labs.com
    10.18.250.4 ftp.downloads2.kaspersky-labs.com
    10.18.250.4 ftp.downloads3.kaspersky-labs.com
    10.18.250.4 ftp.f-secure.com
    10.18.250.4 ftp.kasperskylab.ru
    10.18.250.4 ftp.sophos.com
    10.18.250.4 ids.kaspersky-labs.com
    10.18.250.4 kaspersky-labs.com
    10.18.250.4 kaspersky.com
    10.18.250.4 liveupdate.symantec.com
    10.18.250.4 liveupdate.symantecliveupdate.com
    10.18.250.4 mast.mcafee.com
    10.18.250.4 mcafee.com
    10.18.250.4 media.fastclick.net
    10.18.250.4 my-etrust.com
    10.18.250.4 nai.com
    10.18.250.4 networkassociates.com
    10.18.250.4 norton.com
    10.18.250.4 phx.corporate-ir.net
    10.18.250.4 rads.mcafee.com
    10.18.250.4 secure.nai.com
    10.18.250.4 securityresponse.symantec.com
    10.18.250.4 service1.symantec.com
    10.18.250.4 sophos.com
    10.18.250.4 spd.atdmt.com
    10.18.250.4 symantec.com
    10.18.250.4 trendmicro.com
    10.18.250.4 update.symantec.com
    10.18.250.4 updates.symantec.com
    10.18.250.4 updates1.kaspersky-labs.com
    10.18.250.4 updates2.kaspersky-labs.com
    10.18.250.4 updates3.kaspersky-labs.com
    10.18.250.4 updates4.kaspersky-labs.com
    10.18.250.4 updates5.kaspersky-labs.com
    10.18.250.4 us.mcafee.com
    10.18.250.4 vil.nai.com
    10.18.250.4 viruslist.com
    10.18.250.4 viruslist.ru
    10.18.250.4 virusscan.jotti.org
    10.18.250.4 virustotal.com
    10.18.250.4 www.avp.ch
    10.18.250.4 www.avp.com
    10.18.250.4 www.avp.ru
    10.18.250.4 www.awaps.net
    10.18.250.4 www.ca.com
    10.18.250.4 www.f-secure.com
    10.18.250.4 www.fastclick.net
    10.18.250.4 www.grisoft.com
    10.18.250.4 www.kaspersky-labs.com
    10.18.250.4 www.kaspersky.com
    10.18.250.4 www.kaspersky.ru
    10.18.250.4 www.mcafee.com
    10.18.250.4 www.my-etrust.com
    10.18.250.4 www.nai.com
    10.18.250.4 www.networkassociates.com
    10.18.250.4 www.sophos.com
    10.18.250.4 www.symantec.com
    10.18.250.4 www.trendmicro.com
    10.18.250.4 www.viruslist.com
    10.18.250.4 www.viruslist.ru
    10.18.250.4 www.virustotal.com

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\shell.exe Deleted
    C:\WINDOWS\system32\printer.exe Deleted
    C:\WINDOWS\system32\spoolvs.exe Deleted
    C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\findfast.exe Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{C04F7810-7019-4093-BFB0-87606ADBBABE}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{C04F7810-7019-4093-BFB0-87606ADBBABE}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "system"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End





    It wouldn't let me click "Save Report" for AVG.
  • VekaVeka Finland
    edited September 2007
    Run HijackThis and click the Do system scan only button. When the scan is complete, check the following entries:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    After that, close web browsers, and all other open windows / programs. Click Fix Checked.

    It seems that you don't use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses.

    Please download and install one below:

    AntiVir
    AVG
    AVAST

    When done, update your Windows XP. A newer service pack is available. Service packs increase the safety of your system.

    http://windowsupdate.microsoft.com/ (Internet Explorer only)

    How is your computer running now?
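Added example, not part of this thread or of any of the tools it mentions: a small Python script that scans HijackThis-style log lines and hosts entries like the ones posted above for the three generic indicators this thread turns on. It flags a Winlogon Shell value that carries anything besides Explorer.exe (the F2 line and the matching ComboFix `"Shell"=` line), a DisableRegedit=1 policy (the O7 line), and hosts entries that point security-vendor names at a routable address rather than loopback, which is what stops AVG and the other scanners from updating. The vendor-suffix list and the sample lines are constructed from the SmitfraudFix hosts dump and the HijackThis entries in this thread; the rule that loopback or 0.0.0.0 targets are benign ad-blocking is the author's assumption here, not something the tools decide.

```python
import ipaddress
import re

# Vendor and update-service suffixes to watch for in hosts entries.
# Constructed from the SmitfraudFix hosts dump in this thread; not exhaustive.
SECURITY_SUFFIXES = (
    "kaspersky-labs.com", "kaspersky.com", "kaspersky.ru", "kasperskylab.ru",
    "symantec.com", "symantecliveupdate.com", "norton.com",
    "mcafee.com", "nai.com", "networkassociates.com",
    "grisoft.com", "trendmicro.com", "sophos.com", "f-secure.com",
    "avp.com", "avp.ch", "avp.ru", "ca.com", "my-etrust.com",
    "virustotal.com", "virusscan.jotti.org", "viruslist.com", "viruslist.ru",
)

# Matches both the HijackThis F2 form (Shell=...) and the ComboFix/.reg form ("Shell"="...").
SHELL_RE = re.compile(r'Shell"?\s*=\s*"?([^"]+?)"?\s*$', re.IGNORECASE)
# A hosts entry: dotted-quad address, whitespace, one or more hostnames.
HOSTS_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S.*)$")
POLICY_RE = re.compile(r"DisableRegedit\s*=\s*1\b", re.IGNORECASE)


def shell_extras(shell_value):
    """Return every token in a Winlogon Shell value other than Explorer.exe.
    A clean XP system has exactly 'Explorer.exe' here; anything else is a second
    program being launched alongside the desktop at every logon."""
    return [t for t in shell_value.split() if t.lower() != "explorer.exe"]


def is_security_host(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in SECURITY_SUFFIXES)


def hosts_redirect(line):
    """Return (ip, [flagged hosts]) when a hosts entry maps a security-vendor name
    to a routable address; None otherwise. Loopback and 0.0.0.0 targets are the
    usual ad-blocking idiom (assumption) and are left alone."""
    m = HOSTS_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:  # e.g. 999.1.1.1: not a real address, skip it
        return None
    if ip.is_loopback or ip.is_unspecified:
        return None
    flagged = [h for h in m.group(2).split() if is_security_host(h)]
    return (str(ip), flagged) if flagged else None


def analyze(text):
    """Walk mixed log/hosts lines and return a list of (kind, detail) findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SHELL_RE.search(line)
        if m:
            findings.extend(("shell", extra) for extra in shell_extras(m.group(1)))
            continue
        if POLICY_RE.search(line):
            findings.append(("policy", "DisableRegedit=1"))
            continue
        hit = hosts_redirect(line)
        if hit:
            ip, hosts = hit
            findings.extend(("hosts", f"{h} -> {ip}") for h in hosts)
    return findings


# Constructed sample: lines lifted from the HijackThis, ComboFix and SmitfraudFix
# output in this thread, plus benign hosts entries for contrast.
SAMPLE_LINES = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"Shell"="Explorer.exe C:\WINDOWS\shell.exe"
127.0.0.1 localhost
127.0.0.1 ad.doubleclick.net
10.18.250.4 ad.doubleclick.net
10.18.250.4 www.grisoft.com
10.18.250.4 liveupdate.symantec.com
"""

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LINES):
        print(f"[{kind}] {detail}")
```

Run against the full SmitfraudFix hosts section above it reports every vendor name sent to 10.18.250.4, while the `127.0.0.1 ad.doubleclick.net`-style entries stay quiet; the two Shell findings show the same rogue path reported by HijackThis and by ComboFix. The O4 Printer/Spoolsv entries are deliberately not matched: telling a misspelled `spoolvs.exe` from the real spooler needs a file-level check, not a log regex.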
  • edited September 2007
    vekarppe wrote:
    Run HijackThis and click the Do system scan only button. When the scan is complete, check the following entries:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    After that, close web browsers, and all other open windows / programs. Click Fix Checked.

    It seems that you don't use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses.

    How is your computer running now?

    That didn't do anything. Those same entries are still there after I fixed them in Normal Mode and tried again in Safe Mode. Also ran AVG in Safe Mode; it didn't do anything.
  • VekaVeka Finland
    edited September 2007
    Hi,

    Disable AVG Anti-Spyware resident shield.
    1. Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an 'S' in the system tray.
    2. In the 'Resident Shield' section, toggle the AVG Anti-Spyware active protection 'off' by clicking 'Change state' which will then change the protection status to 'inactive'.
    3. If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to "Restart the Resident Shield".
    4. Reply 'no' and set it to 'inactive' for the duration of your cleanup.
    Now, run HijackThis again and try to fix these

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    Please let me know if you are still facing problems.

  • edited September 2007
    vekarppe wrote:
    Disable AVG Anti-Spyware resident shield.

    I have the free version of AVG. Resident Shield is not available in the free version.
  • VekaVeka Finland
    edited September 2007
    Ok. I will give new instructions soon.
  • VekaVeka Finland
    edited September 2007
    Please download ComboFix from here or here
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you.
    • Save the log to your desktop.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Send the ComboFix log along with a fresh HijackThis log. :)
  • edited September 2007
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:24:01 AM, on 9/30/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\setup\avast.setup
    C:\WINDOWS\shell.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HJT.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
    O4 - HKUS\S-1-5-18\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: findfast.exe
    O4 - Global Startup: autorun.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe

    --
    End of file - 6665 bytes




    ComboFix 07-09-21.2 - "Nick" 2007-09-30 1:19:10.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.429 [GMT -5:00]
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\autorun.exe
    C:\DOCUME~1\Nick\APPLIC~1\install.dat
    C:\WINDOWS\system32\printer.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-30 )))))))))))))))))))))))))))))))
    .

    2007-09-28 13:36 42,912 --a C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
    2007-09-28 13:35 94,416 --a C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
    2007-09-28 13:35 92,848 --a C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
    2007-09-28 13:35 26,624 --a C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
    2007-09-26 17:57 22,328 --a C:\WINDOWS\SYSTEM32\DRIVERS\PnkBstrK.sys
    2007-09-26 17:56 66,872 --a C:\WINDOWS\SYSTEM32\PnkBstrA.exe
    2007-09-26 17:56 103,736 --a C:\WINDOWS\SYSTEM32\PnkBstrB.exe
    2007-09-26 12:51 10,240 --a C:\WINDOWS\SYSTEM32\spoolvs.exe
    2007-09-26 12:51 10,240 --a C:\WINDOWS\shell.exe
    2007-09-22 13:37 53,248 --a C:\WINDOWS\SYSTEM32\Process.exe
    2007-09-22 13:37 51,200 --a C:\WINDOWS\SYSTEM32\dumphive.exe
    2007-09-22 13:37 289,144 --a C:\WINDOWS\SYSTEM32\VCCLSID.exe
    2007-09-22 13:37 288,417 --a C:\WINDOWS\SYSTEM32\SrchSTS.exe
    2007-09-22 12:01 <DIR> d C:\VundoFix Backups
    2007-09-18 14:58 10,240 --a C:\us10041.exe
    2007-08-28 14:42 <DIR> d C:\Program Files\Galactic Magnate
    2007-08-13 20:59 <DIR> d C:\DOCUME~1\Nick\DoctorWeb
    2007-08-12 18:55 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-08-12 18:54 <DIR> d C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2007-08-10 17:23 51,200 --a C:\WINDOWS\nircmd.exe
    2007-08-10 17:08 <DIR> d C:\WINDOWS\ERUNT
    2007-08-10 16:54 4,974 --a C:\dnsbak.reg
    2007-08-10 16:53 3,634 --a C:\WINDOWS\SYSTEM32\tmp.reg
    2007-08-08 22:02 <DIR> d C:\Program Files\PokerStars
    2007-08-08 14:02 <DIR> d C:\Program Files\Trend Micro
    2007-08-08 13:45 <DIR> d C:\DOCUME~1\Nick\APPLIC~1\Uniblue
    2007-08-07 07:23 <DIR> d C:\DOCUME~1\Joanne\APPLIC~1\Comodo
    2007-08-06 22:14 <DIR> d C:\DOCUME~1\Amy\APPLIC~1\Comodo
    2007-08-06 16:16 <DIR> d C:\DOCUME~1\Nick\APPLIC~1\Comodo
    2007-08-06 16:16 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-08-06 16:13 <DIR> d C:\Program Files\Comodo

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-29 20:22 d C:\Program Files\mIRC
    2007-09-26 18:22 d C:\Program Files\Call of Duty
    2007-09-06 05:09 801144 --a C:\WINDOWS\SYSTEM32\aswBoot.exe
    2007-09-06 05:03 23152 --a C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-09-06 05:00 95608 --a C:\WINDOWS\SYSTEM32\AVASTSS.scr
    2007-08-31 16:15 d C:\DOCUME~1\Nick\APPLIC~1\uTorrent
    2007-08-28 15:37 d C:\Program Files\Yahoo! Games
    2007-08-20 17:27 d C:\Program Files\Alibre Design
    2007-08-20 17:26 d C:\Program Files\DivX
    2007-08-18 15:32 d C:\Program Files\Bodog Poker
    2007-07-31 11:46 d C:\DOCUME~1\Nick\APPLIC~1\Walgreens
    2007-07-31 11:43 d C:\DOCUME~1\Nick\APPLIC~1\Snapfish
    2007-07-30 12:43 d C:\DOCUME~1\Joanne\APPLIC~1\Viewpoint
    2007-07-30 12:43 d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
    2007-06-23 20:40 516608 C:\WINDOWS\SYSTEM32\winlogon.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-12-10 04:06]
    "nwiz"="nwiz.exe" [2005-12-10 04:06 C:\WINDOWS\SYSTEM32\nwiz.exe]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-12 16:18]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-21 12:05]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2002-09-03 11:25]
    "IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 05:00]
    "MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-09-03 11:25]
    "PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-09-03 11:26]
    "PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-09-03 11:26]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 01:07]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-12-10 04:06]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-08-06 16:13]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
    "Printer"="C:\WINDOWS\System32\printer.exe" [2005-01-27 16:58]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 11:00]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 02:56]
    "Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
    "Spoolsv"="C:\WINDOWS\System32\spoolvs.exe" [2005-01-27 17:05]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "LDM"=\Program\BackWeb-8876480.exe

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    autorun.exe [2005-01-27 17:20:09]
    DESKTOP.INI [2006-11-01 20:18:09]

    C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2002-09-03 09:00:00]
    findfast.exe [2005-02-01 20:44:12]

    C:\DOCUME~1\Amy\STARTM~1\Programs\Startup\
    DESKTOP.INI [2002-09-03 09:00:00]
    findfast.exe [2005-01-28 14:09:11]

    C:\DOCUME~1\Joanne\STARTM~1\Programs\Startup\
    DESKTOP.INI [2002-09-03 09:00:00]
    findfast.exe [2005-01-25 04:56:51]

    C:\DOCUME~1\Kim\STARTM~1\Programs\Startup\
    DESKTOP.INI [2002-09-03 09:00:00]

    C:\DOCUME~1\Nick\STARTM~1\Programs\Startup\
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-18 16:05:28]
    DESKTOP.INI [2002-09-03 09:00:00]
    findfast.exe [2005-01-27 17:20:09]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Shell"="Explorer.exe C:\WINDOWS\shell.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
    backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^HotSync Manager.lnk]
    path=C:\Documents and Settings\Steve\Start Menu\Programs\Startup\HotSync Manager.lnk
    backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^UMAX VistaAccess.lnk]
    path=C:\Documents and Settings\Steve\Start Menu\Programs\Startup\UMAX VistaAccess.lnk
    backup=C:\WINDOWS\pss\UMAX VistaAccess.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
    "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
    BCMSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
    C:\WINDOWS\System32\DSentry.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\System32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\System32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
    C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
    C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    \Program\BackWeb-8876480.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
    Logi_MwX.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
    C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
    "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
    ????

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    "c:\progra~1\valve\steam\steam.exe" -silent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
    "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
    "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
    RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WinToolsSvc"=2 (0x2)
    "WANMiniportService"=2 (0x2)
    "Pml Driver HPZ12"=3 (0x3)
    "MCVSRte"=2 (0x2)
    "mcupdmgr.exe"=3 (0x3)
    "McShield"=3 (0x3)

    R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
    R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
    R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
    R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\System32\DRIVERS\BCMSM.sys
    R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
    S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
    S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\System32\Drivers\LCcFltr.Sys
    S3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys
    S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\System32\Drivers\StMp3Rec.sys
    S3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\System32\DRIVERS\UltraMonMirror.sys
    S4 Windows VisFx Components;Windows VisFx Components;C:\WINDOWS\xmjdsvc.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2003-12-12 04:36:05 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1059795327.job"
    "2007-09-30 06:20:00 C:\WINDOWS\Tasks\McAfee.com Update Check (D6C4V331-Owner).job"
    - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
    "2007-09-30 06:19:00 C:\WINDOWS\Tasks\McAfee.com Update Check (OFFICESTUDY-Amy).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-09-30 06:21:00 C:\WINDOWS\Tasks\McAfee.com Update Check (OFFICESTUDY-Joanne).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-09-30 06:22:00 C:\WINDOWS\Tasks\McAfee.com Update Check (OFFICESTUDY-Kim).job"
    "2007-09-30 06:20:00 C:\WINDOWS\Tasks\McAfee.com Update Check (OFFICESTUDY-Nick).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-09-30 06:18:00 C:\WINDOWS\Tasks\McAfee.com Update Check (OFFICESTUDY-Steve).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-09-30 06:22:00 C:\WINDOWS\Tasks\McAfee.com Update Check (UPSTAIRSCOMPUTE-Amy).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-09-30 06:18:00 C:\WINDOWS\Tasks\McAfee.com Update Check (UPSTAIRSCOMPUTE-Joanne).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-09-30 06:22:00 C:\WINDOWS\Tasks\McAfee.com Update Check (UPSTAIRSCOMPUTE-Kim).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-09-30 06:18:00 C:\WINDOWS\Tasks\McAfee.com Update Check (UPSTAIRSCOMPUTE-Nick).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2003-12-12 04:37:11 C:\WINDOWS\Tasks\WebReg 20031211223711.job"
    - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-30 01:22:02
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-09-30 1:23:21
    C:\ComboFix-quarantined-files.txt ... 2007-09-30 01:22
    C:\ComboFix2.txt ... 2007-08-13 18:58
    C:\ComboFix3.txt ... 2007-08-12 17:18
    .
    --- E O F ---
  • VekaVeka Finland
    edited September 2007
    Hi,

    Stop shell.exe process.

    Open Task Manager by pressing Ctrl + Alt + Delete and select the Processes tab.
    Find and select shell.exe and click the End Process button.

    After that, run HijackThis and click Do system scan only.
    When the scan is complete, check the following entries:
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
    O4 - Startup: findfast.exe
    O4 - Global Startup: autorun.exe

    Close web browsers, and all other open windows/programs. Click Fix Checked.

    Now open notepad and copy/paste the text in the codebox below into it:
    File::
    C:\WINDOWS\System32\printer.exe
    C:\WINDOWS\System32\spoolvs.exe
    C:\WINDOWS\shell.exe

    Save this as CFScript

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    CFScript.gif

    This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
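As an added example (not part of this thread, and not code from HijackThis or ComboFix), here is a small Python triage script that scans HijackThis O4/F2 lines and the ComboFix Winlogon dump for the three patterns the helper acted on above: an extra program appended to the Winlogon Shell value, a Run entry whose file name is a one-edit lookalike of a Windows system binary (spoolvs.exe vs spoolsv.exe), and the decoy names called out in this thread. The system-binary list, the suspect-name list and the sample log lines are constructed for the demo.

```python
"""Triage of HijackThis / ComboFix autostart lines (added example, not part of the thread)."""
import re
from typing import List, Tuple

# Real Windows binary names that malware likes to imitate (short demo list, an assumption).
KNOWN_SYSTEM_BINARIES = {
    "explorer.exe", "spoolsv.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "smss.exe", "csrss.exe",
}

# Names the helper asked to have fixed in this thread; an analyst would maintain
# this list per case (spoolvs.exe is deliberately left out so the lookalike check catches it).
THREAD_SUSPECT_NAMES = {"printer.exe", "shell.exe", "autorun.exe", "findfast.exe"}

# HijackThis "O4 - <location>: [<value name>] <command>" (startup-folder entries have no [name]).
O4_RE = re.compile(r"^O4 - (?P<location>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
# HijackThis F2 line and ComboFix registry dump line for the Winlogon Shell value.
F2_SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$")
CF_SHELL_RE = re.compile(r'^"Shell"="(?P<value>.*)"$')


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path or bare command token."""
    return path.strip().strip('"').replace("/", "\\").split("\\")[-1].lower()


def first_executable(cmd: str) -> str:
    """First token of a command line, honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def within_one_edit(a: str, b: str) -> bool:
    """True if a != b and they differ by one substitution, adjacent swap, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diffs) == 1:
            return True
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def shell_extras(value: str) -> List[str]:
    """Programs in a Winlogon Shell value other than Explorer.exe itself."""
    return [tok for tok in value.split() if basename(tok) != "explorer.exe"]


def triage_line(line: str) -> List[str]:
    """Return the reasons a single log line deserves attention (empty list if none)."""
    line = line.strip()
    reasons: List[str] = []
    m = F2_SHELL_RE.match(line) or CF_SHELL_RE.match(line)
    if m:
        for extra in shell_extras(m.group("value")):
            reasons.append(f"Winlogon Shell also launches {extra}")
        return reasons
    m = O4_RE.match(line)
    if not m:
        return reasons
    exe = basename(first_executable(m.group("cmd")))
    if exe in THREAD_SUSPECT_NAMES:
        reasons.append(f"autostart entry runs known-bad name {exe}")
    for known in sorted(KNOWN_SYSTEM_BINARIES):
        if within_one_edit(exe, known):
            reasons.append(f"{exe} is a one-edit lookalike of {known}")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Scan a whole log and return (line, reasons) for every flagged line, in log order."""
    out = []
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            out.append((raw.strip(), reasons))
    return out


# Constructed sample: the entries the helper called out in this thread, plus two benign ones.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
"Shell"="Explorer.exe C:\WINDOWS\shell.exe"
"""

if __name__ == "__main__":
    for flagged, why in triage_log(SAMPLE_LOG):
        print(flagged)
        for reason in why:
            print("   ->", reason)
```

Note that the lookalike check is what catches spoolvs.exe even though it is on no list; the decoy-name list only covers what was already identified in this thread.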
  • edited September 2007
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:01:07 PM, on 9/30/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\PnkBstrA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HJT.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKUS\S-1-5-18\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe

    --
    End of file - 6518 bytes




    ComboFix 07-09-21.2 - "Nick" 2007-09-30 20:54:23.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.441 [GMT -5:00]
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\printer.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-09-01 to 2007-10-01 )))))))))))))))))))))))))))))))
    .

    2007-09-28 13:36 42,912 --a
    C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
    2007-09-28 13:35 94,416 --a
    C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
    2007-09-28 13:35 92,848 --a
    C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
    2007-09-28 13:35 26,624 --a
    C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
    2007-09-26 17:57 22,328 --a
    C:\WINDOWS\SYSTEM32\DRIVERS\PnkBstrK.sys
    2007-09-26 17:56 66,872 --a
    C:\WINDOWS\SYSTEM32\PnkBstrA.exe
    2007-09-26 17:56 103,736 --a
    C:\WINDOWS\SYSTEM32\PnkBstrB.exe
    2007-09-26 12:51 10,240 --a
    C:\WINDOWS\SYSTEM32\spoolvs.exe
    2007-09-26 12:51 10,240 --a
    C:\WINDOWS\shell.exe
    2007-09-22 13:37 53,248 --a
    C:\WINDOWS\SYSTEM32\Process.exe
    2007-09-22 13:37 51,200 --a
    C:\WINDOWS\SYSTEM32\dumphive.exe
    2007-09-22 13:37 289,144 --a
    C:\WINDOWS\SYSTEM32\VCCLSID.exe
    2007-09-22 13:37 288,417 --a
    C:\WINDOWS\SYSTEM32\SrchSTS.exe
    2007-09-22 12:01 <DIR> d
    C:\VundoFix Backups
    2007-09-18 14:58 10,240 --a
    C:\us10041.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-29 20:22
    d
    C:\Program Files\mIRC
    2007-09-26 18:22
    d
    C:\Program Files\Call of Duty
    2007-09-26 10:53 3634 --a
    C:\WINDOWS\SYSTEM32\tmp.reg
    2007-09-06 05:09 801144 --a
    C:\WINDOWS\SYSTEM32\aswBoot.exe
    2007-09-06 05:03 23152 --a
    C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-09-06 05:00 95608 --a
    C:\WINDOWS\SYSTEM32\AVASTSS.scr
    2007-08-31 16:15
    d
    C:\DOCUME~1\Nick\APPLIC~1\uTorrent
    2007-08-28 15:37
    d
    C:\Program Files\Yahoo! Games
    2007-08-28 15:15
    d
    C:\Program Files\Galactic Magnate
    2007-08-20 17:28
    d
    C:\Program Files\PokerStars
    2007-08-20 17:27
    d
    C:\Program Files\Alibre Design
    2007-08-20 17:26
    d
    C:\Program Files\DivX
    2007-08-18 15:32
    d
    C:\Program Files\Bodog Poker
    2007-08-12 18:55
    d
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-08-10 16:54 4974 --a
    C:\dnsbak.reg
    2007-08-08 14:02
    d
    C:\Program Files\Trend Micro
    2007-08-08 13:45
    d
    C:\DOCUME~1\Nick\APPLIC~1\Uniblue
    2007-08-07 07:23
    d
    C:\DOCUME~1\Joanne\APPLIC~1\Comodo
    2007-08-06 22:14
    d
    C:\DOCUME~1\Amy\APPLIC~1\Comodo
    2007-08-06 16:16
    d
    C:\DOCUME~1\Nick\APPLIC~1\Comodo
    2007-08-06 16:16
    d
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-08-06 16:13
    d
    C:\Program Files\Comodo
    .

    ((((((((((((((((((((((((((((( snapshot_2007-09-30_ 12225.62 )))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 262,144 2007-10-01 01:53:40 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat
    ----atw 16,384 2007-09-30 23:25:32 C:\WINDOWS\temp\Perflib_Perfdata_570.dat
    .
    ----a-w 262,144 2007-09-30 06:18:44 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-12-10 04:06]
    "nwiz"="nwiz.exe" [2005-12-10 04:06 C:\WINDOWS\SYSTEM32\nwiz.exe]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-12 16:18]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-21 12:05]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2002-09-03 11:25]
    "IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 05:00]
    "MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-09-03 11:25]
    "PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-09-03 11:26]
    "PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-09-03 11:26]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 01:07]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-12-10 04:06]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-08-06 16:13]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 11:00]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 02:56]
    "Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "LDM"=\Program\BackWeb-8876480.exe

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2006-11-01 20:18:09]

    C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2002-09-03 09:00:00]
    findfast.exe [2005-02-01 20:44:12]

    C:\DOCUME~1\Amy\STARTM~1\Programs\Startup\
    DESKTOP.INI [2002-09-03 09:00:00]
    findfast.exe [2005-01-28 14:09:11]

    C:\DOCUME~1\Joanne\STARTM~1\Programs\Startup\
    DESKTOP.INI [2002-09-03 09:00:00]
    findfast.exe [2005-01-27 16:31:38]

    C:\DOCUME~1\Kim\STARTM~1\Programs\Startup\
    DESKTOP.INI [2002-09-03 09:00:00]

    C:\DOCUME~1\Nick\STARTM~1\Programs\Startup\
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-18 16:05:28]
    DESKTOP.INI [2002-09-03 09:00:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
    backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^HotSync Manager.lnk]
    path=C:\Documents and Settings\Steve\Start Menu\Programs\Startup\HotSync Manager.lnk
    backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^UMAX VistaAccess.lnk]
    path=C:\Documents and Settings\Steve\Start Menu\Programs\Startup\UMAX VistaAccess.lnk
    backup=C:\WINDOWS\pss\UMAX VistaAccess.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
    "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
    BCMSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
    C:\WINDOWS\System32\DSentry.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\System32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\System32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
    C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
    C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    \Program\BackWeb-8876480.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
    Logi_MwX.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
    C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
    "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
    ????

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    "c:\progra~1\valve\steam\steam.exe" -silent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
    "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
    "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
    RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WinToolsSvc"=2 (0x2)
    "WANMiniportService"=2 (0x2)
    "Pml Driver HPZ12"=3 (0x3)
    "MCVSRte"=2 (0x2)
    "mcupdmgr.exe"=3 (0x3)
    "McShield"=3 (0x3)

    R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
    R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
    R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
    R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\System32\DRIVERS\BCMSM.sys
    R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
    S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
    S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\System32\Drivers\LCcFltr.Sys
    S3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys
    S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\System32\Drivers\StMp3Rec.sys
    S3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\System32\DRIVERS\UltraMonMirror.sys
    S4 Windows VisFx Components;Windows VisFx Components;C:\WINDOWS\xmjdsvc.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2003-12-12 04:36:05 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1059795327.job"
    "2007-10-01 01:55:00 C:\WINDOWS\Tasks\McAfee.com Update Check (D6C4V331-Owner).job"
    - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
    "2007-10-01 01:54:00 C:\WINDOWS\Tasks\McAfee.com Update Check (OFFICESTUDY-Amy).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-10-01 01:56:00 C:\WINDOWS\Tasks\McAfee.com Update Check (OFFICESTUDY-Joanne).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-10-01 01:57:00 C:\WINDOWS\Tasks\McAfee.com Update Check (OFFICESTUDY-Kim).job"
    "2007-10-01 01:55:00 C:\WINDOWS\Tasks\McAfee.com Update Check (OFFICESTUDY-Nick).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-10-01 01:53:00 C:\WINDOWS\Tasks\McAfee.com Update Check (OFFICESTUDY-Steve).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-10-01 01:57:00 C:\WINDOWS\Tasks\McAfee.com Update Check (UPSTAIRSCOMPUTE-Amy).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-10-01 01:53:00 C:\WINDOWS\Tasks\McAfee.com Update Check (UPSTAIRSCOMPUTE-Joanne).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-10-01 01:57:00 C:\WINDOWS\Tasks\McAfee.com Update Check (UPSTAIRSCOMPUTE-Kim).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-10-01 01:53:00 C:\WINDOWS\Tasks\McAfee.com Update Check (UPSTAIRSCOMPUTE-Nick).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2003-12-12 04:37:11 C:\WINDOWS\Tasks\WebReg 20031211223711.job"
    - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-30 20:57:28
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-09-30 20:58:44
    C:\ComboFix-quarantined-files.txt ... 2007-09-30 20:58
    C:\ComboFix2.txt ... 2007-09-30 01:23
    C:\ComboFix3.txt ... 2007-08-13 18:58
    .
    --- E O F ---
  • VekaVeka Finland
    edited October 2007
    Good job! :)

    Please do the following:
    • Go to www.virustotal.com.
    • Upload this file by copying and pasting the file path into the file box

      C:\us10041.exe

    • Submit the file and copy and paste the results back into this thread.
    After that,
    • Start AVG Anti-Spyware
    • Click the Update icon
    • Click Start update
    • Wait until updates are downloaded
    • Click the Scanner icon
    • Open the Settings tab
      • Make sure that under "How to act?" it reads Quarantine (If not, click the text and choose Quarantine)
      • Under "How to scan?" all checkboxes should be ticked
      • Under "Reports" unselect Automatically generate report after every scan and uncheck Only if threats were found.
      • Under "What to scan?" select Scan every file
    • Click the Shield icon
    • Under the "Resident shield is" click active to make it inactive
    • Close AVG Anti-Spyware
    Reboot into Safe Mode
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
    • Instead of Windows loading as normal, a menu with options should appear
    • Select the first option, to run Windows in Safe Mode, then press Enter
    • Choose your usual account.
    Run AVG Anti-Spyware
    • Close all open windows / programs / folders
    • Start AVG Anti-Spyware
    • Click the Scanner icon
    • Click Complete System Scan
    • Let the program scan the machine
      (do NOT use your computer while scanning)
    • When the scan has finished, follow the instructions below
      • Make sure that under "Set all elements to" it reads Quarantine (If not, click the text and choose Quarantine)
      • Click Apply all actions
      • Click Save Report
      • Click Save reports as
      • Save report to your Desktop
    Reboot your computer and post AVG Anti-Spyware report along with fresh HijackThis log.
  • edited October 2007
    vekarppe wrote:
    Good job! :)

    Please do the following:
    • Go to www.virustotal.com.
    • Upload this file by copying and pasting the file path into the file box

      C:\us10041.exe

    • Submit the file and copy and paste the results back into this thread.
    that page wouldn't load for me but i did the other stuff.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:50:30 PM, on 10/2/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\PnkBstrA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\shell.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Trend Micro\HijackThis\HJT.exe

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
    O4 - HKUS\S-1-5-18\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: findfast.exe
    O4 - Global Startup: autorun.exe
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe

    --
    End of file - 6897 bytes
    AVG Anti-Spyware - Scan Report

    + Created at: 6:45:21 PM 10/2/2007

    + Scan result:



    :mozilla.168:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.245:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.48:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.49:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.50:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.51:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.52:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.53:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.54:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.187:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.188:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.252:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.253:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.254:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.255:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.256:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.257:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.258:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.100:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.101:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.102:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.98:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.99:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.135:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
    :mozilla.134:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
    :mozilla.124:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
    :mozilla.125:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
    :mozilla.126:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
    :mozilla.34:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
    :mozilla.106:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
    :mozilla.107:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
    :mozilla.108:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
    :mozilla.109:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
    :mozilla.110:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
    :mozilla.111:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
    :mozilla.112:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
    :mozilla.113:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
    :mozilla.122:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
    :mozilla.123:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
    :mozilla.227:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
    :mozilla.228:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
    :mozilla.90:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Paypal : Cleaned.
    :mozilla.213:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.214:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.215:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.216:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.217:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.218:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.219:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.220:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.221:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.116:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
    :mozilla.117:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
    :mozilla.118:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
    :mozilla.6:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
    :mozilla.8:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
    :mozilla.239:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.240:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.241:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.242:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.243:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.181:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.105:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
    :mozilla.169:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.170:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.171:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.172:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.157:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Zedo : Cleaned.
    :mozilla.158:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Zedo : Cleaned.
    :mozilla.159:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Zedo : Cleaned.
    :mozilla.160:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Zedo : Cleaned.
    :mozilla.161:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\vvfah0y9.Default User\cookies.txt -> TrackingCookie.Zedo : Cleaned.


    ::Report end
  • VekaVeka Finland
    edited October 2007
    Hi, it's me again.

    Did you run ComboFix as I asked?

    CFScript.gif

    Do NOT start ComboFix as usual; instead, drag CFScript onto ComboFix.exe. Make sure you did exactly so. Thank you. :)
  • edited October 2007
    vekarppe wrote:
    Hi, it's me again.

    Did you run ComboFix as I asked?

    CFScript.gif

    Do NOT start ComboFix as usual; instead, drag CFScript onto ComboFix.exe. Make sure you did exactly so. Thank you. :)

    i did, it keeps coming back.
    i just did it again in safemode... killed the process before i did it and still came back when i rebooted into normal mode.
  • VekaVeka Finland
    edited October 2007
    Ok. Good.

    Please do the following...
    • Download Killbox and save it to your desktop.
    • Double-click Killbox.exe to run it.
    • Select "Delete on reboot" and then All Files.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\us10041.exe
    C:\WINDOWS\System32\printer.exe
    C:\WINDOWS\System32\spoolvs.exe
    C:\WINDOWS\shell.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    • Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
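As an added example (not code from this thread, from HijackThis or from Killbox), here is a small Python triage script that applies three checks behind the removal list above: a Winlogon Shell value that launches something besides Explorer.exe (the F2 line), a Run entry whose executable is a near-miss spelling of a core Windows process (spoolvs.exe for spoolsv.exe), and the DisableRegedit policy. The sample log lines are constructed, the heuristics and the SYSTEM_BINARIES list are my own, and they deliberately do not catch everything the helper listed (printer.exe only stands out to an analyst or a VirusTotal lookup), so the output is a starting point for the removal list, not a substitute for review.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format, modelled on the entry types seen
# in this thread (not the thread's full log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Core Windows XP process names that droppers imitate with a near-miss spelling
# (assumed list for this example, not exhaustive).
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe",
}

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<rest>.*)$")
O4_RE = re.compile(r"^(?P<loc>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "F2", "O4", "O7"
    reason: str    # why the entry deserves a look
    target: str    # the executable or setting involved


def parse(log: str) -> list[tuple[str, str]]:
    """Split a HijackThis log into (section, remainder) pairs; other lines are skipped."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("sec"), m.group("rest")))
    return out


def first_token(cmd: str) -> str:
    """Return the program part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_lookalike(name: str, legit: str) -> bool:
    """Same length, differing by one substituted character or one swapped adjacent pair."""
    if name == legit or len(name) != len(legit):
        return False
    diffs = [i for i, (a, b) in enumerate(zip(name, legit)) if a != b]
    if len(diffs) == 1:
        return True
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and name[diffs[0]] == legit[diffs[1]]
            and name[diffs[1]] == legit[diffs[0]])


def triage(log: str) -> list[Finding]:
    """Apply the three heuristics to a HijackThis log and return what they flag."""
    findings = []
    for sec, rest in parse(log):
        if sec == "F2" and "Shell=" in rest:
            # The Winlogon Shell value should be Explorer.exe alone; anything
            # appended is started at every logon alongside the desktop.
            value = rest.split("Shell=", 1)[1]
            for extra in (t for t in value.split() if t.lower() != "explorer.exe"):
                findings.append(Finding(sec, "extra program in Winlogon Shell value", extra))
        elif sec == "O4":
            m = O4_RE.match(rest)
            if not m:
                continue
            prog = first_token(m.group("cmd"))
            exe = basename(prog)
            for legit in sorted(SYSTEM_BINARIES):
                if is_lookalike(exe, legit):
                    findings.append(Finding(sec, f"look-alike of system binary {legit}", prog))
            if "Startup" in m.group("loc") and "\\" not in prog:
                # A bare .exe dropped into a Startup folder has no vendor path to vouch for it.
                findings.append(Finding(sec, "bare executable in Startup folder", prog))
        elif sec == "O7" and "DisableRegedit=1" in rest:
            findings.append(Finding(sec, "registry editor disabled by policy", "DisableRegedit=1"))
    return findings


def flagged_paths(findings: list[Finding]) -> set[str]:
    """Absolute paths among the findings: a starting point for a removal list."""
    return {f.target for f in findings if re.match(r"^[A-Za-z]:\\", f.target)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:3} {f.reason:45} {f.target}")
```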
  • edited October 2007
    ok... did it


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:10:10 PM, on 10/4/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\PnkBstrA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
    C:\Program Files\Trend Micro\HijackThis\HJT.exe

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
    O4 - HKUS\S-1-5-18\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: findfast.exe
    O4 - Global Startup: autorun.exe
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe

    --
    End of file - 6952 bytes
  • VekaVeka Finland
    edited October 2007
    Let's try...

    Stop autorun.exe process
    • Press Ctrl + Alt + Delete.
    • Select Processes tab
    • Find and select autorun.exe
    • Click the End Process button.
    Next, run HijackThis and click Do system scan only. When the scan is complete, check the following entries:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
    O4 - Global Startup: autorun.exe
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


    After that,
    • Double-click Killbox.exe to run it.
    • Select "Delete on reboot" and then Single File.
    • Copy the file path below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
    • Return to Killbox, and paste the file path into the "Full Path of File to Delete" box.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    • Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    Send fresh HijackThis log. :)
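    As an added example (not part of the forum post, and not a HijackThis feature), a small Python triage of the log lines quoted above that encodes why they stand out: an F2 Shell= value that starts anything besides Explorer.exe, an O4 entry whose file name imitates a system binary (spoolvs.exe vs spoolsv.exe), a bare executable in a Startup folder rather than a .lnk shortcut, and an O7 policy that disables regedit. The allow-list of system binaries and the 0.85 similarity threshold are assumptions chosen for the demo.

```python
"""Triage a HijackThis log for the persistence patterns flagged in this thread.

Added example; not part of the forum post or of HijackThis. The input lines
are copied from the log posted above. KNOWN_SYSTEM_BINARIES and the 0.85
similarity threshold are assumptions chosen for the demo.
"""
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Legitimate Windows binaries whose names malware imitates (spoolvs.exe vs
# spoolsv.exe in this log). Assumption: a small allow-list for the example.
KNOWN_SYSTEM_BINARIES = {"spoolsv.exe", "explorer.exe", "svchost.exe",
                         "lsass.exe", "winlogon.exe", "services.exe"}

# Lines copied from the HijackThis log posted in the thread.
HJT_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def _basename(path: str) -> str:
    """Last path component, lower-cased, surrounding quotes removed."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def shell_extra_programs(line: str) -> List[str]:
    """Programs an F2 Shell= value starts besides Explorer.exe (there should be none)."""
    m = re.search(r"Shell=(.+)$", line)
    if not m:
        return []
    return [p for p in m.group(1).split() if _basename(p) != "explorer.exe"]


def lookalike_of(name: str) -> Optional[str]:
    """Known system binary that `name` imitates, e.g. spoolvs.exe -> spoolsv.exe."""
    name = name.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    for known in sorted(KNOWN_SYSTEM_BINARIES):
        if SequenceMatcher(None, name, known).ratio() >= 0.85:
            return known
    return None


def run_key_executable(line: str) -> Optional[str]:
    """Executable launched by an O4 Run-key entry of the form '[name] command'."""
    m = re.match(r"O4 - HK.*?: \[[^\]]*\] (.+)$", line)
    if not m:
        return None
    cmd = m.group(1)
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def bare_startup_executable(line: str) -> Optional[str]:
    """Executable dropped straight into a Startup folder (legit entries are .lnk shortcuts)."""
    m = re.match(r"O4 - (?:Global )?Startup: (.+)$", line)
    if m and m.group(1).lower().endswith(".exe") and " = " not in m.group(1):
        return m.group(1)
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for entries that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 -"):
            for prog in shell_extra_programs(line):
                findings.append((line, f"extra shell program: {prog}"))
        elif line.startswith("O4 -"):
            exe = run_key_executable(line)
            known = lookalike_of(_basename(exe)) if exe else None
            if known:
                findings.append((line, f"name imitates {known}"))
            startup = bare_startup_executable(line)
            if startup:
                findings.append((line, f"bare executable in Startup folder: {startup}"))
        elif line.startswith("O7 -") and "DisableRegedit=1" in line:
            findings.append((line, "Registry Editor disabled by policy"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(HJT_LOG):
        print(f"{reason}\n    {entry}")
```

    Note that printer.exe is caught by none of these rules; a plausible-looking name in System32 is settled by a file-reputation check, which is what the VirusTotal step later in the thread is for.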
  • edited October 2007
    vekarppe wrote:
    Let's try...

    Stop autorun.exe process
    • Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    Send fresh HijackThis log. :)

    autorun.exe wasn't there. And that prompt did pop up, but it didn't automatically reboot so I did it from the Start menu.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:08:36 PM, on 10/6/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\PnkBstrA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Nick\Start Menu\Programs\Startup\findfast.exe
    C:\Program Files\Trend Micro\HijackThis\HJT.exe

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
    O4 - HKUS\S-1-5-18\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: findfast.exe
    O4 - Global Startup: autorun.exe
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe

    --
    End of file - 6948 bytes
  • VekaVeka Finland
    edited October 2007
    Dang! They are back.

    Please do the following:
    • Go to www.virustotal.com.
    • Upload this file by copying and pasting the file path into the file box

      C:\Documents and Settings\Nick\Start Menu\Programs\Startup\findfast.exe

    • Submit the file and copy and paste the results back into this thread.
  • edited October 2007
    vekarppe wrote:
    Dang! They are back.

    Please do the following:
    • Go to www.virustotal.com.
    • Upload this file by copying and pasting the file path into the file box

      C:\Documents and Settings\Nick\Start Menu\Programs\Startup\findfast.exe

    • Submit the file and copy and paste the results back into this thread.

    told you that site doesn't load.
  • VekaVeka Finland
    edited October 2007
    Oh, well please try this site

    http://virusscan.jotti.org/
  • edited October 2007
    vekarppe wrote:
    Oh, well please try this site

    http://virusscan.jotti.org/

    sorry, doesn't work either.
  • VekaVeka Finland
    edited October 2007
    No panic. It seems that the problem is in the HOSTS file.
    Let's try this...
    • Open the following file using NOTEPAD:

      C:\Windows\system32\drivers\etc\HOSTS

    • Delete all entries under 127.0.0.1 localhost.
    • Click File and Save As.
    • Choose Save as Type "All files".
    • Save file as hosts (without any file extension).
    • Click Save.
    After that,
    • Go to www.virustotal.com.
    • Upload this file by copying and pasting the file path into the file box

      C:\Documents and Settings\Nick\Start Menu\Programs\Startup\findfast.exe

    • Submit the file and copy and paste the results back into this thread.
    Please let me know if there are still problems.
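    An added example (not from the forum post) of auditing a HOSTS file for this kind of hijack in Python: any name mapped to a non-loopback address is worth a look, security-vendor and update sites all mapped to one shared address are the signature, and the cleanup keeps exactly what the instruction above keeps. The sample file content and the SECURITY_SITE_MARKERS list are constructed for the demo, using the redirect address and domains that appear later in this thread.

```python
"""Audit a Windows HOSTS file for a hijack that blocks AV/update sites.

Added example, not part of the forum post. SAMPLE_HOSTS is constructed for
the demo (it mirrors the entries posted later in the thread) and
SECURITY_SITE_MARKERS is an assumed list of vendor/update name fragments.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Assumption for the example: name fragments identifying AV and update
# sites a blocker would want to cut off, taken from domains in this thread.
SECURITY_SITE_MARKERS = (
    "virustotal", "jotti", "symantec", "mcafee", "kaspersky", "grisoft",
    "avast", "trendmicro", "sophos", "f-secure", "pandasoftware",
    "microsoft.com",
)

# Constructed sample in Windows HOSTS format (comments, inline comments,
# and one non-loopback address absorbing many names).
SAMPLE_HOSTS = """\
# constructed sample, not a real machine's file
127.0.0.1       localhost
10.18.250.4 windowsupdate.microsoft.com
10.18.250.4 www.virustotal.com  # online scanner
10.18.250.4 virusscan.jotti.org
10.18.250.4 liveupdate.symantec.com
10.18.250.4 ad.doubleclick.net
"""

Entry = Tuple[str, str]  # (address, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """One (address, hostname) pair per name; comments and blank lines skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)  # skip lines that are not "address names..."
        except ValueError:
            continue
        entries.extend((addr, n.lower()) for n in names)
    return entries


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1, the only targets a clean file should use."""
    return ipaddress.ip_address(addr).is_loopback


def looks_like_security_site(host: str) -> bool:
    """Does the hostname belong to an AV vendor, scanner or update service?"""
    return any(marker in host for marker in SECURITY_SITE_MARKERS)


def suspicious_entries(entries: List[Entry]) -> List[Tuple[str, str, bool]]:
    """Non-loopback mappings as (addr, host, is_security_site); the flag ranks them."""
    return [(addr, host, looks_like_security_site(host))
            for addr, host in entries if not is_loopback(addr)]


def sinkhole_addresses(entries: List[Entry], min_names: int = 3) -> Dict[str, int]:
    """Non-loopback addresses that absorb many hostnames: the hijack's signature."""
    counts = Counter(addr for addr, _ in entries if not is_loopback(addr))
    return {addr: n for addr, n in counts.items() if n >= min_names}


def cleaned_hosts(text: str) -> str:
    """Keep comments and loopback lines only, as the instruction above does."""
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            kept.append(raw)
            continue
        try:
            if is_loopback(line.split()[0]):
                kept.append(raw)
        except ValueError:
            kept.append(raw)  # unparsable lines are left for a human to judge
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    found = parse_hosts(SAMPLE_HOSTS)
    for addr, host, security in suspicious_entries(found):
        print(f"{'!!' if security else '  '} {host} -> {addr}")
    print("sinkhole addresses:", sinkhole_addresses(found))
    print(cleaned_hosts(SAMPLE_HOSTS))
```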
  • edited October 2007
    vekarppe wrote:
    • Delete all entries under 127.0.0.1 localhost.

    the only IP listed is 10.18.250.4
  • VekaVeka Finland
    edited October 2007
    Please, download SDFix.exe and save it to your desktop.
    Double click SDFix.exe and choose Install to extract it to its own folder.

    Step 1

    Reboot computer in Safe Mode
    • Restart your computer.
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
    • Instead of Windows loading as normal, a menu with options should appear.
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Step 2

    Run SDFix in Safe Mode
    • Open the extracted SDFix folder ( C:\SDFix ) and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
    Step 3

    Run Combofix
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you.
    • Save the log to your desktop.
    Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.

    Step 4

    Please copy the whole content of your HOSTS file, and post (paste) it to me along with a fresh HijackThis log, SDfix log, and combofix log.
  • edited October 2007
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:18:29 PM, on 10/18/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\PnkBstrA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Nick\Start Menu\Programs\Startup\findfast.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HJT.exe

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
    O4 - HKUS\S-1-5-18\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: findfast.exe
    O4 - Global Startup: autorun.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe

    --
    End of file - 6854 bytes

    Hosts:

    10.18.250.4 ad.doubleclick.net
    10.18.250.4 ad.fastclick.net
    10.18.250.4 ads.fastclick.net
    10.18.250.4 ar.atwola.com
    10.18.250.4 atdmt.com
    10.18.250.4 avp.ch
    10.18.250.4 avp.com
    10.18.250.4 avp.ru
    10.18.250.4 awaps.net
    10.18.250.4 banner.fastclick.net
    10.18.250.4 banners.fastclick.net
    10.18.250.4 ca.com
    10.18.250.4 click.atdmt.com
    10.18.250.4 clicks.atdmt.com
    10.18.250.4 customer.symantec.com
    10.18.250.4 dispatch.mcafee.com
    10.18.250.4 download.mcafee.com
    10.18.250.4 download.microsoft.com
    10.18.250.4 downloads-us1.kaspersky-labs.com
    10.18.250.4 downloads-us2.kaspersky-labs.com
    10.18.250.4 downloads-us3.kaspersky-labs.com
    10.18.250.4 downloads.microsoft.com
    10.18.250.4 downloads1.kaspersky-labs.com
    10.18.250.4 downloads2.kaspersky-labs.com
    10.18.250.4 downloads3.kaspersky-labs.com
    10.18.250.4 downloads4.kaspersky-labs.com
    10.18.250.4 engine.awaps.net
    10.18.250.4 f-secure.com
    10.18.250.4 fastclick.net
    10.18.250.4 ftp.avp.ch
    10.18.250.4 ftp.downloads1.kaspersky-labs.com
    10.18.250.4 ftp.downloads2.kaspersky-labs.com
    10.18.250.4 ftp.downloads3.kaspersky-labs.com
    10.18.250.4 ftp.f-secure.com
    10.18.250.4 ftp.kasperskylab.ru
    10.18.250.4 ftp.sophos.com
    10.18.250.4 go.microsoft.com
    10.18.250.4 ids.kaspersky-labs.com
    10.18.250.4 kaspersky-labs.com
    10.18.250.4 kaspersky.com
    10.18.250.4 liveupdate.symantec.com
    10.18.250.4 liveupdate.symantecliveupdate.com
    10.18.250.4 mast.mcafee.com
    10.18.250.4 mcafee.com
    10.18.250.4 media.fastclick.net
    10.18.250.4 microsoft.com
    10.18.250.4 msdn.microsoft.com
    10.18.250.4 my-etrust.com
    10.18.250.4 nai.com
    10.18.250.4 networkassociates.com
    10.18.250.4 norton.com
    10.18.250.4 office.microsoft.com
    10.18.250.4 pandasoftware.com
    10.18.250.4 phx.corporate-ir.net
    10.18.250.4 rads.mcafee.com
    10.18.250.4 secure.nai.com
    10.18.250.4 securityresponse.symantec.com
    10.18.250.4 service1.symantec.com
    10.18.250.4 sophos.com
    10.18.250.4 spd.atdmt.com
    10.18.250.4 support.microsoft.com
    10.18.250.4 symantec.com
    10.18.250.4 trendmicro.com
    10.18.250.4 update.symantec.com
    10.18.250.4 updates.symantec.com
    10.18.250.4 updates1.kaspersky-labs.com
    10.18.250.4 updates2.kaspersky-labs.com
    10.18.250.4 updates3.kaspersky-labs.com
    10.18.250.4 updates4.kaspersky-labs.com
    10.18.250.4 updates5.kaspersky-labs.com
    10.18.250.4 us.mcafee.com
    10.18.250.4 vil.nai.com
    10.18.250.4 viruslist.com
    10.18.250.4 viruslist.ru
    10.18.250.4 virusscan.jotti.org
    10.18.250.4 virustotal.com
    10.18.250.4 windowsupdate.microsoft.com
    10.18.250.4 www.avp.ch
    10.18.250.4 www.avp.com
    10.18.250.4 www.avp.ru
    10.18.250.4 www.awaps.net
    10.18.250.4 www.ca.com
    10.18.250.4 www.f-secure.com
    10.18.250.4 www.fastclick.net
    10.18.250.4 www.grisoft.com
    10.18.250.4 www.kaspersky-labs.com
    10.18.250.4 www.kaspersky.com
    10.18.250.4 www.kaspersky.ru
    10.18.250.4 www.mcafee.com
    10.18.250.4 www.microsoft.com
    10.18.250.4 www.my-etrust.com
    10.18.250.4 www.nai.com
    10.18.250.4 www.networkassociates.com
    10.18.250.4 www.pandasoftware.com
    10.18.250.4 www.sophos.com
    10.18.250.4 www.symantec.com
    10.18.250.4 www.trendmicro.com
    10.18.250.4 www.viruslist.com
    10.18.250.4 www.viruslist.ru
    10.18.250.4 www.virustotal.com

    SDFix: Version 1.106

    Run by Administrator on Thu 10/18/2007 at 04:52 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Killing PID 868 'shell.exe'

    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe - Deleted
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe - Deleted
    C:\WINDOWS\shell.exe - Deleted
    C:\WINDOWS\system32\printer.exe - Deleted
    C:\WINDOWS\system32\spoolvs.exe - Deleted

    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.

    Final Check:

    Remaining Services:


    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\Joanne\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Joanne\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
    "%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\Amy\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Amy\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\Nick\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Nick\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\Joanne\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Joanne\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
    "%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\Amy\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Amy\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\Nick\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Nick\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"

    Remaining Files:

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll
    C:\Program Files\Common Files\aolshare\shell\us\shellext.dll
    C:\Program Files\America Online 8.0\aolphx.exe
    C:\Program Files\America Online 8.0\aoltray.exe
    C:\Program Files\America Online 8.0\RBM.exe
    C:\Program Files\America Online 8.0\waol.exe
    C:\Program Files\America Online 8.0\COMIT\cswitch.exe
    C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe
    C:\Documents and Settings\Joanne\Application Data\Microsoft\Templates\~WRL0674.tmp
    C:\Documents and Settings\Joanne\Application Data\Microsoft\Templates\~WRL0772.tmp
    C:\Documents and Settings\Joanne\Application Data\Microsoft\Templates\~WRL1698.tmp
    C:\Documents and Settings\Joanne\Application Data\Microsoft\Templates\~WRL1895.tmp
    C:\Documents and Settings\Joanne\Application Data\Microsoft\Templates\~WRL2129.tmp
    C:\Documents and Settings\Joanne\Application Data\Microsoft\Templates\~WRL2739.tmp
    C:\Documents and Settings\Joanne\Application Data\Microsoft\Templates\~WRL2973.tmp
    C:\Documents and Settings\Joanne\Application Data\Microsoft\Templates\~WRL2991.tmp
    C:\Documents and Settings\Joanne\Application Data\Microsoft\Templates\~WRL3745.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0005.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0279.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0284.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0289.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0299.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0437.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0614.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0711.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0733.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0780.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0834.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0902.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL0990.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL1108.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL1292.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL1442.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL1456.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL1630.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL1941.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL2064.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL2108.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL2416.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL2725.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL2797.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL2918.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL3227.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL3269.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL3292.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL3710.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL3764.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL3863.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL3876.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL3911.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL3913.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL4003.tmp
    C:\Documents and Settings\Joanne\My Documents\~WRL4070.tmp
    C:\Documents and Settings\Joanne\My Documents\Flairs 06-07\~WRL0370.tmp
    C:\Documents and Settings\Joanne\My Documents\Flairs 06-07\~WRL1217.tmp
    C:\Documents and Settings\Joanne\My Documents\Flairs 06-07\~WRL1309.tmp
    C:\Documents and Settings\Joanne\My Documents\Flairs 06-07\~WRL1680.tmp
    C:\Documents and Settings\Joanne\My Documents\Flairs 06-07\~WRL2262.tmp
    C:\Documents and Settings\Joanne\My Documents\Flairs 06-07\~WRL2674.tmp
    C:\Documents and Settings\Joanne\My Documents\Flairs 06-07\~WRL3727.tmp
    C:\Documents and Settings\Joanne\My Documents\Flairs 06-07\~WRL3956.tmp
    C:\Documents and Settings\Nick\Application Data\Microsoft\Templates\~WRL0004.tmp
    C:\Documents and Settings\Nick\Application Data\Microsoft\Templates\~WRL0870.tmp
    C:\Documents and Settings\Nick\Application Data\Microsoft\Word\~WRL3427.tmp

    Finished!

    ComboFix 07-10-17.8@ - Nick 2007-10-18 17:11:40.10 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.409 [GMT -5:00]
    Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
    C:\WINDOWS\shell.exe
    C:\WINDOWS\shell.exe
    C:\WINDOWS\system32\printer.exe
    C:\WINDOWS\system32\spoolvs.exe
    C:\WINDOWS\system32\spoolvs.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-09-18 to 2007-10-18 )))))))))))))))))))))))))))))))
    .

    2007-10-18 17:08 10,240 --a C:\WINDOWS\SYSTEM32\spoolvs.exe
    2007-10-18 17:08 10,240 --a C:\WINDOWS\SYSTEM32\printer.exe
    2007-10-18 17:08 10,240 --a C:\WINDOWS\shell.exe
    2007-10-10 21:14 <DIR> d C:\Documents and Settings\Nick\Application Data\U3
    2007-09-28 13:36 42,912 --a C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
    2007-09-28 13:35 94,416 --a C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
    2007-09-28 13:35 92,848 --a C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
    2007-09-28 13:35 26,624 --a C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
    2007-09-26 17:57 22,328 --a C:\WINDOWS\SYSTEM32\DRIVERS\PnkBstrK.sys
    2007-09-26 17:56 103,736 --a C:\WINDOWS\SYSTEM32\PnkBstrB.exe
    2007-09-26 17:56 66,872 --a C:\WINDOWS\SYSTEM32\PnkBstrA.exe
    2007-09-22 13:37 289,144 --a C:\WINDOWS\SYSTEM32\VCCLSID.exe
    2007-09-22 13:37 288,417 --a C:\WINDOWS\SYSTEM32\SrchSTS.exe
    2007-09-22 13:37 53,248 --a C:\WINDOWS\SYSTEM32\Process.exe
    2007-09-22 13:37 51,200 --a C:\WINDOWS\SYSTEM32\dumphive.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-18 21:22 d w C:\Program Files\mIRC
    2007-10-18 20:40 d w C:\Program Files\Call of Duty
    2007-10-12 03:52 d w C:\Program Files\Bodog Poker
    2007-10-06 04:01 d w C:\Documents and Settings\Nick\Application Data\uTorrent
    2007-09-26 15:53 3,634 ----a-w C:\WINDOWS\SYSTEM32\tmp.reg
    2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\SYSTEM32\aswBoot.exe
    2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\SYSTEM32\AVASTSS.scr
    2007-08-28 20:37 d w C:\Program Files\Yahoo! Games
    2007-08-28 20:15 d w C:\Program Files\Galactic Magnate
    2007-08-20 22:28 d w C:\Program Files\PokerStars
    2007-08-20 22:27 d w C:\Program Files\Alibre Design
    2007-08-20 22:26 d w C:\Program Files\DivX
    2007-08-10 21:54 4,974 ----a-w C:\dnsbak.reg
    2004-10-02 03:04:51 3,362 --sha-w C:\WINDOWS\ybpuh.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-12-10 04:06]
    "nwiz"="nwiz.exe" [2005-12-10 04:06 C:\WINDOWS\SYSTEM32\nwiz.exe]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-12 16:18]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-21 12:05]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2002-09-03 11:25]
    "IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 05:00]
    "MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-09-03 11:25]
    "PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-09-03 11:26]
    "PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-09-03 11:26]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 01:07]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-12-10 04:06]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-08-06 16:13]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
    "Printer"="C:\WINDOWS\System32\printer.exe" [2005-02-14 12:26]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 11:00]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 02:56]
    "Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
    "Spoolsv"="C:\WINDOWS\System32\spoolvs.exe" [2005-02-14 12:26]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "LDM"=\Program\BackWeb-8876480.exe

    C:\Documents and Settings\Amy\Start Menu\Programs\Startup\
    findfast.exe [2005-02-14 19:29:46]

    C:\Documents and Settings\Joanne\Start Menu\Programs\Startup\
    findfast.exe [2005-02-20 00:33:58]

    C:\Documents and Settings\Nick\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-18 16:05:28]
    findfast.exe [2005-02-22 07:28:29]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
    backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^HotSync Manager.lnk]
    path=C:\Documents and Settings\Steve\Start Menu\Programs\Startup\HotSync Manager.lnk
    backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^UMAX VistaAccess.lnk]
    path=C:\Documents and Settings\Steve\Start Menu\Programs\Startup\UMAX VistaAccess.lnk
    backup=C:\WINDOWS\pss\UMAX VistaAccess.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
    "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
    BCMSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
    C:\WINDOWS\System32\DSentry.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\System32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\System32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
    C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
    C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    \Program\BackWeb-8876480.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
    Logi_MwX.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
    C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
    "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
    ????

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    "c:\progra~1\valve\steam\steam.exe" -silent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
    "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
    "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
    RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WinToolsSvc"=2 (0x2)
    "WANMiniportService"=2 (0x2)
    "Pml Driver HPZ12"=3 (0x3)
    "MCVSRte"=2 (0x2)
    "mcupdmgr.exe"=3 (0x3)
    "McShield"=3 (0x3)

    R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
    R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
    R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
    R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\System32\DRIVERS\BCMSM.sys
    R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
    S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
    S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\System32\Drivers\LCcFltr.Sys
    S3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys
    S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\System32\Drivers\StMp3Rec.sys
    S3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\System32\DRIVERS\UltraMonMirror.sys
    S4 Windows VisFx Components;Windows VisFx Components;C:\WINDOWS\xmjdsvc.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2003-12-12 04:36:05 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1059795327.job"
    "2007-10-18 22:10:00 C:\WINDOWS\Tasks\McAfee.com Update Check (D6C4V331-Owner).job"
    - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
    "2007-10-18 22:14:00 C:\WINDOWS\Tasks\McAfee.com Update Check (OFFICESTUDY-Amy).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-10-18 22:11:00 C:\WINDOWS\Tasks\McAfee.com Update Check (OFFICESTUDY-Joanne).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-10-18 22:12:00 C:\WINDOWS\Tasks\McAfee.com Update Check (OFFICESTUDY-Kim).job"
    "2007-10-18 22:10:00 C:\WINDOWS\Tasks\McAfee.com Update Check (OFFICESTUDY-Nick).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-10-18 22:13:00 C:\WINDOWS\Tasks\McAfee.com Update Check (OFFICESTUDY-Steve).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-10-18 22:12:00 C:\WINDOWS\Tasks\McAfee.com Update Check (UPSTAIRSCOMPUTE-Amy).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-10-18 22:13:00 C:\WINDOWS\Tasks\McAfee.com Update Check (UPSTAIRSCOMPUTE-Joanne).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-10-18 22:12:00 C:\WINDOWS\Tasks\McAfee.com Update Check (UPSTAIRSCOMPUTE-Kim).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-10-18 22:13:00 C:\WINDOWS\Tasks\McAfee.com Update Check (UPSTAIRSCOMPUTE-Nick).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2003-12-12 04:37:11 C:\WINDOWS\Tasks\WebReg 20031211223711.job"
    - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-18 17:14:40
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-10-18 17:15:50
    C:\ComboFix-quarantined-files.txt ... 2007-10-10 15:12
    C:\ComboFix2.txt ... 2007-10-10 15:13
    C:\ComboFix3.txt ... 2007-10-03 13:43
    .
    --- E O F ---