
Internet and computer down!

To start off, I have no anti-virus software on my computer and no firewall. I'm generally good at avoiding situations where it's needed at all, and went like this for years. I was browsing on Internet Explorer, just to remind myself why I hated it (I've used Firefox since its inception) and voila, got myself a platter of viruses.

I do have Ad-Aware SE and scanned a few times in safe mode, which got rid of a couple hundred things, but the problem is I can no longer connect to the internet at all on my computer. Also, whenever I try to get on without Safe Mode I can get to the desktop (usually), but Services.exe runs at 100% and I can't do ANYTHING (I've tried installing Norton, etc., to no avail). So I'm stuck in safe mode, without internet, and I can't think of any options at the moment. Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:00:29 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Safe mode

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\Documents and Settings\Administrator\Application Data\U3\00001557D860B125\LaunchPad.exe
E:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe
E:\WINDOWS\system32\ctfmon.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://htepo.com/cehpmoin/?cmp=hmr&lid=5_1&gai=hamm_h4_pop&gli=pop_1&affid=68089&nid=h4&uid=f8075f49
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: qiawpbjj.msdn_hlp - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - E:\WINDOWS\system32\qiawpbjj.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {0DBC8C01-05C0-452B-58BE-CE96FE520B72} - (no file)
O2 - BHO: (no name) - {266f5bb8-aa10-454c-a021-7ea7c0712fe4} - E:\WINDOWS\system32\kaioesw.dll
O2 - BHO: (no name) - {2A8C2C57-93A7-0675-5A40-098909C6F6CC} - E:\Program Files\Nodrqkjo\iejnsqru.dll (file missing)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {37C39123-5ED3-472E-90C5-5A960BB4F182} - E:\Program Files\Internet Explorer\horeforec83122.dll (file missing)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {5D32219E-1571-40C9-9E64-2E0DEF408469} - E:\Program Files\Internet Explorer\horeforec4444.dll (file missing)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {6AE7F116-2E51-440D-BABB-9E7CCAEC881F} - E:\Program Files\Internet Explorer\horeforec555077.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - E:\WINDOWS\system32\yayxyxy.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - E:\WINDOWS\system32\cwkovxiv.dll
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - E:\WINDOWS\system32\igotsovh.dll
O2 - BHO: (no name) - {B66A3361-38B4-4895-A5CD-E03AFEA50D7E} - E:\WINDOWS\system32\awvtt.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - E:\WINDOWS\system32\bronto.dll
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - E:\Program Files\E404 Helper\e404.v1.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - E:\WINDOWS\system32\igotsovh.dll
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - E:\PROGRA~1\PACIFI~1\pacificpoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127266059866
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C2AC9C1-313B-4D54-9740-178F7E21FD32}: NameServer = 85.255.115.68,85.255.112.171
O17 - HKLM\System\CCS\Services\Tcpip\..\{730AD8DC-9E50-4A6B-8ED4-6FFCFFCEFDB7}: NameServer = 85.255.115.68,85.255.112.171
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.171
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.171
O20 - AppInit_DLLs: E:\WINDOWS\system32\skuns.dat
O20 - Winlogon Notify: igotsovh - E:\WINDOWS\SYSTEM32\igotsovh.dll
O20 - Winlogon Notify: winrkp32 - E:\WINDOWS\SYSTEM32\winrkp32.dll
O20 - Winlogon Notify: yayxyxy - E:\WINDOWS\SYSTEM32\yayxyxy.dll
O20 - Winlogon Notify: __c007BCA1 - E:\WINDOWS\system32\__c007BCA1.dat
O21 - SSODL: VzBAB - {F8075F4A-52AD-F5E0-7426-BEB4C599B277} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - E:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - E:\WINDOWS\System32\browseui.dll
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6536 bytes


One thing I did notice is that I got the "antispyware" virus where it spams my computer with pop ups telling me I have a virus or trojan and to "click here" to get antivirus software... while it's mildly amusing, the fact that it runs during Safe Mode freaks me out.

I have windows XP with SP 2.
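The log above is the kind of listing a removal helper reads by eye before deciding which lines get ticked for "Fix checked": a redirected ShellNext URL, a missing URLSearchHook, orphaned BHOs, a toolbar loading from system32, hard-coded nameservers, a non-empty AppInit_DLLs, and Winlogon Notify packages nobody installed. The Python script below is an added example for this thread, not code from the original post or from HijackThis; it encodes those rules and runs them over lines copied from the log, plus one constructed benign WgaLogon line as a control. The TRUSTED_DNS and KNOWN_NOTIFY sets are assumptions for the example, not authoritative lists.

```python
"""Triage a HijackThis log the way a removal helper does by eye, and list
the entries that would be ticked for "Fix checked" with a reason.
Added example for this thread, not code from the original post or from
HijackThis itself.  TRUSTED_DNS and KNOWN_NOTIFY are assumptions."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "kind body line")
Finding = namedtuple("Finding", "kind reason line")

# Resolvers the owner expects.  A home XP box normally takes its resolvers
# from DHCP, so a hard-coded NameServer the owner never set is suspect.
# Assumed value; put the real ISP/router addresses here for a real log.
TRUSTED_DNS = {"192.168.1.1"}

# Winlogon Notify packages that ship with XP SP2 or common vendor software
# (assumed, incomplete list).  Anything else is a DLL loaded into
# winlogon.exe at every logon, which is why the O20 lines matter.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
                "igfxcui", "atiextevent", "dimsntfy"}

HJT_LINE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_HOST = re.compile(r"https?://([^/\s]+)")


def parse_hjt(text):
    """Return one Entry per R*/O* line; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2), raw.strip()))
    return entries


def triage(entries, trusted_dns=TRUSTED_DNS, known_notify=KNOWN_NOTIFY):
    """Apply the helper's rules; return a Finding for every entry to fix."""
    findings = []
    for e in entries:
        lower = e.body.lower()
        reason = None
        if e.kind in ("R0", "R1"):
            m = URL_HOST.search(lower)
            if m and not m.group(1).endswith(("microsoft.com", "msn.com")):
                reason = "start/search URL points at " + m.group(1)
        elif e.kind == "R3" and "missing" in lower:
            reason = "default URLSearchHook removed"
        elif e.kind in ("O2", "O3", "O21"):
            if "(no file)" in lower or "(file missing)" in lower:
                reason = "orphaned COM registration, file already gone"
            elif "(no name)" in lower and "\\system32\\" in lower:
                reason = "unnamed BHO/object loading from system32"
            elif e.kind == "O3" and "\\system32\\" in lower:
                reason = "toolbar DLL in system32 (real toolbars live under Program Files)"
        elif e.kind == "O17":
            rogue = [ip for ip in IPV4.findall(e.body) if ip not in trusted_dns]
            if rogue:
                reason = "DNS resolvers hijacked: " + ", ".join(rogue)
        elif e.kind == "O20":
            if lower.startswith("appinit_dlls:") and lower.split(":", 1)[1].strip():
                reason = "AppInit_DLLs injects a DLL into every user-mode process"
            elif lower.startswith("winlogon notify:"):
                package = lower.split(":", 1)[1].split(" - ", 1)[0].strip()
                if package not in known_notify:
                    reason = "unknown Winlogon Notify package " + package
        if reason:
            findings.append(Finding(e.kind, reason, e.line))
    return findings


# Lines copied from the log above, plus one constructed benign WgaLogon
# line as a control so the Winlogon Notify rule has something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://htepo.com/cehpmoin/?cmp=hmr
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {266f5bb8-aa10-454c-a021-7ea7c0712fe4} - E:\WINDOWS\system32\kaioesw.dll
O2 - BHO: (no name) - {37C39123-5ED3-472E-90C5-5A960BB4F182} - E:\Program Files\Internet Explorer\horeforec83122.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - E:\WINDOWS\system32\igotsovh.dll
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.171
O20 - AppInit_DLLs: E:\WINDOWS\system32\skuns.dat
O20 - Winlogon Notify: igotsovh - E:\WINDOWS\SYSTEM32\igotsovh.dll
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print("%-4s %-60s %s" % (f.kind, f.reason, f.line))
```

Feed it a whole saved log and the output is the checklist; the Adobe BHO, ctfmon, the WgaLogon control and the iPod service are left alone, while the eight hijack-related lines come out with the reason a helper would give for each.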

Comments

  • muulimuuli Finland
    edited November 2007
    Hi ArbysOvenMitt and Welcome to Icrontic :)

    Your log is very dirty :(

    But start the cleaning!

    Step 1

    Download the newest version of HijackThis and delete your existing version because it's out of date. You can download the newest version from here. Create a new folder named HijackThis on your local drive (E:) and move HijackThis.exe into that folder.

    Step 2

    WAREOUT

    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin;
    follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    At the end of the fix, you may need to restart your computer again.

    Post back the contents of the logfile C:\fixwareout\report.txt.

    Now lets check some settings on your system.
    (2000/XP) Only
    In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category, otherwise double-click on Network Connections. Then right-click on your default connection (usually Local Area Connection for cable and DSL) and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
    Press OK twice to get out of the properties screen and reboot if it asks.
    That option might not be available on some systems.

    Step 3

    Please download SmitfraudFix (by S!Ri)

    Double-click SmitfraudFix.exe.
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm

    Step 4

    1. Download combofix from one of these links:
    Link1
    Link2
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall


    Step 5

    Open HijackThis, press Do a system scan only, checkmark these lines:
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://htepo.com/cehpmoin/?cmp=hmr&l...4&uid=f8075f49
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
    O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
    O2 - BHO: 0 - {0DBC8C01-05C0-452B-58BE-CE96FE520B72} - (no file)
    O2 - BHO: (no name) - {2A8C2C57-93A7-0675-5A40-098909C6F6CC} - E:\Program Files\Nodrqkjo\iejnsqru.dll (file missing)
    O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
    O2 - BHO: (no name) - {37C39123-5ED3-472E-90C5-5A960BB4F182} - E:\Program Files\Internet Explorer\horeforec83122.dll (file missing)
    O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
    O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
    O2 - BHO: (no name) - {5D32219E-1571-40C9-9E64-2E0DEF408469} - E:\Program Files\Internet Explorer\horeforec4444.dll (file missing)
    O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
    O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
    O2 - BHO: (no name) - {6AE7F116-2E51-440D-BABB-9E7CCAEC881F} - E:\Program Files\Internet Explorer\horeforec555077.dll (file missing)
    O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - (no file)
    O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
    O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
    O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
    O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
    O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
    O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
    O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
    O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
    O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - E:\Program Files\E404 Helper\e404.v1.dll (file missing)
    Then close all windows and press Fix checked.

    Step 6

    Try to boot your computer to normal mode, and tell me how it is working :)

    And Please post a fresh HijackThis log, FixWareout log, Smitfraudfix log and Combofix log :)

    Note: use the newest version of HijackThis when scanning.
  • edited November 2007
    Hey, I did the steps and here are the logs of each run-through for the first time.

    Username "Administrator" - 11/03/2007 21:36:59 [Fixwareout edited 9/01/2007]

    ~~~~~ Prerun check

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    "nameserver"="85.255.115.68 85.255.112.171" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1C2AC9C1-313B-4D54-9740-178F7E21FD32}
    "nameserver"="85.255.115.68,85.255.112.171" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{730AD8DC-9E50-4A6B-8ED4-6FFCFFCEFDB7}
    "nameserver"="85.255.115.68,85.255.112.171" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1AA3325F-78EF-4EC6-B7E8-D5D67CD015BA}
    "DhcpNameServer"="85.255.115.68,85.255.112.171" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1C2AC9C1-313B-4D54-9740-178F7E21FD32}
    "DhcpNameServer"="85.255.115.68,85.255.112.171" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{730AD8DC-9E50-4A6B-8ED4-6FFCFFCEFDB7}
    "DhcpNameServer"="85.255.115.68,85.255.112.171" <Value cleared.


    System was rebooted successfully.

    ~~~~~ Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "System"=""
    ....
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
    E:\WINDOWS\System32\mzvzo.exe Deleted
    ....
    ~~~~~ Misc files.
    E:\WINDOWS\System32\kernel32.exe Deleted
    ....
    ~~~~~ Checking for older varients.
    ....

    ~~~~~ Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSConfig"="E:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="E:\\WINDOWS\\system32\\ctfmon.exe"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it...
    ~~~~~ End report ~~~~~



    SmitFraudFix v2.247

    Scan done at 21:43:56.03, Sat 11/03/2007
    Run from E:\Documents and Settings\Administrator\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» E:\


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32

    E:\WINDOWS\system32\bronto.dll FOUND !
    E:\WINDOWS\system32\proper.exe FOUND !
    E:\WINDOWS\system32\skuns.dat FOUND !
    E:\WINDOWS\system32\winter.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\Administrator


    »»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\Administrator\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» E:\DOCUME~1\ADMINI~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» E:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="E:\\WINDOWS\\system32\\skuns.dat"


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CS3\Services\Tcpip\..\{1AA3325F-78EF-4EC6-B7E8-D5D67CD015BA}: DhcpNameServer=85.255.115.68,85.255.112.171
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{1C2AC9C1-313B-4D54-9740-178F7E21FD32}: DhcpNameServer=85.255.115.68,85.255.112.171
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{1C2AC9C1-313B-4D54-9740-178F7E21FD32}: NameServer=85.255.115.68,85.255.112.171
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{730AD8DC-9E50-4A6B-8ED4-6FFCFFCEFDB7}: DhcpNameServer=85.255.115.68,85.255.112.171
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{730AD8DC-9E50-4A6B-8ED4-6FFCFFCEFDB7}: NameServer=85.255.115.68,85.255.112.171
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.115.68 85.255.112.171


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End





    ComboFix 07-11-01.1 - Administrator 2007-11-03 21:46:29.1 - NTFSx86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.813 [GMT -5:00]
    Running from: E:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    E:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
    E:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
    E:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
    E:\Documents and Settings\All Users.\documents\settings
    E:\Documents and Settings\All Users.\documents\settings\desktop.ini
    E:\Documents and Settings\All Users\Application Data.\mdqpituh.dll
    E:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
    E:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
    E:\Documents and Settings\Freshly\Application Data\install.dat
    E:\Documents and Settings\Freshly\Desktop\bravesentry.lnk
    E:\Documents and Settings\Freshly\Desktop\Live Safety Center.lnk
    E:\Documents and Settings\Freshly\Desktop\Online Security Guide.lnk
    E:\Documents and Settings\Freshly\Favorites\Online Security Guide.lnk
    E:\Documents and Settings\Freshly\Local Settings\Application Data\n.ini
    E:\Documents and Settings\Freshly\Start Menu\Programs\Brave-Sentry
    E:\Documents and Settings\Freshly\Start Menu\Programs\Brave-Sentry\BraveSentry.lnk
    E:\Documents and Settings\Freshly\Start Menu\Programs\Brave-Sentry\Uninstall.lnk
    E:\Documents and Settings\LocalService\Application Data\NetMon
    E:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
    E:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
    E:\Documents and Settings\NetworkService\Application Data\NetMon
    E:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
    E:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
    E:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
    E:\WINDOWS\b122.exe
    E:\WINDOWS\racle~1
    E:\WINDOWS\racle~1\?racle\
    E:\WINDOWS\system32\__c007BCA1.dat
    E:\WINDOWS\system32\__c00A4C63.dat
    E:\WINDOWS\system32\__c00AD202.dat
    E:\WINDOWS\system32\a13
    E:\WINDOWS\system32\aspimgr.exe
    E:\WINDOWS\system32\away.exe.exe
    E:\WINDOWS\system32\awvtt.dll
    E:\WINDOWS\system32\bicuoohm.ini
    E:\WINDOWS\system32\cwkovxiv.dll
    E:\WINDOWS\system32\dllh8jkd1q1.exe
    E:\WINDOWS\system32\dllh8jkd1q2.exe
    E:\WINDOWS\system32\dllh8jkd1q5.exe
    E:\WINDOWS\system32\dllh8jkd1q6.exe
    E:\WINDOWS\system32\dllh8jkd1q7.exe
    E:\WINDOWS\system32\dllh8jkd1q8.exe
    E:\WINDOWS\system32\drivers\4_stars.gif
    E:\WINDOWS\system32\drivers\5_stars.gif
    E:\WINDOWS\system32\drivers\alert_icon.gif
    E:\WINDOWS\system32\drivers\arrow.gif
    E:\WINDOWS\system32\drivers\asc3550p.sys
    E:\WINDOWS\system32\drivers\buy_btn.gif
    E:\WINDOWS\system32\drivers\close_icon.gif
    E:\WINDOWS\system32\drivers\core.cache.dsk
    E:\WINDOWS\system32\drivers\core.sys
    E:\WINDOWS\system32\drivers\detect.htm
    E:\WINDOWS\system32\drivers\download_btn.gif
    E:\WINDOWS\system32\drivers\features.gif
    E:\WINDOWS\system32\drivers\header_bg.gif
    E:\WINDOWS\system32\drivers\icon_warning.gif
    E:\WINDOWS\system32\drivers\Iwxa69.sys
    E:\WINDOWS\system32\drivers\logo_bg.gif
    E:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
    E:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
    E:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
    E:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
    E:\WINDOWS\system32\drivers\protect.gif
    E:\WINDOWS\system32\drivers\pt.htm
    E:\WINDOWS\system32\drivers\s_detect.htm
    E:\WINDOWS\system32\drivers\secuity_center_logo.gif
    E:\WINDOWS\system32\drivers\sfsync02.sys
    E:\WINDOWS\system32\drivers\spy_away_box.jpg
    E:\WINDOWS\system32\drivers\spy_away_box_small.jpg
    E:\WINDOWS\system32\drivers\spy_away_header.gif
    E:\WINDOWS\system32\drivers\spy_away_header_small.gif
    E:\WINDOWS\system32\drivers\symavc32.sys
    E:\WINDOWS\system32\drivers\users_rating.gif
    E:\WINDOWS\system32\drivers\v.gif
    E:\WINDOWS\system32\drivers\x.gif
    E:\WINDOWS\system32\drvfarr.dll
    E:\WINDOWS\system32\dwdsrngt.exe
    E:\WINDOWS\system32\e2
    E:\WINDOWS\system32\e2\caws83122.exe
    E:\WINDOWS\system32\g1
    E:\WINDOWS\system32\hrmfovhw.exe
    E:\WINDOWS\system32\i8
    E:\WINDOWS\system32\i8\taldrvr11.exe
    E:\WINDOWS\system32\igotsovh.dllbox
    E:\WINDOWS\system32\kaioesw.dll
    E:\WINDOWS\system32\kernelwind32.exe
    E:\WINDOWS\system32\ldcore.dll
    E:\WINDOWS\system32\ldinfo.ldr
    E:\WINDOWS\system32\max1d11643v.exe
    E:\WINDOWS\system32\mhooucib.dll
    E:\WINDOWS\system32\msnav32.ax
    E:\WINDOWS\system32\newmaxxsv234.exe
    E:\WINDOWS\system32\pac.txt
    E:\WINDOWS\system32\rtnka.dat
    E:\WINDOWS\system32\rtnka.dll
    E:\WINDOWS\system32\RunOnce3.tmp
    E:\WINDOWS\system32\SoUI.dll
    E:\WINDOWS\system32\svfgnfny.exe
    E:\WINDOWS\system32\ttvwa.bak1
    E:\WINDOWS\system32\ttvwa.bak2
    E:\WINDOWS\system32\ttvwa.ini
    E:\WINDOWS\system32\vedxg4am1et2.exe
    E:\WINDOWS\system32\vedxg6ame4.exe
    E:\WINDOWS\system32\vedxga1me4t1.exe
    E:\WINDOWS\system32\vedxga4me1.exe
    E:\WINDOWS\system32\vedxga5me3.exe
    E:\WINDOWS\system32\winpfz32.sys
    E:\WINDOWS\system32\winrkp32.dll
    E:\WINDOWS\system32\x22
    E:\WINDOWS\system32\x22\c124wvr.exe
    E:\WINDOWS\system32\zxdnt3d.cfg
    E:\WINDOWS\tsitra1000106.exe
    E:\WINDOWS\TTC-4444.exe
    E:\WINDOWS\uninstall_nmon.vbs
    E:\WINDOWS\winh32.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    \LEGACY_ASC3550P
    \LEGACY_ASPIMGR
    \LEGACY_CMDSERVICE
    \LEGACY_CORE
    \LEGACY_DOMAINSERVICE
    \LEGACY_DRIVER
    \LEGACY_NETWORK_MONITOR
    \LEGACY_SFSYNC02
    \asc3550p
    \cmdService
    \DomainService
    \nm
    \sfsync02


    ((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
    .

    2007-11-03 21:45 51,200 --a E:\WINDOWS\NirCmd.exe
    2007-11-03 21:35 396,288 --a E:\HijackThis.exe
    2007-11-03 19:00 <DIR> d E:\Documents and Settings\Administrator\Application Data\U3
    2007-10-31 13:17 <DIR> d E:\Program Files\Common Files\Symantec Shared
    2007-10-31 13:06 1,290 --a E:\WINDOWS\system32\tmp.reg
    2007-10-31 13:04 289,144 --a E:\WINDOWS\system32\VCCLSID.exe
    2007-10-31 13:04 288,417 --a E:\WINDOWS\system32\SrchSTS.exe
    2007-10-31 13:04 53,248 --a E:\WINDOWS\system32\Process.exe
    2007-10-31 13:04 51,200 --a E:\WINDOWS\system32\dumphive.exe
    2007-10-31 13:04 25,600 --a E:\WINDOWS\system32\WS2Fix.exe
    2007-10-31 13:00 3,144 --a E:\WINDOWS\system32\SProxy_tmp.dll
    2007-10-30 23:20 <DIR> d E:\Program Files\microsoft frontpage
    2007-10-30 18:13 <DIR> d E:\Documents and Settings\Administrator\Application Data\TuneUp Software
    2007-10-30 17:45 <DIR> d E:\WINDOWS\system32\fkmdvbtn
    2007-10-30 17:45 104,960 --a E:\WINDOWS\system32\drvfar.dll
    2007-10-30 17:45 35,840 --a E:\WINDOWS\system32\opnnnmm.dll
    2007-10-30 17:43 <DIR> d E:\Documents and Settings\Administrator\Application Data\Talkback
    2007-10-30 17:36 57,368 --a E:\WINDOWS\system32\dsrng.exe
    2007-10-30 17:36 7,680 --a E:\WINDOWS\system32\winter.exe
    2007-10-30 17:00 <DIR> d E:\Documents and Settings\Administrator\Application Data\Lavasoft
    2007-10-30 14:14 <DIR> d E:\WINDOWS\system32\ehgvjcfi
    2007-10-30 14:14 10,240 --a E:\WINDOWS\system32\npdl.exe
    2007-10-30 14:12 <DIR> d E:\WINDOWS\system32\svcd
    2007-10-30 13:50 196,681 --a E:\WINDOWS\system32\mwinndq.exe
    2007-10-30 13:48 <DIR> d E:\WINDOWS\system32\Mz12r
    2007-10-30 13:35 340,032 --a E:\WINDOWS\system32\igotsovh.dll
    2007-10-30 13:34 340,032 --a E:\WINDOWS\system32\xgmnoltx.dll
    2007-10-30 12:37 <DIR> d E:\WINDOWS\system32\acespy
    2007-10-30 12:16 <DIR> d E:\Documents and Settings\Freshly\Application Data\Lavasoft
    2007-10-30 12:16 552,960 --a E:\WINDOWS\system32\GE.dll
    2007-10-30 12:16 131,588 --a E:\WINDOWS\system32\qiawpbjj.exe
    2007-10-30 12:16 21,504 --a E:\WINDOWS\system32\qiawpbjj.dll
    2007-10-30 08:06 12,800 --a E:\WINDOWS\system32\bronto.dll
    2007-10-30 08:06 7,680 --a E:\WINDOWS\system32\proper.exe
    2007-10-30 08:06 6,144 --a E:\WINDOWS\system32\skuns.dat
    2007-10-30 01:31 34,816 --a E:\WINDOWS\system32\rqrpnoo.dll
    2007-10-30 01:30 34,816 --a E:\WINDOWS\system32\xxyywut.dll
    2007-10-30 01:28 34,816 --a E:\WINDOWS\system32\hgghiij.dll
    2007-10-30 01:27 <DIR> d E:\WINDOWS\system32\Mz02r
    2007-10-30 01:27 <DIR> d--hs---- E:\WINDOWS\RXZhbiBMb3ZlbHk
    2007-10-30 01:27 294,668 --a E:\WINDOWS\frexup2.exe
    2007-10-30 01:27 34,816 --a E:\WINDOWS\system32\yayxyxy.dll
    2007-10-30 01:27 13,824 --a E:\WINDOWS\plite731.exe
    2007-10-30 01:27 41 --a E:\WINDOWS\plite731_uninstaller_.bat
    2007-10-23 00:22 <DIR> d E:\Temp
    2007-10-22 22:42 24,616 --ah E:\WINDOWS\system32\mlfcache.dat
    2007-10-22 22:40 <DIR> d E:\Program Files\mIRC
    2007-10-22 08:45 <DIR> d E:\Program Files\Activision
    2007-10-22 08:36 <DIR> d--hs---- E:\WINDOWS\ftpcache
    2007-10-22 08:34 <DIR> d E:\Program Files\MagicDisc
    2007-10-22 08:34 92,544 --a E:\WINDOWS\system32\drivers\mcdbus.sys
    2007-10-09 12:10 442,368 -ra E:\WINDOWS\system32\vp6vfw.dll
    2007-10-07 16:00 <DIR> d E:\Program Files\WinUHA
    2007-10-04 15:20 <DIR> d E:\Documents and Settings\Freshly\Application Data\atitray
    2007-10-04 12:46 516,096 E:\WINDOWS\system32\ati2sgag.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-31 18:20 359,808 ----a-w E:\WINDOWS\system32\drivers\tcpip.sys
    2007-10-22 20:08 139,264 ----a-w E:\WINDOWS\War3Unin.exe
    2007-10-22 14:07 d--h--w E:\Program Files\InstallShield Installation Information
    2007-10-04 20:12 d w E:\Program Files\Radeon Omega Drivers
    2007-10-04 17:33 451,072 ----a-w E:\WINDOWS\Radeon Omega Drivers v3.8.413 Uninstall.exe
    2007-10-04 17:17 d w E:\Program Files\Common Files\Adobe
    2007-10-02 17:48 451,072 ----a-w E:\WINDOWS\Radeon Omega Drivers v3.8.360 Uninstall.exe
    2007-10-02 17:34 d w E:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-09-28 19:39 d w E:\Program Files\Microsoft Games
    2007-09-26 04:25 d w E:\Program Files\iTunes
    2007-09-26 04:25 d w E:\Program Files\iPod
    2007-09-15 13:39 d w E:\Program Files\Apple Software Update
    2005-07-29 21:24:26 472 --sha-r E:\WINDOWS\RXZhbiBMb3ZlbHk\lrt1v21gvat5vJ4.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{026B5895-3E8E-49A9-8EEE-B52A326DA962}]
    2007-10-30 17:43 21504 --a E:\WINDOWS\system32\qiawpbjj.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DBC8C01-05C0-452B-58BE-CE96FE520B72}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A8C2C57-93A7-0675-5A40-098909C6F6CC}]
    E:\Program Files\Nodrqkjo\iejnsqru.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37C39123-5ED3-472E-90C5-5A960BB4F182}]
    E:\Program Files\Internet Explorer\horeforec83122.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D32219E-1571-40C9-9E64-2E0DEF408469}]
    E:\Program Files\Internet Explorer\horeforec4444.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AE7F116-2E51-440D-BABB-9E7CCAEC881F}]
    E:\Program Files\Internet Explorer\horeforec555077.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]
    2007-10-30 01:27 34816 --a E:\WINDOWS\system32\yayxyxy.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    2007-10-30 13:35 340032 --a E:\WINDOWS\system32\igotsovh.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D27987B8-7244-4DE0-AE10-39B826B492F1}]
    2007-10-30 08:06 12800 --a
    E:\WINDOWS\system32\bronto.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}]
    E:\Program Files\E404 Helper\e404.v1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}"= E:\WINDOWS\system32\igotsovh.dll [2007-10-30 13:35 340032]

    [HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSConfig"="E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:56]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}"= E:\WINDOWS\system32\yayxyxy.dll [2007-10-30 01:27 34816]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igotsovh]
    igotsovh.dll 2007-10-30 13:35 340032 E:\WINDOWS\system32\igotsovh.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxyxy]
    yayxyxy.dll 2007-10-30 01:27 34816 E:\WINDOWS\system32\yayxyxy.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c007BCA1]
    E:\WINDOWS\system32\__c007BCA1.dat

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 E:\WINDOWS\system32\awvtt.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Administrator^Start Menu^Programs^Startup^infos.exe]
    path=E:\Documents and Settings\Administrator\Start Menu\Programs\Startup\infos.exe
    backup=E:\WINDOWS\pss\infos.exeStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=E:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^autos.exe]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
    backup=E:\WINDOWS\pss\autos.exeCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^MacName.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\MacName.lnk
    backup=E:\WINDOWS\pss\MacName.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
    path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\Folding@Home 5.03.lnk
    backup=E:\WINDOWS\pss\Folding@Home 5.03.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
    path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
    backup=E:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^TrayIt!.lnk]
    path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\TrayIt!.lnk
    backup=E:\WINDOWS\pss\TrayIt!.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Freshly^Start Menu^Programs^Startup^infos.exe]
    path=E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\infos.exe
    backup=E:\WINDOWS\pss\infos.exeStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Freshly^Start Menu^Programs^Startup^TA_Start.lnk]
    path=E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\TA_Start.lnk
    backup=E:\WINDOWS\pss\TA_Start.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Freshly^Start Menu^Programs^Startup^Think-Adz.lnk]
    path=E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\Think-Adz.lnk
    backup=E:\WINDOWS\pss\Think-Adz.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A00F17CB8D8.exe]
    E:\DOCUME~1\Freshly\LOCALS~1\Temp\_A00F17CB8D8.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    "E:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
    atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
    E:\WINDOWS\TEMP\win41.tmp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootService]
    rundll32.exe "E:\WINDOWS\system32\__c00AD202.dat",realset

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brave-Sentry]
    C:\Program Files\BraveSentry\BraveSentry.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\csrss]
    E:\WINDOWS\system32\wbem\csrss.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
    rundll32.exe E:\WINDOWS\system32\drvfar.dll,startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    E:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\epyvqdqp]
    rundll32.exe "E:\Program Files\epyvqdqp\wfslopkv.dll",Init

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
    E:\WINDOWS\system32\mwinndq.exe CHD001

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f8075fe6]
    rundll32.exe "E:\WINDOWS\system32\mhooucib.dll",b

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMPack6]
    "E:\Program Files\ISM2\ISMPack6.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "E:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MacLicense]
    "E:\Program Files\MacOpener\MacLic.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mdqpituh]
    regsvr32 /u "E:\Documents and Settings\All Users\Application Data\mdqpituh.dll"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\noskrnl]
    E:\WINDOWS\noskrnl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plite731]
    E:\WINDOWS\plite731.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    E:\Program Files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack9]
    "E:\Program Files\QdrPack\QdrPack9.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "E:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    E:\WINDOWS\tsitra1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
    E:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sc]
    E:\Program Files\All-In-One Spy\run.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service Pack 1]
    E:\WINDOWS\system32\vedxg6ame4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShareSearcher]
    c:\wsusupd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TuneUp MemOptimizer]
    "C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" autostart

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tydwvmxi]
    regsvr32 /u "E:\Documents and Settings\All Users\Application Data\tydwvmxi.dll"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Undefined]
    E:\WINDOWS\system32\winter.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    "E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
    E:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
    E:\Program Files\Web Buying\v1.8.5\webbuying.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
    E:\Program Files\WinAble\winable.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
    C:\Windows\xpupdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
    C:\Program Files\Logitech\iTouch\iTouch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{75-5F-F4-49-ZN}]
    e:\windows\system32\dsrng.exe CHD001

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "TUWinStylerThemeSvc"=2 (0x2)
    "SandraTheSrv"=3 (0x3)
    "SandraDataSrv"=3 (0x3)
    "RKKW"=2 (0x2)
    "ose"=3 (0x3)
    "Microsoft Internet Service"=2 (0x2)
    "MacFormatService"=2 (0x2)
    "lsass"=2 (0x2)
    "iPod Service"=3 (0x3)
    "IDriverT"=3 (0x3)
    "FAH@E:+Program Files+Folding+FAH504-Console.exe"=2 (0x2)
    "FAH@D:+FAH504-Console.exe"=2 (0x2)
    "DomainService"=2 (0x2)
    "cmdService"=2 (0x2)
    "ATI Smart"=2 (0x2)
    "Ati HotKey Poller"=2 (0x2)
    "aspimgr"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "Adobe LM Service"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "nForce Tray Options"=sstray.exe /r
    "AtiPTA"=atiptaxx.exe

    R0 MacOpen;MacOpen;E:\WINDOWS\system32\drivers\MacOpen.sys
    R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;E:\WINDOWS\system32\drivers\si3112r.sys
    R0 SiWinAcc;SiWinAcc;E:\WINDOWS\system32\drivers\SiWinAcc.sys
    R3 Tetris;Tetris driver;E:\WINDOWS\system32\Drivers\Tetris.sys
    S1 atitray;atitray;\??\E:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys
    S2 aic78x5;aic78x5;E:\WINDOWS\system32\drivers\aic78x5.sys
    S2 ithsgt;ithsgt;E:\WINDOWS\system32\DRIVERS\ithsgt.sys
    S2 lilsgt;lilsgt;E:\WINDOWS\system32\DRIVERS\lilsgt.sys
    S2 PfDetNT;PfDetNT;\??\E:\WINDOWS\system32\drivers\PfModNT.sys
    S3 ASPI;Advanced SCSI Programming Interface Driver;\??\E:\WINDOWS\System32\DRIVERS\ASPI32.sys
    S3 EraserUtilDrv10733;EraserUtilDrv10733;\??\E:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10733.sys
    S3 jbridgep;jbridgep;\??\E:\DOCUME~1\Evan\LOCALS~1\Temp\jbridgep.sys
    S4 FAH@D:+FAH504-Console.exe;FAH@D:+FAH504-Console.exe;D:\FAH504-Console.exe -svcstart
    S4 FAH@E:+Documents and Settings+Evan+Desktop+FAH504-Console.exe;FAH@E:+Documents and Settings+Evan+Desktop+FAH504-Console.exe;E:\Documents and Settings\Evan\Desktop\FAH504-Console.exe -svcstart
    S4 FAH@E:+Program Files+Folding+FAH504-Console.exe;FAH@E:+Program Files+Folding+FAH504-Console.exe;E:\Program Files\Folding\FAH504-Console.exe -svcstart
    S4 lsass;Local Security Authority Subsystem Service;"E:\WINDOWS\winlogon.exe"
    S4 Microsoft Internet Service;Microsoft Internet Service;E:\WINDOWS\system32\_svchost.exe -A
    S4 RKKW;Security Service;E:\WINDOWS\system32\svcd\svchost.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\Autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    \Shell\AutoRun\command - G:\OblivionLauncher.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
    \Shell\AutoRun\command - H:\autoplay.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
    \Shell\AutoRun\command - J:\Setup\rsrc\autorun.exe
    \Shell\dinstall\command - J:\Directx\dxsetup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
    \Shell\AutoRun\command - K:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-27 02:10:15 E:\WINDOWS\Tasks\1-Click Maintenance.job"
    "2007-09-20 03:56:46 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - E:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-03 21:53:39
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    "ServiceDll"="E:\WINDOWS\System32\es.dll"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@D:+FAH504-Console.exe]
    "ImagePath"="D:\FAH504-Console.exe -svcstart"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@E:+Documents and Settings+Evan+Desktop+FAH504-Console.exe]
    "ImagePath"="E:\Documents and Settings\Evan\Desktop\FAH504-Console.exe -svcstart"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@E:+Program Files+Folding+FAH504-Console.exe]
    .
    Completion time: 2007-11-03 21:54:14 - machine was rebooted
    .
    --- E O F ---

    Oops, apparently I forgot to grab the updated HijackThis log. I'll go grab and paste it in a second (have to run upstairs).

    However, I did try out normal mode on both of my accounts to no avail; it generally hung up. I couldn't ctrl+alt+delete in one, and things were typically failing to load. Be back with the log.
  • edited November 2007
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:27:04 PM, on 11/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Safe mode

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\Explorer.EXE
    E:\HijackThis\HijackThis.exe

    O2 - BHO: qiawpbjj.msdn_hlp - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - E:\WINDOWS\system32\qiawpbjj.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - E:\WINDOWS\system32\yayxyxy.dll
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - E:\WINDOWS\system32\igotsovh.dll
    O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - E:\WINDOWS\system32\bronto.dll
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - E:\WINDOWS\system32\igotsovh.dll
    O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - E:\PROGRA~1\PACIFI~1\pacificpoker.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127266059866
    O20 - Winlogon Notify: igotsovh - E:\WINDOWS\SYSTEM32\igotsovh.dll
    O20 - Winlogon Notify: yayxyxy - E:\WINDOWS\SYSTEM32\yayxyxy.dll
    O20 - Winlogon Notify: __c007BCA1 - E:\WINDOWS\system32\__c007BCA1.dat (file missing)
    O21 - SSODL: VzBAB - {F8075F4A-52AD-F5E0-7426-BEB4C599B277} - (no file)
    O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe

    --
    End of file - 3152 bytes
  • muulimuuli Finland
    edited November 2007
    Hi,

    Step 1

    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, double-click on SmitfraudFix.exe
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non-infected computer will remove your Desktop background.

    Step 2

    Open Notepad and copy/paste the text in the quote box below into it:
    Driver::
    lsass
    Microsoft Internet Service
    RKKW
    File::
    E:\WINDOWS\system32\drvfar.dll
    E:\WINDOWS\system32\opnnnmm.dll
    E:\WINDOWS\system32\dsrng.exe
    E:\WINDOWS\system32\npdl.exe
    E:\WINDOWS\system32\mwinndq.exe
    E:\WINDOWS\system32\igotsovh.dll
    E:\WINDOWS\system32\xgmnoltx.dll
    E:\WINDOWS\system32\GE.dll
    E:\WINDOWS\system32\qiawpbjj.dll
    E:\WINDOWS\system32\rqrpnoo.dll
    E:\WINDOWS\system32\xxyywut.dll
    E:\WINDOWS\system32\hgghiij.dll
    E:\WINDOWS\system32\qiawpbjj.exe
    E:\WINDOWS\frexup2.exe
    E:\WINDOWS\system32\yayxyxy.dll
    E:\WINDOWS\plite731.exe
    E:\WINDOWS\plite731_uninstaller_.bat
    E:\WINDOWS\system32\mlfcache.dat
    E:\Documents and Settings\Administrator\Start Menu\Programs\Startup\infos.exe
    E:\WINDOWS\pss\infos.exe
    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
    E:\WINDOWS\pss\autos.exe
    E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\infos.exe
    E:\WINDOWS\pss\infos.exeStartup
    E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\TA_Start.lnk
    E:\WINDOWS\pss\TA_Start.lnk
    E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\Think-Adz.lnk
    E:\WINDOWS\pss\Think-Adz.lnk
    E:\WINDOWS\system32\__c00AD202.dat
    E:\WINDOWS\system32\wbem\csrss.exe
    E:\WINDOWS\system32\mwinndq.exe
    E:\Documents and Settings\All Users\Application Data\mdqpituh.dll
    E:\WINDOWS\noskrnl.exe
    E:\WINDOWS\tsitra1000106.exe
    E:\WINDOWS\system32\vedxg6ame4.exe
    c:\wsusupd.exe
    E:\Documents and Settings\All Users\Application Data\tydwvmxi.dll
    C:\Windows\xpupdate.exe
    E:\WINDOWS\system32\_svchost.exe
    E:\WINDOWS\winlogon.exe
    E:\WINDOWS\system32\_svchost.exe
    Folder::
    E:\WINDOWS\system32\fkmdvbtn
    E:\WINDOWS\system32\ehgvjcfi
    E:\WINDOWS\system32\acespy
    E:\WINDOWS\system32\svcd
    E:\WINDOWS\RXZhbiBMb3ZlbHk
    E:\WINDOWS\system32\Mz12r
    E:\WINDOWS\system32\Mz02r
    E:\Program Files\Nodrqkjo
    E:\Program Files\E404 Helper
    C:\Program Files\BraveSentry
    E:\Program Files\epyvqdqp
    E:\Program Files\ISM2
    E:\Program Files\All-In-One Spy
    E:\Program Files\Web Buying
    E:\Program Files\WinAble
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{026B5895-3E8E-49A9-8EEE-B52A326DA962}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DBC8C01-05C0-452B-58BE-CE96FE520B72}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A8C2C57-93A7-0675-5A40-098909C6F6CC}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37C39123-5ED3-472E-90C5-5A960BB4F182}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D32219E-1571-40C9-9E64-2E0DEF408469}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AE7F116-2E51-440D-BABB-9E7CCAEC881F}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxyxy]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c007BCA1]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Administrator^Start Menu^Programs^Startup^infos.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^autos.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Freshly^Start Menu^Programs^Startup^infos.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Freshly^Start Menu^Programs^Startup^TA_Start.lnk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Freshly^Start Menu^Programs^Startup^Think-Adz.lnk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A00F17CB8D8.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootService]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brave-Sentry]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\epyvqdqp]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f8075fe6]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMPack6]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mdqpituh]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\noskrnl]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plite731]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sc]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service Pack 1]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShareSearcher]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tydwvmxi]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{75-5F-F4-49-ZN}]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "RKKW"=-
    "ose"=-
    "Microsoft Internet Service"=-
    "lsass"=-
    "DomainService"=-
    "cmdService"=-
    "aspimgr"=-
    
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    CFScript.gif

    This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

    Step 3

    Try again to boot your computer into normal mode and tell me how it is working.

    And please post a fresh HijackThis log, SmitfraudFix log and ComboFix log.
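    A CFScript deletes files and registry keys with no confirmation, so a path that is mangled on the way through the forum (a space soft-wrapped into a key name, a hive name missing a letter) silently does nothing or hits the wrong key. The following is an added example, not code from the thread or from ComboFix: a small Python linter that parses the script syntax used in Step 2 (Driver::, File::, Folder::, Registry:: sections, "[-KEY]" to delete a key, '"name"=-' to delete a value, '"name"=hex(7):..' for a REG_MULTI_SZ), cross-checks every registry path against the "[KEY]" lines the ComboFix log printed, flags duplicate entries, and decodes the Authentication Packages value to confirm it is being reset to the default msv1_0 only. The log excerpt and script below are constructed from the thread and shortened, with two deliberately mangled paths to show what gets caught; the one-byte-per-character hex(7) encoding follows the script in the thread and is an assumption, not the UTF-16 form that .reg exports use.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it was written from.

Added example, not ComboFix's own code. Script syntax follows the thread:
section headers Driver::, File::, Folder::, Registry::; "[-KEY]" deletes a
key, '"name"=-' deletes a value, '"name"=hex(7):..' writes a REG_MULTI_SZ.
"""
import re
from collections import Counter

SECTION_HEADERS = ("Driver::", "File::", "Folder::", "Registry::")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# What "Authentication Packages" should hold once the rogue DLL is gone.
DEFAULT_AUTH_PACKAGES = ["msv1_0"]


def parse_cfscript(text):
    """Split a CFScript into {section: [lines]}; reject text before a header."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            current = line
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections


def log_registry_keys(log_text):
    """Collect every '[KEY]' path the ComboFix log prints, lower-cased."""
    keys = set()
    for raw in log_text.splitlines():
        m = KEY_RE.match(raw.strip())
        if m:
            keys.add(m.group(2).lower())
    return keys


def decode_multi_sz(value):
    """Decode a hex(7) REG_MULTI_SZ written one byte per character, as in
    the thread's script (assumption: not the UTF-16 form .reg exports use)."""
    data = bytes(int(b, 16) for b in value[len("hex(7):"):].split(","))
    return [s.decode("latin-1") for s in data.split(b"\x00") if s]


def lint_cfscript(script_text, log_text):
    """Return (section, line, problem) findings; an empty list means clean."""
    findings = []
    sections = parse_cfscript(script_text)
    known_keys = log_registry_keys(log_text)
    # Duplicates are harmless to ComboFix but usually mean a copy/paste slip.
    for section, lines in sections.items():
        for line, count in Counter(lines).items():
            if count > 1:
                findings.append((section, line, "listed %d times" % count))
    for line in sections.get("Registry::", []):
        key = KEY_RE.match(line)
        val = VALUE_RE.match(line)
        # A key the log never printed is a typo or a soft-wrap artifact.
        if key and key.group(2).lower() not in known_keys:
            findings.append(("Registry::", line, "key not in ComboFix log"))
        # The LSA reset must restore exactly the default package list.
        elif val and val.group(1) == "Authentication Packages" \
                and val.group(2).startswith("hex(7):"):
            pkgs = decode_multi_sz(val.group(2))
            if pkgs != DEFAULT_AUTH_PACKAGES:
                findings.append(("Registry::", line, "unexpected packages %r" % pkgs))
    return findings


# Constructed log excerpt: "[KEY]" lines in the form ComboFix prints them.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxyxy]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 E:\WINDOWS\system32\awvtt.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Freshly^Start Menu^Programs^Startup^Think-Adz.lnk]
"""

# Constructed script with two deliberately mangled paths: a space inside
# "CurrentVersion" (forum soft-wrap) and a hive name missing its leading H.
SAMPLE_SCRIPT = r"""
File::
E:\WINDOWS\system32\yayxyxy.dll
E:\WINDOWS\system32\mwinndq.exe
E:\WINDOWS\system32\mwinndq.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks]
"{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxyxy]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-KEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Freshly^Start Menu^Programs^Startup^Think-Adz.lnk]
"""

if __name__ == "__main__":
    for section, line, problem in lint_cfscript(SAMPLE_SCRIPT, SAMPLE_LOG):
        print("%-10s %s\n           %s" % (section, problem, line))
```

    Run against the constructed input it reports three findings: mwinndq.exe listed twice, and the two registry keys that do not match anything in the log; the Lsa line decodes to msv1_0 alone and passes. Keys are compared case-insensitively because ComboFix prints some hives in upper case and some in lower case, as the log in this thread shows.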
  • edited November 2007
    Here are the logs I got. Unfortunately, I can't seem to get SmitfraudFix to run any more. It restarts my computer but never actually runs. Also, normal mode remains unchanged, regardless of all the progress.

    ComboFix 07-11-01.1 - Administrator 2007-11-04 16:01:07.3 - NTFSx86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.827 [GMT -5:00]
    Running from: E:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: E:\Documents and Settings\Administrator\Desktop\CFScript.txt

    FILE::
    C:\Windows\xpupdate.exe
    c:\wsusupd.exe
    E:\Documents and Settings\Administrator\Start Menu\Programs\Startup\infos.exe
    E:\Documents and Settings\All Users\Application Data\mdqpituh.dll
    E:\Documents and Settings\All Users\Application Data\tydwvmxi.dll
    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
    E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\infos.exe
    E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\TA_Start.lnk
    E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\Think-Adz.lnk
    E:\WINDOWS\frexup2.exe
    E:\WINDOWS\noskrnl.exe
    E:\WINDOWS\plite731.exe
    E:\WINDOWS\plite731_uninstaller_.bat
    E:\WINDOWS\pss\autos.exe
    E:\WINDOWS\pss\infos.exe
    E:\WINDOWS\pss\infos.exeStartup
    E:\WINDOWS\pss\TA_Start.lnk
    E:\WINDOWS\pss\Think-Adz.lnk
    E:\WINDOWS\system32\__c00AD202.dat
    E:\WINDOWS\system32\_svchost.exe
    E:\WINDOWS\system32\drvfar.dll
    E:\WINDOWS\system32\dsrng.exe
    E:\WINDOWS\system32\GE.dll
    E:\WINDOWS\system32\hgghiij.dll
    E:\WINDOWS\system32\igotsovh.dll
    E:\WINDOWS\system32\mlfcache.dat
    E:\WINDOWS\system32\mwinndq.exe
    E:\WINDOWS\system32\npdl.exe
    E:\WINDOWS\system32\opnnnmm.dll
    E:\WINDOWS\system32\qiawpbjj.dll
    E:\WINDOWS\system32\qiawpbjj.exe
    E:\WINDOWS\system32\rqrpnoo.dll
    E:\WINDOWS\system32\vedxg6ame4.exe
    E:\WINDOWS\system32\wbem\csrss.exe
    E:\WINDOWS\system32\xgmnoltx.dll
    E:\WINDOWS\system32\xxyywut.dll
    E:\WINDOWS\system32\yayxyxy.dll
    E:\WINDOWS\tsitra1000106.exe
    E:\WINDOWS\winlogon.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\wsusupd.exe
    E:\WINDOWS\frexup2.exe
    E:\WINDOWS\plite731.exe
    E:\WINDOWS\plite731_uninstaller_.bat
    E:\WINDOWS\pss\infos.exeStartup
    E:\WINDOWS\RXZhbiBMb3ZlbHk
    E:\WINDOWS\RXZhbiBMb3ZlbHk\lrt1v21gvat5vJ4.vbs
    E:\WINDOWS\system32\acespy
    E:\WINDOWS\system32\drvfar.dll
    E:\WINDOWS\system32\dsrng.exe
    E:\WINDOWS\system32\ehgvjcfi
    E:\WINDOWS\system32\ehgvjcfi\bg1.gif
    E:\WINDOWS\system32\ehgvjcfi\bgtop.gif
    E:\WINDOWS\system32\ehgvjcfi\bottom1.gif
    E:\WINDOWS\system32\ehgvjcfi\essentials.gif
    E:\WINDOWS\system32\ehgvjcfi\icon1.ico
    E:\WINDOWS\system32\ehgvjcfi\install1.gif
    E:\WINDOWS\system32\ehgvjcfi\left1.gif
    E:\WINDOWS\system32\ehgvjcfi\li.gif
    E:\WINDOWS\system32\ehgvjcfi\logo.gif
    E:\WINDOWS\system32\ehgvjcfi\main.htm
    E:\WINDOWS\system32\ehgvjcfi\mainframe.htm
    E:\WINDOWS\system32\ehgvjcfi\reinstall1.gif
    E:\WINDOWS\system32\ehgvjcfi\right1.gif
    E:\WINDOWS\system32\ehgvjcfi\s1.htm
    E:\WINDOWS\system32\ehgvjcfi\s2.htm
    E:\WINDOWS\system32\ehgvjcfi\s3.htm
    E:\WINDOWS\system32\ehgvjcfi\SMTop1.gif
    E:\WINDOWS\system32\ehgvjcfi\SMTop2.gif
    E:\WINDOWS\system32\ehgvjcfi\SMTop3.gif
    E:\WINDOWS\system32\ehgvjcfi\SMTop4.gif
    E:\WINDOWS\system32\ehgvjcfi\soft1_off.gif
    E:\WINDOWS\system32\ehgvjcfi\soft1_off_ext.gif
    E:\WINDOWS\system32\ehgvjcfi\soft1_on.gif
    E:\WINDOWS\system32\ehgvjcfi\soft1_on_ext.gif
    E:\WINDOWS\system32\ehgvjcfi\soft2_off.gif
    E:\WINDOWS\system32\ehgvjcfi\soft2_off_ext.gif
    E:\WINDOWS\system32\ehgvjcfi\soft2_on.gif
    E:\WINDOWS\system32\ehgvjcfi\soft2_on_ext.gif
    E:\WINDOWS\system32\ehgvjcfi\soft3_off.gif
    E:\WINDOWS\system32\ehgvjcfi\soft3_off_ext.gif
    E:\WINDOWS\system32\ehgvjcfi\soft3_on.gif
    E:\WINDOWS\system32\ehgvjcfi\soft3_on_ext.gif
    E:\WINDOWS\system32\ehgvjcfi\softbottom_off.gif
    E:\WINDOWS\system32\ehgvjcfi\softbottom_on.gif
    E:\WINDOWS\system32\ehgvjcfi\softleft_off.gif
    E:\WINDOWS\system32\ehgvjcfi\softleft_on.gif
    E:\WINDOWS\system32\ehgvjcfi\top1.gif
    E:\WINDOWS\system32\ehgvjcfi\top2.gif
    E:\WINDOWS\system32\ehgvjcfi\turnoff1.gif
    E:\WINDOWS\system32\ehgvjcfi\turnon1.gif
    E:\WINDOWS\system32\fkmdvbtn
    E:\WINDOWS\system32\fkmdvbtn\bg1.gif
    E:\WINDOWS\system32\fkmdvbtn\bgtop.gif
    E:\WINDOWS\system32\fkmdvbtn\bottom1.gif
    E:\WINDOWS\system32\fkmdvbtn\essentials.gif
    E:\WINDOWS\system32\fkmdvbtn\icon1.ico
    E:\WINDOWS\system32\fkmdvbtn\install1.gif
    E:\WINDOWS\system32\fkmdvbtn\left1.gif
    E:\WINDOWS\system32\fkmdvbtn\li.gif
    E:\WINDOWS\system32\fkmdvbtn\logo.gif
    E:\WINDOWS\system32\fkmdvbtn\main.htm
    E:\WINDOWS\system32\fkmdvbtn\mainframe.htm
    E:\WINDOWS\system32\fkmdvbtn\reinstall1.gif
    E:\WINDOWS\system32\fkmdvbtn\right1.gif
    E:\WINDOWS\system32\fkmdvbtn\s1.htm
    E:\WINDOWS\system32\fkmdvbtn\s2.htm
    E:\WINDOWS\system32\fkmdvbtn\s3.htm
    E:\WINDOWS\system32\fkmdvbtn\SMTop1.gif
    E:\WINDOWS\system32\fkmdvbtn\SMTop2.gif
    E:\WINDOWS\system32\fkmdvbtn\SMTop3.gif
    E:\WINDOWS\system32\fkmdvbtn\SMTop4.gif
    E:\WINDOWS\system32\fkmdvbtn\soft1_off.gif
    E:\WINDOWS\system32\fkmdvbtn\soft1_off_ext.gif
    E:\WINDOWS\system32\fkmdvbtn\soft1_on.gif
    E:\WINDOWS\system32\fkmdvbtn\soft1_on_ext.gif
    E:\WINDOWS\system32\fkmdvbtn\soft2_off.gif
    E:\WINDOWS\system32\fkmdvbtn\soft2_off_ext.gif
    E:\WINDOWS\system32\fkmdvbtn\soft2_on.gif
    E:\WINDOWS\system32\fkmdvbtn\soft2_on_ext.gif
    E:\WINDOWS\system32\fkmdvbtn\soft3_off.gif
    E:\WINDOWS\system32\fkmdvbtn\soft3_off_ext.gif
    E:\WINDOWS\system32\fkmdvbtn\soft3_on.gif
    E:\WINDOWS\system32\fkmdvbtn\soft3_on_ext.gif
    E:\WINDOWS\system32\fkmdvbtn\softbottom_off.gif
    E:\WINDOWS\system32\fkmdvbtn\softbottom_on.gif
    E:\WINDOWS\system32\fkmdvbtn\softleft_off.gif
    E:\WINDOWS\system32\fkmdvbtn\softleft_on.gif
    E:\WINDOWS\system32\fkmdvbtn\top1.gif
    E:\WINDOWS\system32\fkmdvbtn\top2.gif
    E:\WINDOWS\system32\fkmdvbtn\turnoff1.gif
    E:\WINDOWS\system32\fkmdvbtn\turnon1.gif
    E:\WINDOWS\system32\GE.dll
    E:\WINDOWS\system32\hgghiij.dll
    E:\WINDOWS\system32\igotsovh.dll
    E:\WINDOWS\system32\igotsovh.dllbox
    E:\WINDOWS\system32\mlfcache.dat
    E:\WINDOWS\system32\mwinndq.exe
    E:\WINDOWS\system32\Mz02r
    E:\WINDOWS\system32\Mz02r\Mz02r1065.exe
    E:\WINDOWS\system32\Mz12r
    E:\WINDOWS\system32\Mz12r\Mz12r2215.exe
    E:\WINDOWS\system32\npdl.exe
    E:\WINDOWS\system32\opnnnmm.dll
    E:\WINDOWS\system32\qiawpbjj.dll
    E:\WINDOWS\system32\qiawpbjj.exe
    E:\WINDOWS\system32\rqrpnoo.dll
    E:\WINDOWS\system32\svcd
    E:\WINDOWS\system32\svcd\svchost.exe
    E:\WINDOWS\system32\wbem\csrss.exe
    E:\WINDOWS\system32\xgmnoltx.dll
    E:\WINDOWS\system32\xxyywut.dll
    E:\WINDOWS\system32\yayxyxy.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    \LEGACY_LSASS
    \LEGACY_MICROSOFT_INTERNET_SERVICE
    \LEGACY_RKKW
    \lsass
    \Microsoft Internet Service
    \RKKW


    ((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
    .

    2007-11-04 15:24 <DIR> d-------- E:\WINDOWS\LastGood.Tmp
    2007-11-03 21:55 <DIR> d-------- E:\HijackThis
    2007-11-03 21:45 51,200 --a------ E:\WINDOWS\NirCmd.exe
    2007-11-03 19:00 <DIR> d-------- E:\Documents and Settings\Administrator\Application Data\U3
    2007-10-31 13:17 <DIR> d-------- E:\Program Files\Common Files\Symantec Shared
    2007-10-31 13:06 1,194 --a------ E:\WINDOWS\system32\tmp.reg
    2007-10-31 13:04 289,144 --a------ E:\WINDOWS\system32\VCCLSID.exe
    2007-10-31 13:04 288,417 --a------ E:\WINDOWS\system32\SrchSTS.exe
    2007-10-31 13:04 53,248 --a------ E:\WINDOWS\system32\Process.exe
    2007-10-31 13:04 51,200 --a------ E:\WINDOWS\system32\dumphive.exe
    2007-10-31 13:04 25,600 --a------ E:\WINDOWS\system32\WS2Fix.exe
    2007-10-31 13:00 3,144 --a------ E:\WINDOWS\system32\SProxy_tmp.dll
    2007-10-30 23:20 <DIR> d-------- E:\Program Files\microsoft frontpage
    2007-10-30 18:13 <DIR> d-------- E:\Documents and Settings\Administrator\Application Data\TuneUp Software
    2007-10-30 17:43 <DIR> d-------- E:\Documents and Settings\Administrator\Application Data\Talkback
    2007-10-30 17:00 <DIR> d-------- E:\Documents and Settings\Administrator\Application Data\Lavasoft
    2007-10-30 12:16 <DIR> d-------- E:\Documents and Settings\Freshly\Application Data\Lavasoft
    2007-10-23 00:22 <DIR> d-------- E:\Temp
    2007-10-22 22:40 <DIR> d-------- E:\Program Files\mIRC
    2007-10-22 08:45 <DIR> d-------- E:\Program Files\Activision
    2007-10-22 08:36 <DIR> d--hs---- E:\WINDOWS\ftpcache
    2007-10-22 08:34 <DIR> d-------- E:\Program Files\MagicDisc
    2007-10-22 08:34 92,544 --a------ E:\WINDOWS\system32\drivers\mcdbus.sys
    2007-10-09 12:10 442,368 -ra------ E:\WINDOWS\system32\vp6vfw.dll
    2007-10-07 16:00 <DIR> d-------- E:\Program Files\WinUHA
    2007-10-04 15:20 <DIR> d-------- E:\Documents and Settings\Freshly\Application Data\atitray
    2007-10-04 12:46 516,096 --------- E:\WINDOWS\system32\ati2sgag.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-31 18:20 359,808 ----a-w E:\WINDOWS\system32\drivers\tcpip.sys
    2007-10-22 20:08 139,264 ----a-w E:\WINDOWS\War3Unin.exe
    2007-10-22 14:07 --------- d--h--w E:\Program Files\InstallShield Installation Information
    2007-10-04 20:12 --------- d-----w E:\Program Files\Radeon Omega Drivers
    2007-10-04 17:33 451,072 ----a-w E:\WINDOWS\Radeon Omega Drivers v3.8.413 Uninstall.exe
    2007-10-04 17:17 --------- d-----w E:\Program Files\Common Files\Adobe
    2007-10-02 17:48 451,072 ----a-w E:\WINDOWS\Radeon Omega Drivers v3.8.360 Uninstall.exe
    2007-10-02 17:34 --------- d-----w E:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-09-28 19:39 --------- d-----w E:\Program Files\Microsoft Games
    2007-09-26 04:25 --------- d-----w E:\Program Files\iTunes
    2007-09-26 04:25 --------- d-----w E:\Program Files\iPod
    2007-09-15 13:39 --------- d-----w E:\Program Files\Apple Software Update
    .

    ((((((((((((((((((((((((((((( snapshot@2007-11-03_21.53.51.25 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2005-02-25 00:35:06 14,048 ----a-w E:\WINDOWS\system32\spmsg.dll
    + 2005-05-03 17:58:20 13,536 ------w E:\WINDOWS\system32\spmsg.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTHelper"="CTHELPER.EXE" [2003-10-06 01:57 E:\WINDOWS\system32\CTHELPER.EXE]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igotsovh]
    igotsovh.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=E:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^MacName.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\MacName.lnk
    backup=E:\WINDOWS\pss\MacName.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
    path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\Folding@Home 5.03.lnk
    backup=E:\WINDOWS\pss\Folding@Home 5.03.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
    path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
    backup=E:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^TrayIt!.lnk]
    path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\TrayIt!.lnk
    backup=E:\WINDOWS\pss\TrayIt!.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Freshly^Start Menu^Programs^Startup^Think-Adz.lnk]
    path=E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\Think-Adz.lnk
    backup=E:\WINDOWS\pss\Think-Adz.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    "E:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
    atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\csrss]
    E:\WINDOWS\system32\wbem\csrss.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    E:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
    E:\WINDOWS\system32\mwinndq.exe CHD001

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "E:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MacLicense]
    "E:\Program Files\MacOpener\MacLic.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    E:\Program Files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack9]
    "E:\Program Files\QdrPack\QdrPack9.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "E:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
    E:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TuneUp MemOptimizer]
    "C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" autostart

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Undefined]
    E:\WINDOWS\system32\winter.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    "E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
    E:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
    C:\Program Files\Logitech\iTouch\iTouch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "nForce Tray Options"=sstray.exe /r
    "AtiPTA"=atiptaxx.exe

    S1 atitray;atitray;\??\E:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys
    S2 aic78x5;aic78x5;E:\WINDOWS\system32\drivers\aic78x5.sys
    S3 ASPI;Advanced SCSI Programming Interface Driver;\??\E:\WINDOWS\System32\DRIVERS\ASPI32.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\Autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    \Shell\AutoRun\command - G:\OblivionLauncher.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
    \Shell\AutoRun\command - H:\autoplay.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
    \Shell\AutoRun\command - J:\Setup\rsrc\autorun.exe
    \Shell\dinstall\command - J:\Directx\dxsetup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
    \Shell\AutoRun\command - K:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-27 02:10:15 E:\WINDOWS\Tasks\1-Click Maintenance.job"
    "2007-09-20 03:56:46 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - E:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-04 16:04:28
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    "ServiceDll"="E:\WINDOWS\System32\es.dll"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@D:+FAH504-Console.exe]
    "ImagePath"="D:\FAH504-Console.exe -svcstart"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@E:+Documents and Settings+Evan+Desktop+FAH504-Console.exe]
    "ImagePath"="E:\Documents and Settings\Evan\Desktop\FAH504-Console.exe -svcstart"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@E:+Program Files+Folding+FAH504-Console.exe]
    .
    Completion time: 2007-11-04 16:05:07 - machine was rebooted
    E:\ComboFix2.txt ... 2007-11-04 15:54
    E:\ComboFix3.txt ... 2007-11-03 21:54
    .
    --- E O F ---



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:17:10 PM, on 11/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Safe mode

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\explorer.exe
    E:\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - E:\PROGRA~1\PACIFI~1\pacificpoker.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127266059866
    O20 - Winlogon Notify: igotsovh - igotsovh.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: FAH@D:+FAH504-Console.exe - Unknown owner - D:\FAH504-Console.exe (file missing)
    O23 - Service: FAH@E:+Program Files+Folding+FAH504-Console.exe - Unknown owner - E:\Program Files\Folding\FAH504-Console.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MacFormatService - DataViz Inc. - E:\Program Files\MacOpener\FORMATM.EXE
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR2a\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR2a\RpcSandraSrv.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

    --
    End of file - 3690 bytes
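Added example, not part of this thread and not a feature of ComboFix or HijackThis. The clearest tell in the logs above is Windows core-process names living outside the one directory they belong in: E:\WINDOWS\system32\wbem\csrss.exe, E:\WINDOWS\system32\svcd\svchost.exe, E:\WINDOWS\system32\_svchost.exe and E:\WINDOWS\winlogon.exe all sit next to the genuine copies in E:\WINDOWS\system32. The script below scans log lines for exactly that pattern. One caveat worth building in: this machine's Windows directory is on E:, so the check derives the Windows directory from the log itself instead of hard-coding C:\WINDOWS. The sample log is constructed from paths quoted in the thread; CORE_IMAGES, lookalike_of, infer_windir and find_masquerades are names chosen here.

```python
import re
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Core Windows XP processes that legitimately run only from %SystemRoot%\system32.
CORE_IMAGES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
               "lsass.exe", "svchost.exe"}

# A drive-letter path anywhere in a line (HJT O4 entries carry text before the path),
# taken lazily up to the first executable-style extension so paths with spaces survive.
PATH_RE = re.compile(r"(?i)\b([a-z]:\\[^\"'<>|*?]+?\.(?:exe|dll|sys|bat|vbs))\b")

# Constructed sample built from paths that appear in the ComboFix / HijackThis output above.
SAMPLE_LOG = """\
Running processes:
E:\\WINDOWS\\System32\\smss.exe
E:\\WINDOWS\\system32\\winlogon.exe
E:\\WINDOWS\\system32\\services.exe
E:\\WINDOWS\\system32\\lsass.exe
E:\\WINDOWS\\system32\\svchost.exe
O4 - HKLM\\..\\Run: [csrss] E:\\WINDOWS\\system32\\wbem\\csrss.exe
E:\\WINDOWS\\system32\\_svchost.exe
E:\\WINDOWS\\system32\\svcd\\svchost.exe
E:\\WINDOWS\\winlogon.exe
E:\\WINDOWS\\system32\\vedxg6ame4.exe
"""


def infer_windir(lines: Iterable[str]) -> Optional[str]:
    """Pick the Windows directory the log itself uses (most frequent X:\\WINDOWS).
    Hard-coding C:\\WINDOWS would miss everything on this machine, which boots from E:."""
    counts = Counter(m.group(1).upper()
                     for line in lines
                     for m in re.finditer(r"(?i)([a-z]:\\windows)\\", line))
    return counts.most_common(1)[0][0] if counts else None


def lookalike_of(name: str) -> Optional[str]:
    """Return the core image a file name is, or imitates, else None.
    Exact matches count; so do names that differ only by stray non-letters,
    e.g. "_svchost.exe" -> "svchost.exe"."""
    name = name.lower()
    if name in CORE_IMAGES:
        return name
    stripped = re.sub(r"[^a-z.]", "", name)
    return stripped if stripped in CORE_IMAGES else None


def find_masquerades(log_text: str, windir: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (path, reason) for every core-process image that is not the real one.
    A hit is either a core name outside <windir>\\system32, or a lookalike name inside it.
    The C:\\WINDOWS fallback is an assumption used only when the log names no Windows dir."""
    lines = log_text.splitlines()
    windir = (windir or infer_windir(lines) or "C:\\WINDOWS").upper()
    canonical = windir + "\\SYSTEM32"
    findings: List[Tuple[str, str]] = []
    for line in lines:
        for m in PATH_RE.finditer(line):
            path = m.group(1)
            parent, _, name = path.rpartition("\\")
            core = lookalike_of(name)
            if core is None:
                continue
            if parent.upper() != canonical:
                findings.append((path, f"{core} outside {canonical}"))
            elif name.lower() != core:
                findings.append((path, f"name imitates {core}"))
    return findings


if __name__ == "__main__":
    for path, why in find_masquerades(SAMPLE_LOG):
        print(f"{path:50s} {why}")
```

Run against the sample it reports the four impostors and stays quiet about the five real system processes and the unrelated vedxg6ame4.exe. It is a triage aid, not a verdict: the fake "lsass" and "Microsoft Internet Service" services and the igotsovh Winlogon Notify entry in the same logs are persistence points this path check does not look at, so the rest of the log still has to be read.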



    C:\Program Files\Logitech\iTouch\iTouch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "nForce Tray Options"=sstray.exe /r
    "AtiPTA"=atiptaxx.exe

    S1 atitray;atitray;\??\E:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys
    S2 aic78x5;aic78x5;E:\WINDOWS\system32\drivers\aic78x5.sys
    S3 ASPI;Advanced SCSI Programming Interface Driver;\??\E:\WINDOWS\System32\DRIVERS\ASPI32.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\Autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    \Shell\AutoRun\command - G:\OblivionLauncher.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
    \Shell\AutoRun\command - H:\autoplay.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
    \Shell\AutoRun\command - J:\Setup\rsrc\autorun.exe
    \Shell\dinstall\command - J:\Directx\dxsetup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
    \Shell\AutoRun\command - K:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-27 02:10:15 E:\WINDOWS\Tasks\1-Click Maintenance.job"
    "2007-09-20 03:56:46 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - E:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-04 16:04:28
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    "ServiceDll"="E:\WINDOWS\System32\es.dll"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@D:+FAH504-Console.exe]
    "ImagePath"="D:\FAH504-Console.exe -svcstart"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@E:+Documents and Settings+Evan+Desktop+FAH504-Console.exe]
    "ImagePath"="E:\Documents and Settings\Evan\Desktop\FAH504-Console.exe -svcstart"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@E:+Program Files+Folding+FAH504-Console.exe]
    .
    Completion time: 2007-11-04 16:05:07 - machine was rebooted
    E:\ComboFix2.txt ... 2007-11-04 15:54
    E:\ComboFix3.txt ... 2007-11-03 21:54
    .
    --- E O F ---



    SmitFraudFix v2.247

    Scan done at 16:15:03.07, Sun 11/04/2007
    Run from E:\Documents and Settings\Administrator\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS



    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
  • edited November 2007
    Well after a long delay my computer finally loaded into normal mode. Internet wasn't working (couldn't find adapters), New Hardware Found kept popping up to install an 'Unknown' device, and when I attempted to install Norton 2008 I got the BSOD as it was scanning before the installation.
  • muulimuuli Finland
    edited November 2007
    Hi,

    Now you can open your computer in normal mode, so please scan with HijackThis and ComboFix in normal mode and post the logs :)
  • edited November 2007
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:02:30 PM, on 11/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\csrss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\savedump.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\Ati2evxx.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\Ati2evxx.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\taskmgr.exe
    E:\HijackThis\HijackThis.exe
    E:\Program Files\MacOpener\FORMATM.EXE
    E:\WINDOWS\System32\msiexec.exe
    E:\WINDOWS\system32\wdfmgr.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\wuauclt.exe
    E:\WINDOWS\System32\imapi.exe
    E:\WINDOWS\System32\wbem\wmiprvse.exe
    E:\WINDOWS\system32\rundll32.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - E:\PROGRA~1\PACIFI~1\pacificpoker.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127266059866
    O20 - Winlogon Notify: igotsovh - igotsovh.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: FAH@D:+FAH504-Console.exe - Unknown owner - D:\FAH504-Console.exe (file missing)
    O23 - Service: FAH@E:+Program Files+Folding+FAH504-Console.exe - Unknown owner - E:\Program Files\Folding\FAH504-Console.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MacFormatService - DataViz Inc. - E:\Program Files\MacOpener\FORMATM.EXE
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR2a\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR2a\RpcSandraSrv.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

    --
    End of file - 5039 bytes



    ComboFix 07-11-01.1 - Evan 11/04/2007 18:04:34.4 - NTFSx86
    Running from: E:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    E:\DOCUME~1\Evan\APPLIC~1\macromedia\Flash Player\#SharedObjects\P96U2CTK\www.broadcaster.com
    E:\DOCUME~1\Evan\APPLIC~1\macromedia\Flash Player\#SharedObjects\P96U2CTK\www.broadcaster.com\played_list.sol
    E:\DOCUME~1\Evan\APPLIC~1\macromedia\Flash Player\#SharedObjects\P96U2CTK\www.broadcaster.com\video_queue.sol
    E:\DOCUME~1\Evan\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
    E:\DOCUME~1\Evan\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
    E:\DOCUME~1\Evan\Desktop\Go to Casino.lnk
    E:\DOCUME~1\Evan\Desktop\Live Safety Center.lnk
    E:\DOCUME~1\Evan\Desktop\Online Security Guide.lnk
    E:\DOCUME~1\Evan\FAVORI~1\Online Security Guide.lnk

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-04 21:36 d-----w E:\Program Files\Common Files\Symantec Shared
    2007-11-04 00:01 d-----w E:\Documents and Settings\Administrator\Application Data\U3
    2007-10-31 18:20 359,808 ----a-w E:\WINDOWS\system32\drivers\tcpip.sys
    2007-10-31 04:20 d-----w E:\Program Files\microsoft frontpage
    2007-10-30 23:13 d-----w E:\Documents and Settings\Administrator\Application Data\TuneUp Software
    2007-10-30 22:43 d-----w E:\Documents and Settings\Administrator\Application Data\Talkback
    2007-10-30 22:00 d-----w E:\Documents and Settings\Administrator\Application Data\Lavasoft
    2007-10-30 17:16 d-----w E:\Documents and Settings\Freshly\Application Data\Lavasoft
    2007-10-27 15:43 d-----w E:\DOCUME~1\Evan\APPLIC~1\uTorrent
    2007-10-23 05:27 d-----w E:\DOCUME~1\Evan\APPLIC~1\mIRC
    2007-10-23 03:49 d-----w E:\Program Files\mIRC
    2007-10-22 20:08 139,264 ----a-w E:\WINDOWS\War3Unin.exe
    2007-10-22 14:07 d--h--w E:\Program Files\InstallShield Installation Information
    2007-10-22 13:45 d-----w E:\Program Files\Activision
    2007-10-22 13:34 d-----w E:\Program Files\MagicDisc
    2007-10-16 03:25 3,144 ----a-w E:\WINDOWS\system32\SProxy_tmp.dll
    2007-10-07 21:00 d-----w E:\Program Files\WinUHA
    2007-10-04 20:20 d-----w E:\Documents and Settings\Freshly\Application Data\atitray
    2007-10-04 20:12 d-----w E:\Program Files\Radeon Omega Drivers
    2007-10-04 17:33 451,072 ----a-w E:\WINDOWS\Radeon Omega Drivers v3.8.413 Uninstall.exe
    2007-10-04 17:17 d-----w E:\Program Files\Common Files\Adobe
    2007-10-04 04:36 25,600 ----a-w E:\WINDOWS\system32\WS2Fix.exe
    2007-10-02 17:48 451,072 ----a-w E:\WINDOWS\Radeon Omega Drivers v3.8.360 Uninstall.exe
    2007-10-02 17:34 d-----w E:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-09-28 19:39 d-----w E:\Program Files\Microsoft Games
    2007-09-26 04:25 d-----w E:\Program Files\iTunes
    2007-09-26 04:25 d-----w E:\Program Files\iPod
    2007-09-15 13:39 d-----w E:\Program Files\Apple Software Update
    2007-09-06 04:22 289,144 ----a-w E:\WINDOWS\system32\VCCLSID.exe
    2007-09-05 05:46 92,544 ----a-w E:\WINDOWS\system32\drivers\mcdbus.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2007-11-03_21.53.51.25 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2004-08-04 06:14:10 73,472 ----a-w E:\WINDOWS\bck8.dat
    - 2005-02-25 00:35:06 14,048 ----a-w E:\WINDOWS\system32\spmsg.dll
    + 2005-05-03 17:58:20 13,536 ------w E:\WINDOWS\system32\spmsg.dll
    + 2007-11-04 23:05:59 53,248 ----a-w E:\WINDOWS\TEMP\txsplnkcLS.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTHelper"="CTHELPER.EXE" [10/06/2003 01:57 AM E:\WINDOWS\system32\CTHELPER.EXE]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igotsovh]
    igotsovh.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=E:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^MacName.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\MacName.lnk
    backup=E:\WINDOWS\pss\MacName.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
    path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\Folding@Home 5.03.lnk
    backup=E:\WINDOWS\pss\Folding@Home 5.03.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
    path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
    backup=E:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^TrayIt!.lnk]
    path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\TrayIt!.lnk
    backup=E:\WINDOWS\pss\TrayIt!.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Freshly^Start Menu^Programs^Startup^Think-Adz.lnk]
    path=E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\Think-Adz.lnk
    backup=E:\WINDOWS\pss\Think-Adz.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    "E:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
    atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\csrss]
    E:\WINDOWS\system32\wbem\csrss.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    E:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
    E:\WINDOWS\system32\mwinndq.exe CHD001

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "E:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MacLicense]
    "E:\Program Files\MacOpener\MacLic.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    E:\Program Files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack9]
    "E:\Program Files\QdrPack\QdrPack9.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "E:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
    E:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TuneUp MemOptimizer]
    "C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" autostart

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Undefined]
    E:\WINDOWS\system32\winter.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    "E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
    E:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
    C:\Program Files\Logitech\iTouch\iTouch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "nForce Tray Options"=sstray.exe /r
    "AtiPTA"=atiptaxx.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-27 02:10:15 E:\WINDOWS\Tasks\1-Click Maintenance.job"
    "2007-09-20 03:56:46 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - E:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-04 18:06:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    "ServiceDll"="E:\WINDOWS\System32\es.dll"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@D:+FAH504-Console.exe]
    "ImagePath"="D:\FAH504-Console.exe -svcstart"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@E:+Documents and Settings+Evan+Desktop+FAH504-Console.exe]
    "ImagePath"="E:\Documents and Settings\Evan\Desktop\FAH504-Console.exe -svcstart"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@E:+Program Files+Folding+FAH504-Console.exe]
    .
    Completion time: 11/04/2007 18:07:01
    .
    --- E O F ---
  • muulimuuli Finland
    edited November 2007
    Hi,


    Step 1

    Please Send this file to virustotal and post results to your next reply:
    • When you are at VirusTotal.
    • Press Browse button.
    • Find this file - E:\WINDOWS\system32\SProxy_tmp.dll
    • When you have found the file, press Open.
    • Press Send.
    • Post the results to your next reply.
    Please send this too and post the report:
    E:\WINDOWS\bck8.dat


    Step 2

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.


    Step 3

    Download F-Secure Blacklight (fsbl.exe) to the desktop from here.

    Open it and click Accept Agreement.
    Click Scan.
    After the scan is complete, click Next, then Exit.
    It will create a log on the desktop named fsbl-xxxxxxx.log (the xxxxxxx will be the date and time of the scan)
    Save the log to your desktop.

    Step 4

    Please download AVG anti-spyware to your Desktop or to your usual Download Folder, from HERE
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update AVG.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
    Don't run a scan yet.


    Step 5

    Open HijackThis, press Do a system scan only, checkmark these lines:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
    O20 - Winlogon Notify: igotsovh - igotsovh.dll (file missing)
    Then close ALL windows including browser and press Fix checked.


    Step 6

    Open notepad and copy/paste the text in the quotebox below into it:
    File::
    E:\WINDOWS\system32\wbem\csrss.exe
    E:\WINDOWS\system32\winter.exe
    E:\WINDOWS\system32\mwinndq.exe
    E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\Think-Adz.lnk
    E:\WINDOWS\pss\Think-Adz.lnkStartup
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Freshly^Start Menu^Programs^Startup^Think-Adz.lnk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\csrss]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Undefined]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
    
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    [screenshot: CFScript.gif]

    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

    Step 7

    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    Once in Safe Mode:


    Step 8

    RUN AVG ANTI-SPYWARE
    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
        [screenshot: scanavgjk2.jpg]
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot in Normal Mode.

    Step 9

    Please post a fresh HijackThis log, blacklight log, Combofix log, AVG Anti-Spyware log and Virustotal results.
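    The entries the helper picks out in Steps 5 and 6 share a handful of signals that can be checked mechanically: a core Windows process name autostarting from a directory other than system32 (the wbem\csrss.exe entry), an executable dropped straight into system32 under a startup name that has nothing to do with it (winter.exe as "Undefined", mwinndq.exe as "ExploreUpdSched"), a Winlogon Notify DLL that no longer exists, and Internet Explorer protocol defaults moved into the My Computer zone. The script below is an added example for this thread, not code from HijackThis, ComboFix or the helper; it encodes those signals as rules and runs them over lines copied from the logs above. The rule names and the assumption that Windows lives on E: (as the logs show) are the example's own.

```python
"""Rule-based triage of HijackThis and ComboFix autostart entries.

Added example for this thread; not code from HijackThis, ComboFix or the
helper. Sample lines are copied from the logs posted above; the rule names
and the SYSTEM32 constant are this example's own assumptions.
"""
import re

# Windows XP runs these only from %SystemRoot%\system32; a copy that
# autostarts from anywhere else (system32\wbem\csrss.exe above) is a
# process-name masquerade, not the real binary.
CORE_SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = r"e:\windows\system32"  # Windows is on E: on this machine (see logs)

STARTUPREG_RE = re.compile(
    r"\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig"
    r"\\startupreg\\([^\]]+)\]\r?\n[ \t]*(.+)", re.IGNORECASE)

HJT_RULES = [  # (rule name, predicate over one HijackThis line)
    ("winlogon-notify-missing-dll",
     lambda l: l.startswith("O20 - Winlogon Notify") and "(file missing)" in l),
    ("protocol-zone-default-tampered",
     lambda l: l.startswith("O15 - ProtocolDefaults") and "should be" in l),
    ("urlsearchhook-missing",
     lambda l: l.startswith("R3 - Default URLSearchHook is missing")),
    ("blank-start-page",
     lambda l: re.match(r"R0 - .*(Start Page|Local Page) =\s*$", l) is not None),
    ("dumprep-leftover", lambda l: "[KernelFaultCheck]" in l),
]


def _exe_path(command):
    """First token of a startup command, lower-cased, %systemroot% expanded."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = command.split()[0]
    return path.lower().replace("%systemroot%", r"e:\windows")


def _stem(name):
    return re.sub(r"\.exe$", "", name.lower())


def triage_hijackthis(lines):
    """(rule, line) for each HijackThis line that trips a rule."""
    findings = []
    for line in (l.strip() for l in lines):
        for rule, hit in HJT_RULES:
            if hit(line):
                findings.append((rule, line))
                break
    return findings


def triage_combofix_startupreg(text):
    """(rule, key, path) for each suspicious msconfig startupreg entry."""
    findings = []
    for key, command in STARTUPREG_RE.findall(text):
        path = _exe_path(command)
        directory, _, basename = path.rpartition("\\")
        if basename in CORE_SYSTEM_BINARIES and directory != SYSTEM32:
            findings.append(("core-binary-outside-system32", key, path))
        elif directory == SYSTEM32 and _stem(key) != _stem(basename):
            # A loader dropped straight into system32 under a startup name
            # that does not match it (winter.exe as "Undefined"). Heuristic:
            # the harmless dumprep leftover trips it too, as it does in Step 5.
            findings.append(("unfamiliar-loader-in-system32", key, path))
    return findings


# Sample input, copied from the HijackThis and ComboFix logs in this thread.
SAMPLE_HJT_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =",
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone",
    r"O20 - Winlogon Notify: igotsovh - igotsovh.dll (file missing)",
]
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\csrss]
E:\WINDOWS\system32\wbem\csrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
E:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
E:\WINDOWS\system32\mwinndq.exe CHD001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"E:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Undefined]
E:\WINDOWS\system32\winter.exe
"""

if __name__ == "__main__":
    for finding in triage_hijackthis(SAMPLE_HJT_LINES):
        print("HJT", *finding)
    for finding in triage_combofix_startupreg(SAMPLE_COMBOFIX):
        print("CF ", *finding)
```

    Run as-is it prints the flagged entries, which are exactly the ones the helper lists for HijackThis and in the CFScript. The ComboFix rules are heuristics for reading the log, not a verdict: the dumprep entry they flag is a harmless error-reporting leftover, which is why the helper sends the unfamiliar files to VirusTotal in Step 1 before deleting anything.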
  • edited November 2007
    Antivirus Version Last Update Result
    AhnLab-V3 2007.11.6.1 2007.11.06 -
    AntiVir 7.6.0.30 2007.11.05 HEUR/Malware
    Authentium 4.93.8 2007.11.05 -
    Avast 4.7.1074.0 2007.11.05 -
    AVG 7.5.0.503 2007.11.05 -
    BitDefender 7.2 2007.11.06 -
    CAT-QuickHeal 9.00 2007.11.05 -
    ClamAV 0.91.2 2007.11.06 -
    DrWeb 4.44.0.09170 2007.11.05 Trojan.Proxy.2360
    eSafe 7.0.15.0 2007.10.28 -
    eTrust-Vet 31.2.5270 2007.11.05 -
    Ewido 4.0 2007.11.05 -
    FileAdvisor 1 2007.11.06 -
    Fortinet 3.11.0.0 2007.10.19 -
    F-Prot 4.4.2.54 2007.11.06 W32/Heuristic-170!Eldorado
    F-Secure 6.70.13030.0 2007.11.05 W32/Malware.BFFB
    Ikarus T3.1.1.12 2007.11.06 -
    Kaspersky 7.0.0.125 2007.11.06 -
    McAfee 5156 2007.11.05 -
    Microsoft 1.2908 2007.11.05 -
    NOD32v2 2637 2007.11.06 -
    Norman 5.80.02 2007.11.05 W32/Malware.BFFB
    Panda 9.0.0.4 2007.11.06 Suspicious file
    Prevx1 V2 2007.11.06 -
    Rising 20.17.02.00 2007.11.06 -
    Sophos 4.23.0 2007.11.06 -
    Sunbelt 2.2.907.0 2007.11.02 -
    Symantec 10 2007.11.06 Hacktool.Proxy
    TheHacker 6.2.9.117 2007.11.06 -
    VBA32 3.12.2.4 2007.11.05 -
    VirusBuster 4.3.26:9 2007.11.05 -
    Webwasher-Gateway 6.0.1 2007.11.05 Heuristic.Malware

    Additional information
    File size: 3144 bytes
    MD5: 9b0f56e8386bf5eb07a99bbf693e619a
    SHA1: d894754b0ef4460d21eb3aa5f5424952d0692c90



    There's the scan of the first file. I somehow lost the AVG scan record, but it found 174 problems, about 15 of them being pretty major. The scan above was done after every step you listed was completed. I'll go through and post fresh logs shortly.
  • edited November 2007
    One thing I noticed is that almost no changes I try to do actually "stick." For instance, every time I open up my E: drive it warns me that the files are hidden and shouldn't be altered... I continue and it lets me, but the next time I click on it the same thing happens.

    My start menu doesn't show any of the left column, My Network Places. It doesn't allow me to change to Classic View in the Control Panel. I still have no internet connection.

    Here's a HiJackThis log. I went through and Fixed the ones you listed, but as you can see 8 of them came back. I tried 4-5 times to no avail.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:42:58 AM, on 11/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\csrss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\Ati2evxx.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\Ati2evxx.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\Explorer.EXE
    E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    E:\Program Files\MacOpener\FORMATM.EXE
    E:\WINDOWS\System32\msiexec.exe
    E:\WINDOWS\system32\wdfmgr.exe
    E:\WINDOWS\System32\svchost.exe
    E:\HijackThis\HijackThis.exe
    E:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127266059866
    O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: FAH@D:+FAH504-Console.exe - Unknown owner - D:\FAH504-Console.exe (file missing)
    O23 - Service: FAH@E:+Program Files+Folding+FAH504-Console.exe - Unknown owner - E:\Program Files\Folding\FAH504-Console.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MacFormatService - DataViz Inc. - E:\Program Files\MacOpener\FORMATM.EXE
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR2a\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR2a\RpcSandraSrv.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

    --
    End of file - 4321 bytes



    ComboFix 07-11-01.1 - Evan 11/05/2007 18:54:04.7 - NTFSx86
    Running from: E:\Documents and Settings\Evan\Desktop\ComboFix.exe
    Command switches used :: E:\Documents and Settings\Evan\Desktop\CFScript.txt

    FILE::
    E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\Think-Adz.lnk
    E:\WINDOWS\pss\Think-Adz.lnkStartup
    E:\WINDOWS\system32\mwinndq.exe
    E:\WINDOWS\system32\wbem\csrss.exe
    E:\WINDOWS\system32\winter.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    E:\WINDOWS\pss\Think-Adz.lnkStartup

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-05 23:50 d-----w E:\DOCUME~1\Evan\APPLIC~1\Grisoft
    2007-11-05 23:46 d-----w E:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-05 04:35 d-----w E:\Program Files\Common Files\Symantec Shared
    2007-11-05 02:05 d-----w E:\DOCUME~1\Evan\APPLIC~1\uTorrent
    2007-11-04 00:01 d-----w E:\Documents and Settings\Administrator\Application Data\U3
    2007-10-31 18:20 359,808 ----a-w E:\WINDOWS\system32\drivers\tcpip.sys
    2007-10-31 04:20 d-----w E:\Program Files\microsoft frontpage
    2007-10-30 23:13 d-----w E:\Documents and Settings\Administrator\Application Data\TuneUp Software
    2007-10-30 22:43 d-----w E:\Documents and Settings\Administrator\Application Data\Talkback
    2007-10-30 22:00 d-----w E:\Documents and Settings\Administrator\Application Data\Lavasoft
    2007-10-30 17:16 d-----w E:\Documents and Settings\Freshly\Application Data\Lavasoft
    2007-10-23 05:27 d-----w E:\DOCUME~1\Evan\APPLIC~1\mIRC
    2007-10-23 03:49 d-----w E:\Program Files\mIRC
    2007-10-22 20:08 139,264 ----a-w E:\WINDOWS\War3Unin.exe
    2007-10-22 14:07 d--h--w E:\Program Files\InstallShield Installation Information
    2007-10-22 13:45 d-----w E:\Program Files\Activision
    2007-10-22 13:34 d-----w E:\Program Files\MagicDisc
    2007-10-16 03:25 3,144 ----a-w E:\WINDOWS\system32\SProxy_tmp.dll
    2007-10-07 21:00 d-----w E:\Program Files\WinUHA
    2007-10-04 20:20 d-----w E:\Documents and Settings\Freshly\Application Data\atitray
    2007-10-04 20:12 d-----w E:\Program Files\Radeon Omega Drivers
    2007-10-04 17:33 451,072 ----a-w E:\WINDOWS\Radeon Omega Drivers v3.8.413 Uninstall.exe
    2007-10-04 17:17 d-----w E:\Program Files\Common Files\Adobe
    2007-10-04 04:36 25,600 ----a-w E:\WINDOWS\system32\WS2Fix.exe
    2007-10-02 17:48 451,072 ----a-w E:\WINDOWS\Radeon Omega Drivers v3.8.360 Uninstall.exe
    2007-10-02 17:34 d-----w E:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-09-28 19:39 d-----w E:\Program Files\Microsoft Games
    2007-09-26 04:25 d-----w E:\Program Files\iTunes
    2007-09-26 04:25 d-----w E:\Program Files\iPod
    2007-09-15 13:39 d-----w E:\Program Files\Apple Software Update
    2007-09-06 04:22 289,144 ----a-w E:\WINDOWS\system32\VCCLSID.exe
    2007-09-05 05:46 92,544 ----a-w E:\WINDOWS\system32\drivers\mcdbus.sys
    .
    .

    ((((((((((((((((((((((((((((( snapshot@2007-11-03_21.53.51.25 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2004-08-04 06:14:10 73,472 ----a-w E:\WINDOWS\bck8.dat
    + 2007-05-30 12:10:42 10,872 ----a-w E:\WINDOWS\system32\drivers\AvgAsCln.sys
    - 2005-02-25 00:35:06 14,048 ----a-w E:\WINDOWS\system32\spmsg.dll
    + 2005-05-03 17:58:20 13,536 ------w E:\WINDOWS\system32\spmsg.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTHelper"="CTHELPER.EXE" [10/06/2003 01:57 AM E:\WINDOWS\system32\CTHELPER.EXE]
    "!AVG Anti-Spyware"="E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=E:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^MacName.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\MacName.lnk
    backup=E:\WINDOWS\pss\MacName.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
    path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\Folding@Home 5.03.lnk
    backup=E:\WINDOWS\pss\Folding@Home 5.03.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
    path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
    backup=E:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^TrayIt!.lnk]
    path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\TrayIt!.lnk
    backup=E:\WINDOWS\pss\TrayIt!.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    "E:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
    atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    E:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "E:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MacLicense]
    "E:\Program Files\MacOpener\MacLic.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    E:\Program Files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack9]
    "E:\Program Files\QdrPack\QdrPack9.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "E:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
    E:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TuneUp MemOptimizer]
    "C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" autostart

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    "E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
    E:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
    C:\Program Files\Logitech\iTouch\iTouch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "nForce Tray Options"=sstray.exe /r
    "AtiPTA"=atiptaxx.exe

    *Newly Created Service* - AVG_ANTI-SPYWARE_DRIVER
    *Newly Created Service* - AVG_ANTI-SPYWARE_GUARD
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-27 02:10:15 E:\WINDOWS\Tasks\1-Click Maintenance.job"
    "2007-09-20 03:56:46 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - E:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-05 18:56:09
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    "ServiceDll"="E:\WINDOWS\System32\es.dll"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@D:+FAH504-Console.exe]
    "ImagePath"="D:\FAH504-Console.exe -svcstart"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@E:+Documents and Settings+Evan+Desktop+FAH504-Console.exe]
    "ImagePath"="E:\Documents and Settings\Evan\Desktop\FAH504-Console.exe -svcstart"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@E:+Program Files+Folding+FAH504-Console.exe]
    .
    Completion time: 11/05/2007 18:56:53
    E:\ComboFix2.txt ... 11/04/2007 11:26 PM
    .
    --- E O F ---



    Backlight found nothing. I'll upload a screenshot of all the quarantined files when I can, but something I'd like to mention is that one just won't go away. It's in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts and is infected with Proxy.Small. I've cleaned it a couple times yet each time in normal mode it comes back.
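The HijackThis log above is what the helper works from; as an added example (not tooling from this thread), here is a small triage script that picks out the entry types acted on first: O15 zone remaps, the missing R3 URLSearchHook, and orphaned O2/O23 entries. The regexes follow the HJT line layout quoted in the post; the severity labels are my own choice, and the sample is an excerpt of the posted log plus one constructed orphan-BHO line with a placeholder CLSID.

```python
"""Triage a HijackThis log for the entry types a helper acts on first.

Added example, not tooling from the thread. The regexes follow the HJT
line layout quoted in the post; severity labels are my own choice.
"""
import re

# Excerpt of the posted log plus one constructed orphan-BHO line (placeholder CLSID).
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: FAH@D:+FAH504-Console.exe - Unknown owner - D:\FAH504-Console.exe (file missing)
"""

O15_RE = re.compile(r"^O15 - ProtocolDefaults: '(?P<proto>[^']+)' protocol is in "
                    r"(?P<current>.+?) Zone, should be (?P<expected>.+?) Zone$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
SEVERITY = {"high": 0, "medium": 1, "low": 2}


def triage(log_text):
    """Return findings sorted high -> low; each is {"type", "severity", "detail"}."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O15_RE.match(line)
        if m:
            # My Computer Zone has the most permissive IE defaults, so mapping
            # http/https into it strips zone restrictions from ordinary web content.
            findings.append({"type": "O15", "severity": "high",
                             "detail": f"'{m['proto']}' handled in {m['current']} Zone, "
                                       f"expected {m['expected']} Zone"})
            continue
        m = O23_RE.match(line)
        if m and m["missing"]:
            # Service whose binary is gone: a leftover, but worth removing.
            findings.append({"type": "O23", "severity": "low",
                             "detail": f"service '{m['name']}' points at missing {m['path']}"})
            continue
        m = O2_RE.match(line)
        if m and m["path"] == "(no file)":
            findings.append({"type": "O2", "severity": "low",
                             "detail": f"orphaned BHO registration {m['clsid']}"})
            continue
        if line == "R3 - Default URLSearchHook is missing":
            findings.append({"type": "R3", "severity": "medium",
                             "detail": "IE default URLSearchHook absent; HijackThis can restore it"})
    findings.sort(key=lambda f: SEVERITY[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['type']}: {f['detail']}")
```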
  • muulimuuli Finland
    edited November 2007
    Hi,

    Did you send this to virustotal?
    E:\WINDOWS\bck8.dat


    If you didn't send it, please send it and give the results :)

    And we'll try to solve your connection problems, when the malware is deleted.
  • edited November 2007
    Here's the log for bck8.dat.

    Antivirus;Version;Last Update;Result
    AhnLab-V3;2007.11.7.0;2007.11.06;Win-Trojan/Agent.69856
    AntiVir;7.6.0.30;2007.11.06;TR/Dropper.Gen
    Authentium;4.93.8;2007.11.05;-
    Avast;4.7.1074.0;2007.11.05;Win32:Nulprot-B
    AVG;7.5.0.503;2007.11.06;Proxy.VHE
    BitDefender;7.2;2007.11.06;-
    CAT-QuickHeal;9.00;2007.11.06;TrojanProxy.Agent.nu
    ClamAV;0.91.2;2007.11.06;-
    DrWeb;4.44.0.09170;2007.11.06;DLOADER.Trojan
    eSafe;7.0.15.0;2007.10.28;Win32.Agent.nu
    eTrust-Vet;31.2.5270;2007.11.05;-
    Ewido;4.0;2007.11.06;-
    FileAdvisor;1;2007.11.06;-
    Fortinet;3.11.0.0;2007.10.19;-
    F-Prot;4.4.2.54;2007.11.06;-
    F-Secure;6.70.13030.0;2007.11.06;Trojan-Proxy.Win32.Agent.nu
    Ikarus;T3.1.1.12;2007.11.06;Trojan-Proxy.Win32.Agent.nu
    Kaspersky;7.0.0.125;2007.11.06;Trojan-Proxy.Win32.Agent.nu
    McAfee;5157;2007.11.06;Ascesso!rootkit
    Microsoft;1.3007;2007.11.06;Backdoor:WinNT/Tofsee.A!sys
    NOD32v2;2641;2007.11.06;Win32/TrojanProxy.Agent.NCY
    Norman;5.80.02;2007.11.06;W32/Agent.CVMW
    Panda;9.0.0.4;2007.11.06;Trj/Downloader.MDW
    Prevx1;V2;2007.11.06;Heuristic: Suspicious File With Bad Parent Associations
    Rising;20.17.12.00;2007.11.06;-
    Sophos;4.23.0;2007.11.06;-
    Sunbelt;2.2.907.0;2007.11.02;-
    Symantec;10;2007.11.06;Hacktool.Spammer
    TheHacker;6.2.9.117;2007.11.06;Trojan/Proxy.Agent.nu
    VBA32;3.12.2.4;2007.11.06;Trojan-Proxy.Win32.Agent.nu
    VirusBuster;4.3.26:9;2007.11.06;-
    Webwasher-Gateway;6.0.1;2007.11.06;Trojan.Dropper.Gen

    Additional information
    File size: 73472 bytes
    MD5: 13739b01616d2e5f040ebf099a0ca7a9
    SHA1: ce99b591f9276cb20497c18b332a1fce393af6d5
    packers: embedded
    packers: embedded
    Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=71830E0E007FAA301F650128E1022F0003E8E48B
    Pretty brutal.
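To read a report like the one above quickly, a helper wants three numbers: how many engines flag the file, what behaviour the vendor names agree on, and which "-" results come from engines with stale signatures. This added example (not code from the thread) parses the semicolon-separated VirusTotal export format quoted above; the sample is a shortened excerpt of that report, and the behaviour keyword list and 7-day staleness rule are my own choices.

```python
"""Summarise a VirusTotal result block in the "Antivirus;Version;Last Update;Result" format.

Added example, not code from the thread. "-" in Result means the engine
reported nothing; behaviour keywords and the 7-day staleness rule are my choice.
"""
from collections import Counter
from datetime import datetime, timedelta

# Excerpt of the bck8.dat report quoted above (shortened, not the full 32-engine list).
SAMPLE_REPORT = """Antivirus;Version;Last Update;Result
AhnLab-V3;2007.11.7.0;2007.11.06;Win-Trojan/Agent.69856
Authentium;4.93.8;2007.11.05;-
AVG;7.5.0.503;2007.11.06;Proxy.VHE
CAT-QuickHeal;9.00;2007.11.06;TrojanProxy.Agent.nu
ClamAV;0.91.2;2007.11.06;-
Fortinet;3.11.0.0;2007.10.19;-
F-Secure;6.70.13030.0;2007.11.06;Trojan-Proxy.Win32.Agent.nu
Kaspersky;7.0.0.125;2007.11.06;Trojan-Proxy.Win32.Agent.nu
McAfee;5157;2007.11.06;Ascesso!rootkit
Microsoft;1.3007;2007.11.06;Backdoor:WinNT/Tofsee.A!sys
NOD32v2;2641;2007.11.06;Win32/TrojanProxy.Agent.NCY
Sophos;4.23.0;2007.11.06;-
Symantec;10;2007.11.06;Hacktool.Spammer
"""

# Behaviour words worth extracting from vendor names (family names differ, behaviours agree).
BEHAVIOUR_TAGS = ("proxy", "spam", "backdoor", "rootkit", "dropper", "downloader")


def parse_report(text):
    """Return (engine, version, update_date, result) tuples; result is None when clean."""
    rows = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != 4 or parts[0] == "Antivirus":
            continue  # header or malformed line
        engine, version, updated, result = parts
        rows.append((engine, version, datetime.strptime(updated, "%Y.%m.%d"),
                     None if result == "-" else result))
    return rows


def summarise(rows, stale_after=timedelta(days=7)):
    """Detection count, behaviour consensus, and engines whose signatures were stale."""
    newest = max(r[2] for r in rows)
    tags = Counter()
    stale = []
    detections = 0
    for engine, _version, updated, result in rows:
        if newest - updated > stale_after:
            stale.append(engine)  # a "-" from a stale engine is weak evidence of cleanliness
        if result is None:
            continue
        detections += 1
        low = result.lower()
        tags.update(tag for tag in BEHAVIOUR_TAGS if tag in low)
    top = tags.most_common(1)[0][0] if tags else None
    return {"engines": len(rows), "detections": detections,
            "behaviour_tags": tags, "top_tag": top, "stale_engines": stale}


if __name__ == "__main__":
    s = summarise(parse_report(SAMPLE_REPORT))
    print(f"{s['detections']}/{s['engines']} engines flag the file; consensus: {s['top_tag']}")
    print("stale signature sets:", s["stale_engines"] or "none")
```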
  • muulimuuli Finland
    edited November 2007
    Hi,

    Step 1
    My start menu doesn't show any of the left column, My Network Places. It doesn't allow me to change to Classic View in the Control Panel.
    I'm not sure what you meant, so can you take screenshots and post them here? Here is an instruction on how you can take a screenshot --> link

    And I don't see any firewall or antivirus on your computer. Have you installed any firewall and antivirus?

    Step 2

    It is really possible that AVG Anti-Spyware disabled the HjT fix, so please disable AVG Anti-Spyware so that the HjT fix works.
    Here are instructions on how to do it.

    Open AVG Anti-Spyware.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    Step 3

    Open notepad and copy/paste the text in the quotebox below into it:
    File::
    E:\WINDOWS\system32\SProxy_tmp.dll
    E:\WINDOWS\bck8.dat
    E:\WINDOWS\system32\WS2Fix.exe
    E:\WINDOWS\bck8.dat
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    CFScript.gif

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

    Step 4

    Open HijackThis, press Do a system scan only, checkmark these lines:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
    Then close ALL windows including browser and press Fix checked.

    Step 5

    Please download MWav:
    • Unzip it to its predetermined directory (C:\Kaspersky)
    • Locate kavupd.exe in the new folder and double-click to Update.
    • If your firewall gives any messages about this program accessing the internet, allow it.
    • If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
    • When you see Updates Downloaded Successfully, hit Enter to continue.
    • Restart into Safe Mode and locate the Kaspersky folder.
    • Locate mwavscan.com and double-click on it to launch the MWAV Scanner.
    Now let's do the settings:
    • Leave the Default Settings checked.
    • Add a check to Drives
    • This will light up All Drives
    • Add a check to Scan all Files
    • Click Scan Clean to begin.
    This scan might take around 3+ hours to finish when set to scan everything.
    • Please be sure it has finished before proceeding.
    • Once the Scan has finished, all entries identified as Infected, will be displayed in the lower panel.
    • Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
    • Open an empty notepad file and paste the results (Ctrl+V) into it. Save the notepad to your desktop, name it as you want (e.g. MWav Results).
    Reboot into normal Windows and post the results here.

    Step 6

    Then post a fresh HijackThis log, ComboFix log, eScan log and screenshots.