Trojan... need help (Trojan.Win32.Agent.ftz, File: c:\windows\system32\ntspool.exe)

strikerX90 Islamabad
edited February 2008 in Spyware & Virus Removal
There is a trojan in my PC. My antivirus detected it but it's not disinfecting it...
Also, this is a HijackThis log. Check if there is more than one trojan in my PC.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:27 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.orkut.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196090485859
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2906B65A-0AC5-42AD-A39B-FC278A83C5AD}: NameServer = 58.65.175.74 203.82.48.3
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6658 bytes


Comments

  • strikerX90 Islamabad
    edited February 2008
    There is another problem on which I would like to get your attention... I have Registry Mechanic for my registry fixes but it is not fixing entries made by Kaspersky Anti-Virus. It finds around 90+ problems in Kaspersky registry entries but doesn't fix them... ANY IDEAS?
    I have tried other registry software too but these problems are still there.
  • kryyst Ontario, Canada
    edited February 2008
    This line needs to be fixed:
    O1 - Hosts: 66.98.148.65 auto.search.msn.es

    Make sure that your hosts file in c:\windows\system32\drivers\etc\hosts isn't full of garbage.

    This line
    O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
    is particularly nasty.

    This line
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
    could be an issue with a problematic ActiveX site.

    This line
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2906B65A-0AC5-42AD-A39B-FC278A83C5AD}: NameServer = 58.65.175.74 203.82.48.3
    if you don't know what those IPs are, this could be another hijack.
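As an added example that is not part of this thread, the checks applied in the post above (a hosts-file redirect, an autostart under Policies\Explorer\Run, a DPF entry with no source URL, and DNS servers that need confirming) written as a small Python triage script over HijackThis lines copied from the log at the top of the page; the rule wording and output format are my own, not HijackThis's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few HijackThis v2 lines taken from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196090485859
O17 - HKLM\System\CCS\Services\Tcpip\..\{2906B65A-0AC5-42AD-A39B-FC278A83C5AD}: NameServer = 58.65.175.74 203.82.48.3
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
""".strip()

# Every HijackThis entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    code: str
    line: str
    reason: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis line, or None if no rule fires."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    if code == "O1":
        # Hosts-file mapping: anything beyond localhost/127.x silently redirects name lookups.
        hosts = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
        if hosts:
            ip, host = hosts.groups()
            if not (ip.startswith("127.") or host.lower() == "localhost"):
                return Finding(code, line, f"hosts file maps {host} to {ip}; restore the default hosts file")

    elif code == "O4":
        # Policies\Explorer\Run is an autostart location legitimate installers rarely use.
        if "\\Policies\\Explorer\\Run" in body:
            return Finding(code, line, "autostart via Policies\\Explorer\\Run; treat as suspicious")

    elif code == "O16":
        # Format is "DPF: {CLSID} (name) - URL"; a missing URL means the control's source is unknown.
        url = body.rsplit(" - ", 1)[1].strip() if " - " in body else ""
        if not url:
            return Finding(code, line, "downloaded ActiveX control with no source URL")

    elif code == "O17":
        # DNS servers are not automatically bad, but the owner must confirm they belong to the ISP.
        ns = re.search(r"NameServer = (.+)$", body)
        if ns:
            return Finding(code, line, f"DNS servers {ns.group(1).strip()}: confirm they belong to your ISP")

    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a pasted HijackThis log."""
    findings = []
    for line in text.splitlines():
        f = triage_line(line)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```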
  • edited February 2008
    The DNS server settings are for Micronet Broadband in Islamabad, so you would likely have set those yourself. The O16 ActiveX object is Yahoo.

    But your system has an SDBot infection there strikerX90, and perhaps other infections not yet showing in this one view.

    You will want to copy or have other access to these steps, as they will be done while offline.

    Be sure to temporarily disable any protective software when running the scan tools we use here.

    Download SDFix.exe and save it to your desktop.

    Download ComboFix.exe from here to your desktop.

    Then disconnect from net access. If cable/dsl physically disconnect the modem cable, if dial-up disconnect the phone line. This will keep infection from reinstalling right now.

    ===================================================


    Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).


    In Safe Mode, click the SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click RunThis.bat to start the script.

    Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

    When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

    Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.

    =============================

    After the reboot click on the downloaded ComboFix.exe to run the scan.

    When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

    A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    (ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver)

    Reconnect to net access, and post back the C:\ComboFix.txt log as well as the SDFix Report.txt and a new HijackThis log please.
  • strikerX90 Islamabad
    edited February 2008
    This is the SDFix log:

    SDFix: Version 1.147

    Run by Umair on Tue 02/26/2008 at 11:10 AM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting


    Checking Files :

    No Trojan Files Found






    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-26 11:23:17
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="C:\Program Files\DAEMON Tools\"
    "h0"=dword:00000000
    "khjeh"=hex:07,68,40,2f,a6,6d,e0,4c,86,51,ba,26,c7,04,07,0e,4b,af,e9,25,3f,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,bb,d4,26,38,30,61,e3,c2,f7,d1,71,88,dd,d7,55,58,ed,..
    "khjeh"=hex:20,51,aa,89,87,fd,49,6f,53,78,c8,95,03,2a,96,90,b5,22,32,9a,fd,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:46,51,f8,17,e2,7e,2d,da,8d,ec,f1,13,4d,fc,fa,e9,27,ae,ea,16,aa,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
    "h0"=dword:00000001
    "ujdew"=hex:51,41,ae,aa,ea,53,f7,b6,e4,67,94,d6,9d,0a,a6,a4,a6,60,b7,8a,98,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="C:\Program Files\DAEMON Tools\"
    "h0"=dword:00000000
    "khjeh"=hex:07,68,40,2f,a6,6d,e0,4c,86,51,ba,26,c7,04,07,0e,4b,af,e9,25,3f,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,bb,d4,26,38,30,61,e3,c2,f7,d1,71,88,dd,d7,55,58,ed,..
    "khjeh"=hex:20,51,aa,89,87,fd,49,6f,53,78,c8,95,03,2a,96,90,b5,22,32,9a,fd,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:69,15,dc,51,06,f7,51,b2,9a,b0,88,48,56,cb,9a,b6,4a,0b,bf,3b,3d,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
    "h0"=dword:00000001
    "ujdew"=hex:51,41,ae,aa,ea,53,f7,b6,e4,67,94,d6,9d,0a,a6,a4,a6,60,b7,8a,98,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "h0"=dword:00000000
    "khjeh"=hex:c6,50,ac,0d,a0,e1,2c,93,70,fc,1c,df,e1,a7,54,b5,89,50,8b,09,fd,..
    "p0"="C:\Program Files\DAEMON Tools\"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "khjeh"=hex:86,97,18,b2,f0,42,0c,51,96,9f,e5,6b,45,60,cd,08,45,83,b7,19,f6,..
    "a0"=hex:20,01,00,00,ff,84,63,1b,c4,6c,72,ea,93,3d,f5,12,c1,b7,e2,58,61,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:92,2a,27,6e,5f,7f,21,ce,ca,db,eb,41,fc,0b,ec,65,f4,92,5b,f7,9d,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
    "h0"=dword:00000001
    "ujdew"=hex:51,41,ae,aa,ea,53,f7,b6,e4,67,94,d6,9d,0a,a6,a4,a6,60,b7,8a,98,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "h0"=dword:00000000
    "khjeh"=hex:2e,c5,94,fd,32,d3,26,12,cc,03,e7,3a,29,9e,55,e4,f2,33,1c,53,4b,..
    "p0"="C:\Program Files\DAEMON Tools\"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "khjeh"=hex:86,97,18,b2,f0,42,0c,51,96,9f,e5,6b,45,60,cd,08,45,83,b7,19,f6,..
    "a0"=hex:20,01,00,00,ff,84,63,1b,c4,6c,72,ea,93,3d,f5,12,c1,b7,e2,58,61,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:92,2a,27,6e,5f,7f,21,ce,ca,db,eb,41,fc,0b,ec,65,f4,92,5b,f7,9d,..
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
    "s1"=dword:71acedfc
    "s2"=dword:85d0bc73
    "h0"=dword:00000002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
    "h0"=dword:00000001
    "ujdew"=hex:51,41,ae,aa,ea,53,f7,b6,e4,67,94,d6,9d,0a,a6,a4,a6,60,b7,8a,98,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "h0"=dword:00000000
    "khjeh"=hex:b1,67,fe,a8,91,5e,a8,36,67,8c,c4,8c,50,71,17,0f,98,a6,a3,f2,a9,..
    "p0"="C:\Program Files\DAEMON Tools\"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "khjeh"=hex:86,97,18,b2,f0,42,0c,51,96,9f,e5,6b,45,60,cd,08,45,83,b7,19,f6,..
    "a0"=hex:20,01,00,00,c8,b5,a8,1f,a9,dc,b6,e2,00,d8,0f,88,2c,b6,48,19,8e,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:6f,51,46,b6,95,9a,d6,5b,bf,98,95,ee,84,00,13,53,c2,9a,54,62,bd,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
    "h0"=dword:00000001
    "ujdew"=hex:51,41,ae,aa,ea,53,f7,b6,e4,67,94,d6,9d,0a,a6,a4,a6,60,b7,8a,98,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "h0"=dword:00000000
    "khjeh"=hex:b1,67,fe,a8,91,5e,a8,36,67,8c,c4,8c,50,71,17,0f,98,a6,a3,f2,a9,..
    "p0"="C:\Program Files\DAEMON Tools\"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "khjeh"=hex:86,97,18,b2,f0,42,0c,51,96,9f,e5,6b,45,60,cd,08,45,83,b7,19,f6,..
    "a0"=hex:20,01,00,00,c8,b5,a8,1f,a9,dc,b6,e2,00,d8,0f,88,2c,b6,48,19,8e,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:6f,51,46,b6,95,9a,d6,5b,bf,98,95,ee,84,00,13,53,c2,9a,54,62,bd,..

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\DAP\\DAP.exe"="C:\\Program Files\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
    "C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
    "C:\\Program Files\\Opera\\Opera.exe"="C:\\Program Files\\Opera\\Opera.exe:*:Enabled:Opera Internet Browser"
    "C:\\WINDOWS\\system32\\desk.exe"="C:\\WINDOWS\\system32\\desk.exe:*:Enabled:desk"
    "\\??\\C:\\WINDOWS\\System32\\winlogon.exe"="\\??\\C:\\WINDOWS\\System32\\winlogon.exe:*:enabled:@shell32.dll,-1"
    "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List"="SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List:*:enabled:@shell32.dll,-1"
    "C:\\Program Files\\ASUS\\AsusUpdate\\Update.exe"="C:\\Program Files\\ASUS\\AsusUpdate\\Update.exe:*:Enabled:ASUS Windows Platform Flash Program"
    "C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
    "F:\\World in Conflict\\wic.exe"="F:\\World in Conflict\\wic.exe:*:Enabled:World in Conflict"
    "F:\\World in Conflict\\wic_online.exe"="F:\\World in Conflict\\wic_online.exe:*:Enabled:World in Conflict - Online Only"
    "F:\\World in Conflict\\wic_ds.exe"="F:\\World in Conflict\\wic_ds.exe:*:Enabled:World in Conflict - Dedicated Server"
    "E:\\Need for Speed Most Wanted\\speed.exe"="E:\\Need for Speed Most Wanted\\speed.exe:*:Enabled:speed"
    "F:\\FIFA 08\\FIFA08.exe"="F:\\FIFA 08\\FIFA08.exe:*:Enabled:FIFA08"
    "C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
    "C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"
    "F:\\NBA LIVE 08\\nbalive08.exe"="F:\\NBA LIVE 08\\nbalive08.exe:*:Enabled:NBA LIVE 08"
    "G:\\Unreal Tournament 3\\Binaries\\UT3.exe"="G:\\Unreal Tournament 3\\Binaries\\UT3.exe:*:Enabled:Unreal Tournament 3"
    "F:\\Gears of War\\Binaries\\WarGame-G4WLive.exe"="F:\\Gears of War\\Binaries\\WarGame-G4WLive.exe:*:Enabled:Gears of War"
    "E:\\Crysis\\Bin32\\Crysis.exe"="E:\\Crysis\\Bin32\\Crysis.exe:*:Enabled:Crysis_32"
    "E:\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="E:\\Crysis\\Bin32\\CrysisDedicatedServer.exe:*:Enabled:CrysisDedicatedServer_32"
    "C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
    "C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
    "C:\\Program Files\\Elite Utilities 9 Professional\\Elite Internet Security.exe"="C:\\Program Files\\Elite Utilities 9 Professional\\Elite Internet Security.exe:*:Enabled:Elite Utilities Internet Security"
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
    "E:\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat"="E:\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat:*:Enabled:Command & Conquer 3 Tiberium Wars"
    "C:\\Documents and Settings\\Umair\\Local Settings\\Temp\\ElectronicArts_Patcher_000.exe"="C:\\Documents and Settings\\Umair\\Local Settings\\Temp\\ElectronicArts_Patcher_000.exe:*:Enabled:ElectronicArts_Patcher_000"
    "E:\\Command & Conquer 3\\RetailExe\\1.9\\cnc3game.dat"="E:\\Command & Conquer 3\\RetailExe\\1.9\\cnc3game.dat:*:Enabled:Command & Conquer 3 Tiberium Wars"
    "G:\\Call Of Duty 4\\Call of duty 4\\Data\\iw3mpHAMACHI 1.4.exe"="G:\\Call Of Duty 4\\Call of duty 4\\Data\\iw3mpHAMACHI 1.4.exe:*:Enabled:iw3mpHAMACHI 1.4"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "G:\\Call Of Duty 4\\Call of duty 4\\Data\\iw3mp.exe"="G:\\Call Of Duty 4\\Call of duty 4\\Data\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM) "
    "e:\\Football Manager 2008\\fm.exe"="e:\\Football Manager 2008\\fm.exe:*:Disabled:Football Manager 2008"
    "C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
    "C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
    "C:\\Program Files\\The All-Seeing Eye\\eye.exe"="C:\\Program Files\\The All-Seeing Eye\\eye.exe:*:Enabled:Yahoo! All-Seeing Eye"
    "C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
    "F:\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"="F:\\Sins of a Solar Empire\\Sins of a Solar Empire.exe:*:Enabled:Sins of a Solar Empire"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

    Remaining Files :



    Files with Hidden Attributes :

    Tue 16 Oct 2007 4,096 ..SHR --- "C:\WINDOWS\system32\runouce.exe"
    Mon 23 Jul 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Sat 26 Jan 2008 4,965 ...HR --- "C:\Documents and Settings\Umair\Application Data\SecuROM\UserData\securom_v7_01.bak"

    Finished!

  • strikerX90 Islamabad
    edited February 2008
    This is the ComboFix log:
    ComboFix 08-02-25.3 - Umair 2008-02-26 11:33:58.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1662 [GMT 5:00]
    Running from: C:\Documents and Settings\Umair\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ADS - svchost.exe: deleted 88 bytes in 2 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\drivers\down
    C:\WINDOWS\system32\sysdm.exe
    C:\WINDOWS\youtubex.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    \LEGACY_IPRIP
    \Iprip


    ((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
    .

    2008-02-26 11:09 . 2008-02-26 11:09 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-02-26 11:08 . 2008-02-26 11:25 <DIR> d-------- C:\SDFix
    2008-02-24 13:57 . 2008-02-24 13:57 <DIR> d-------- C:\tmpDownload
    2008-02-24 01:25 . 2008-02-24 01:25 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
    2008-02-23 20:48 . 2008-02-23 20:48 <DIR> d-------- C:\Program Files\uTorrent
    2008-02-23 20:48 . 2008-02-25 17:58 <DIR> d-------- C:\Documents and Settings\Umair\Application Data\uTorrent
    2008-02-23 20:23 . 2008-02-23 23:19 <DIR> d-------- C:\Program Files\Shareaza
    2008-02-21 06:57 . 2008-02-21 06:57 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
    2008-02-19 13:12 . 2008-02-19 13:12 37,888 --a------ C:\WINDOWS\system32\rar.exe
    2008-02-13 15:36 . 2008-02-13 15:36 <DIR> d-------- C:\Documents and Settings\Umair\Application Data\teamspeak2
    2008-02-13 15:36 . 2008-02-13 15:36 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
    2008-02-12 18:55 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
    2008-02-12 18:55 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
    2008-02-12 18:55 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
    2008-02-12 18:55 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
    2008-02-12 18:55 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
    2008-02-12 18:55 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
    2008-02-12 18:55 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
    2008-02-12 18:55 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
    2008-02-12 13:31 . 2008-02-12 14:22 <DIR> d-------- C:\Program Files\The All-Seeing Eye
    2008-02-12 11:21 . 2008-02-12 11:21 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
    2008-02-12 09:54 . 2008-02-12 09:54 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
    2008-02-12 07:41 . 2008-02-26 10:57 <DIR> d-------- C:\Program Files\Xfire
    2008-02-12 07:41 . 2008-02-26 08:37 <DIR> d-------- C:\Documents and Settings\Umair\Application Data\Xfire
    2008-02-09 18:06 . 2008-02-09 21:32 <DIR> d-------- C:\Program Files\mIRC
    2008-02-09 18:06 . 2008-02-09 21:37 <DIR> d-------- C:\Documents and Settings\Umair\Application Data\mIRC
    2008-02-09 14:57 . 2008-02-09 14:57 <DIR> d-------- C:\Program Files\oZone3D
    2008-02-09 10:14 . 2008-02-09 10:14 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-02-08 16:52 . 2004-08-04 05:56 35,328 --a------ C:\WINDOWS\system32\iprip.dll
    2008-02-08 16:52 . 2004-08-04 05:56 35,328 --a--c--- C:\WINDOWS\system32\dllcache\iprip.dll
    2008-02-08 16:52 . 2001-08-23 19:00 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
    2008-02-08 16:52 . 2001-08-23 19:00 18,944 --a--c--- C:\WINDOWS\system32\dllcache\simptcp.dll
    2008-02-08 12:24 . 2008-02-08 12:24 106,496 --a------ C:\WINDOWS\system32\3f8b4f1c.dll.bak
    2008-02-07 15:40 . 2008-02-09 15:27 <DIR> d-------- C:\Program Files\RivaTuner v2.06
    2008-02-06 18:49 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
    2008-02-06 18:48 . 2004-08-04 03:32 571,392 --a--c--- C:\WINDOWS\system32\dllcache\tintlgnt.ime
    2008-02-06 18:47 . 2008-02-06 18:47 <DIR> d-------- C:\Program Files\ToniArts
    2008-02-06 18:47 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
    2008-02-06 18:46 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
    2008-02-06 18:45 . 2001-08-23 19:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
    2008-02-06 18:44 . 2008-02-06 18:44 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-06 18:44 . 2001-08-23 19:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-02-06 18:43 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
    2008-02-06 18:42 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
    2008-02-06 18:41 . 2001-08-23 19:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
    2008-02-06 18:40 . 2004-08-04 00:56 1,888,992 --a--c--- C:\WINDOWS\system32\dllcache\ati3duag.dll
    2008-02-06 18:39 . 2004-08-04 05:56 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
    2008-02-06 18:16 . 2008-02-26 10:53 280 --a------ C:\WINDOWS\system32\PDBootState
    2008-02-06 14:43 . 2008-02-06 14:43 <DIR> d-------- C:\Program Files\Alex Feinman
    2008-02-06 14:17 . 2008-02-06 14:45 1,228,800 --a------ C:\memtest86+-1.70.iso
    2008-02-06 10:36 . 2008-02-06 10:36 <DIR> d-------- C:\Program Files\Sun
    2008-02-04 10:26 . 2008-02-04 10:26 <DIR> d-------- C:\Program Files\Yahoo!
    2008-02-01 15:55 . 2008-02-01 15:55 0 --a------ C:\WINDOWS\nsreg.dat
    2008-02-01 15:36 . 2008-02-01 15:36 <DIR> d-------- C:\Program Files\Common Files\iS3
    2008-02-01 15:36 . 2008-02-01 15:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
    2008-02-01 10:08 . 2007-10-05 16:53 56,868 --a------ C:\WINDOWS\AWDFLASH.EXE
    2008-01-31 11:25 . 2008-01-31 11:29 <DIR> d-------- C:\Program Files\Cheatbook Database 2008
    2008-01-29 21:38 . 2008-01-29 21:38 <DIR> d-------- C:\Program Files\Monte Cristo
    2008-01-29 21:35 . 2008-01-29 21:35 980,714 --a------ C:\WINDOWS\Prison Tycoon 3 Uninstaller.exe
    2008-01-29 21:32 . 2008-01-29 21:32 <DIR> d-------- C:\Program Files\Common Files\Thraex Software
    2008-01-27 22:58 . 2008-01-27 22:58 268 --ah----- C:\sqmdata12.sqm
    2008-01-27 22:58 . 2008-01-27 22:58 244 --ah----- C:\sqmnoopt12.sqm

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-26 06:36 58,089,504 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    2008-02-26 06:36 3,909,408 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-02-26 06:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-26 06:35 791,540 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2008-02-26 06:35 375,884 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
    2008-02-26 06:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-26 04:14 --------- d-----w C:\Documents and Settings\Umair\Application Data\Hamachi
    2008-02-26 03:50 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-02-26 03:50 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
    2008-02-23 20:24 --------- d-----w C:\Program Files\eMule
    2008-02-11 08:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-11 06:53 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
    2008-02-07 09:57 80,912 ----a-w C:\WINDOWS\system32\sherlock2.exe
    2008-02-06 10:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-06 10:58 --------- d-----w C:\Program Files\AGEIA Technologies
    2008-02-06 05:36 --------- d-----w C:\Program Files\Java
    2008-02-05 11:47 --------- d-----w C:\Documents and Settings\Umair\Application Data\Command & Conquer 3 Tiberium Wars
    2008-02-04 18:36 91,700 ----a-w C:\WINDOWS\system32\drivers\klin.dat
    2008-02-01 10:16 --------- d-----w C:\Program Files\Uniblue
    2008-02-01 10:11 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
    2008-02-01 05:08 414,199 ----a-w C:\WINDOWS\M2N-E.zip
    2008-01-31 09:27 --------- d-----w C:\Documents and Settings\Umair\Application Data\Uniblue
    2008-01-27 08:53 --------- d-----w C:\Program Files\Google
    2008-01-23 10:16 --------- d-----w C:\Documents and Settings\Umair\Application Data\Talkback
    2008-01-18 07:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-18 05:23 --------- d-----w C:\Program Files\Real Alternative
    2008-01-18 04:59 --------- d-----w C:\Program Files\K-Lite Codec Pack
    2008-01-18 04:48 --------- d-----w C:\Program Files\DAP
    2008-01-05 18:50 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
    2008-01-05 18:50 22,328 ----a-w C:\Documents and Settings\Umair\Application Data\PnkBstrK.sys
    2007-12-28 12:58 --------- d-----w C:\Program Files\Common Files\xing shared
    2007-12-28 12:58 --------- d-----w C:\Program Files\Common Files\Real
    2007-12-26 08:12 --------- d-----w C:\Program Files\CEZEO software
    2007-12-26 08:12 --------- d-----w C:\Documents and Settings\Umair\Application Data\CEZEO software
    2007-12-24 10:55 102,400 ----a-w C:\WINDOWS\AwdSLP.exe
    2007-12-24 08:49 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
    2007-12-17 05:36 262,144 ----a-w C:\ntuser.dat
    2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2007-12-04 21:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
    2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
    2007-12-03 21:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
    2007-11-29 18:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2007-11-29 18:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2007-11-26 16:56 13,653,824 ----a-w C:\WINDOWS\system32\xlivefnt.dll
    2007-11-26 16:56 10,155,840 ----a-w C:\WINDOWS\system32\xlive.dll
    2007-10-16 17:08 4,096 --sh--r C:\WINDOWS\system32\runouce.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:56 15360]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 19:50 200768]
    "PCTVOICE"="pctspk.exe" [2001-08-17 22:36 86016 C:\WINDOWS\system32\pctspk.exe]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
    "nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
    "amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 11:06 77824]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 21:34 868352]
    "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\smax4.exe" [2006-07-13 07:12 729088]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
    "RegistryMechanic"="" []

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Umair^Start Menu^Programs^Startup^Registration .LNK]
    backup=C:\WINDOWS\pss\Registration .LNKStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
    --a
    2007-03-09 19:50 200768 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a
    2007-10-17 00:45 5674496 C:\Program Files\MSN Messenger\MsnMsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegDoctor]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    --a
    2005-01-12 03:01 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
    2006-07-13 07:12 729088 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    --a
    2006-12-18 21:34 868352 C:\Program Files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a
    2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    "Shareaza"="C:\Program Files\Shareaza\Shareaza.exe" -tray

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "PV92TRAY"=PV92Tray.exe
    "DownloadAccelerator"="C:\Program Files\DAP\DAP.EXE" /STARTUP
    "MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\DAP\\DAP.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "C:\\WINDOWS\\system32\\mmc.exe"=
    "C:\\Program Files\\Opera\\Opera.exe"=
    "C:\\WINDOWS\\system32\\desk.exe"=
    "C:\\Program Files\\ASUS\\AsusUpdate\\Update.exe"=
    "C:\\Program Files\\eMule\\emule.exe"=
    "F:\\World in Conflict\\wic.exe"=
    "F:\\World in Conflict\\wic_online.exe"=
    "F:\\World in Conflict\\wic_ds.exe"=
    "E:\\Need for Speed Most Wanted\\speed.exe"=
    "F:\\FIFA 08\\FIFA08.exe"=
    "C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "C:\\Program Files\\Hamachi\\hamachi.exe"=
    "F:\\NBA LIVE 08\\nbalive08.exe"=
    "G:\\Unreal Tournament 3\\Binaries\\UT3.exe"=
    "F:\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
    "E:\\Crysis\\Bin32\\Crysis.exe"=
    "E:\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "E:\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat"=
    "E:\\Command & Conquer 3\\RetailExe\\1.9\\cnc3game.dat"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "G:\\Call Of Duty 4\\Call of duty 4\\Data\\iw3mp.exe"=
    "C:\\Program Files\\mIRC\\mirc.exe"=
    "C:\\Program Files\\Xfire\\xfire.exe"=
    "C:\\Program Files\\The All-Seeing Eye\\eye.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "F:\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "2754:TCP"= 2754:TCP:messenger
    "1518:TCP"= 1518:TCP:messenger
    "7616:TCP"= 7616:TCP:messenger
    "3131:TCP"= 3131:TCP:messenger
    "2547:TCP"= 2547:TCP:messenger
    "6368:TCP"= 6368:TCP:messenger
    "2284:TCP"= 2284:TCP:messenger
    "1885:TCP"= 1885:TCP:messenger
    "5321:TCP"= 5321:TCP:messenger
    "7357:TCP"= 7357:TCP:messenger
    "1862:TCP"= 1862:TCP:messenger
    "1517:TCP"= 1517:TCP:messenger
    "1615:TCP"= 1615:TCP:messenger
    "4234:TCP"= 4234:TCP:messenger
    "1221:TCP"= 1221:TCP:messenger
    "5446:TCP"= 5446:TCP:messenger
    "5722:TCP"= 5722:TCP:messenger
    "7752:TCP"= 7752:TCP:messenger
    "5218:TCP"= 5218:TCP:messenger
    "3351:TCP"= 3351:TCP:messenger
    "2141:TCP"= 2141:TCP:messenger
    "7747:TCP"= 7747:TCP:messenger
    "4143:TCP"= 4143:TCP:messenger
    "8545:TCP"= 8545:TCP:messenger
    "7184:TCP"= 7184:TCP:messenger
    "5225:TCP"= 5225:TCP:messenger
    "6138:TCP"= 6138:TCP:messenger
    "4888:TCP"= 4888:TCP:messenger
    "6162:TCP"= 6162:TCP:messenger
    "8816:TCP"= 8816:TCP:messenger
    "6575:TCP"= 6575:TCP:messenger
    "3457:TCP"= 3457:TCP:messenger
    "6578:TCP"= 6578:TCP:messenger
    "6347:TCP"= 6347:TCP:messenger
    "8383:TCP"= 8383:TCP:messenger

    R0 AmdAcpi;AmdAcpi Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\AmdAcpi.sys [2006-09-05 16:04]
    R3 AmdTools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys [2006-08-24 15:37]
    S3 cpuz128;cpuz128;C:\DOCUME~1\Umair\LOCALS~1\Temp\cpuz_x32.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\Autorun.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-15 12:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
    - C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
    "2008-02-03 09:00:00 C:\WINDOWS\Tasks\At1.job"
    - C:\Documents
    "2008-02-03 15:00:00 C:\WINDOWS\Tasks\At10.job"
    - C:\Documents
    "2008-02-03 09:00:00 C:\WINDOWS\Tasks\At11.job"
    - C:\Documents
    "2008-02-03 03:00:00 C:\WINDOWS\Tasks\At12.job"
    - C:\Documents
    "2008-02-03 15:00:00 C:\WINDOWS\Tasks\At2.job"
    - C:\Documents
    "2008-02-03 03:00:00 C:\WINDOWS\Tasks\At3.job"
    - C:\Documents
    "2008-02-03 15:00:00 C:\WINDOWS\Tasks\At4.job"
    - C:\Documents
    "2008-02-03 09:00:00 C:\WINDOWS\Tasks\At5.job"
    - C:\Documents
    "2008-02-03 03:00:00 C:\WINDOWS\Tasks\At6.job"
    - C:\Documents
    "2008-02-03 15:00:00 C:\WINDOWS\Tasks\At7.job"
    - C:\Documents
    "2008-02-03 09:00:00 C:\WINDOWS\Tasks\At8.job"
    - C:\Documents
    "2008-02-03 03:00:00 C:\WINDOWS\Tasks\At9.job"
    - C:\Documents
    "2008-01-07 15:08:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    "2007-11-28 15:08:31 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-26 11:36:35
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Other Running Processes
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-26 11:39:35 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-26 06:39:32
    .
    2008-02-16 18:41:21 --- E O F ---
  • strikerX90 Islamabad
    edited February 2008
    This is the HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:44:40 AM, on 2/26/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\smax4.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.orkut.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196090485859
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2906B65A-0AC5-42AD-A39B-FC278A83C5AD}: NameServer = 58.65.175.74 203.82.48.3
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

    --
    End of file - 6251 bytes
  • strikerX90 Islamabad
    edited February 2008
    I use P2P software too.
  • edited February 2008
    I surely see P2P use there. It's usually where most of the infections showing in these requests originate from, or at least from using it to steal software. I would hope you do not do that, since so much of it is just a malware trick install that it is not worth it (and illegal and stealing). ComboFix was prepared for this malware variant, so for now let's scan for what might remain.


    Go to Control Panel - Scheduled Tasks, and delete all these At# tasks listed below:

    "2008-02-03 09:00:00 C:\WINDOWS\Tasks\At1.job"
    - C:\Documents
    "2008-02-03 15:00:00 C:\WINDOWS\Tasks\At10.job"
    - C:\Documents
    "2008-02-03 09:00:00 C:\WINDOWS\Tasks\At11.job"
    - C:\Documents
    "2008-02-03 03:00:00 C:\WINDOWS\Tasks\At12.job"
    - C:\Documents
    "2008-02-03 15:00:00 C:\WINDOWS\Tasks\At2.job"
    - C:\Documents
    "2008-02-03 03:00:00 C:\WINDOWS\Tasks\At3.job"
    - C:\Documents
    "2008-02-03 15:00:00 C:\WINDOWS\Tasks\At4.job"
    - C:\Documents
    "2008-02-03 09:00:00 C:\WINDOWS\Tasks\At5.job"
    - C:\Documents
    "2008-02-03 03:00:00 C:\WINDOWS\Tasks\At6.job"
    - C:\Documents
    "2008-02-03 15:00:00 C:\WINDOWS\Tasks\At7.job"
    - C:\Documents
    "2008-02-03 09:00:00 C:\WINDOWS\Tasks\At8.job"
    - C:\Documents
    "2008-02-03 03:00:00 C:\WINDOWS\Tasks\At9.job"



    Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

    To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.

    To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".

    For now just post that log here please.
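As an added example (not part of this thread, of ComboFix or of the helper's own tooling), a small Python check that does by script what the helper did by eye above: it pulls the "Scheduled Tasks" section out of a ComboFix log and flags At#.job tasks, a batch of them dated the same day, and targets that are not a full executable path. The sample section is constructed to match the layout of the posted log; the heuristics and the batch threshold are assumptions of mine, not ComboFix rules.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout ComboFix used in the thread: a quoted
# "<timestamp> <job file>" line, then a "- <target>" line (At# jobs carry the
# same incomplete target, "C:\Documents", as the posted log).
SAMPLE_SECTION = r"""
Contents of the 'Scheduled Tasks' folder
"2008-02-15 12:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-02-03 09:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\Documents
"2008-02-03 15:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\Documents
"2008-02-03 09:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\Documents
.
"""

TASK_RE = re.compile(r'^"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<job>.+\.job)"$')
AT_JOB_RE = re.compile(r"^At\d+\.job$", re.IGNORECASE)  # the names at.exe assigns
EXECUTABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".vbs", ".js", ".dll")
BATCH_THRESHOLD = 3  # assumption: this many At# jobs dated the same day is a batch


@dataclass
class Task:
    timestamp: str    # "YYYY-MM-DD HH:MM:SS" as ComboFix prints it
    job_path: str     # full path of the .job file
    target: str = ""  # command taken from the following "- " line

    @property
    def name(self) -> str:
        return self.job_path.rsplit("\\", 1)[-1]


def parse_tasks(section: str) -> list[Task]:
    """Collect task/target pairs between the section heading and the closing '.'."""
    tasks: list[Task] = []
    in_section = False
    for raw in section.splitlines():
        line = raw.strip()
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
        elif not in_section or not line:
            continue
        elif line == ".":  # ComboFix closes the section with a lone dot
            break
        elif (m := TASK_RE.match(line)):
            tasks.append(Task(m.group("ts"), m.group("job")))
        elif line.startswith("- ") and tasks:
            tasks[-1].target = line[2:].strip()
    return tasks


def suspicious_tasks(tasks: list[Task]) -> list[tuple[Task, list[str]]]:
    """Return (task, reasons) for each task that trips at least one heuristic."""
    at_jobs_per_day = Counter(t.timestamp[:10] for t in tasks if AT_JOB_RE.match(t.name))
    findings: list[tuple[Task, list[str]]] = []
    for t in tasks:
        reasons: list[str] = []
        if AT_JOB_RE.match(t.name):
            reasons.append("at.exe-style job name (At#.job)")
            day = t.timestamp[:10]
            if at_jobs_per_day[day] >= BATCH_THRESHOLD:
                reasons.append(f"{at_jobs_per_day[day]} At# jobs created on {day}")
        if not t.target.lower().endswith(EXECUTABLE_EXT):
            reasons.append(f"target is not a full executable path: {t.target!r}")
        if reasons:
            findings.append((t, reasons))
    return findings


if __name__ == "__main__":
    for task, why in suspicious_tasks(parse_tasks(SAMPLE_SECTION)):
        print(f"{task.name:<10} {task.timestamp}  ->  {task.target}")
        for reason in why:
            print("    -", reason)
```

Run against a real log, the same function takes the whole ComboFix text, since parsing only starts at the section heading and stops at the lone dot that ends it.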
  • strikerX90 Islamabad
    edited February 2008
    Sorry, can't send the log... Too long...
  • edited February 2008
    Zip a copy of it, and just send it to [noparse]jintan@cfl.rr.com[/noparse] as an attachment. Please place "Submitted Files - strikerX90" as the email Subject.
  • strikerX90 Islamabad
    edited February 2008
    There is one more problem... as I'm the second administrator of the PC... these are some lines from the log... you tell me whether I should run the scan from Administrator or from my user. These are those lines:

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\6.0\AcroForm\MRUFormsList Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\6.0\AdobeComFnt06.lst Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\6.0\Collab\OfflineDocs Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\6.0\Collab\Reviews Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\6.0\Preferences\AutoFillDefaults.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\6.0\Preferences\defaultHeuristics.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\6.0\TMGrpPrm.sav Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\6.0\Updater\udstore.js Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\desktop.ini Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Hamachi\client.id Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Hamachi\client.pri Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Hamachi\client.pub Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Hamachi\hamachi.ini Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Hamachi\peers.ini Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Hamachi\RSA Keys\5.120.13.68.pub Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Hamachi\RSA Keys\5.3.107.30.pub Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Hamachi\RSA Keys\5.40.215.32.pub Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Hamachi\RSA Keys\5.48.57.24.pub Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Hamachi\RSA Keys\5.55.136.88.pub Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Hamachi\RSA Keys\5.6.181.24.pub Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Hamachi\RSA Keys\5.9.27.125.pub Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\VQYFHSKN\localhost\core.sol Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\VQYFHSKN\www.youtube.com\soundData.sol Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\VQYFHSKN\www.youtube.com\videostats.sol Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\settings.sol Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.youtube.com\settings.sol Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Media Player Classic\default.mpcpl Object is locked skipped
  • edited February 2008
    If the scan is run by a more limited user account many of the normally locked system functions will be reflected in the scan (like what is showing in the one you posted). Looks like doing it logged in as the Administrator would be the best solution for that large log issue.
  • strikerX90 Islamabad
    edited February 2008
    I will send you the log tomorrow then... as the scan takes too much time... I will leave my PC overnight for the scan.
  • edited February 2008
    If needed, to remove some of the unnecessary temp items, go here and download ATF Cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

    If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective. Just to reduce anything shown as "locked" when IE is in use there.

    Also be sure to completely disable your on-system Kaspersky software and any others there. But post or send when you can and we can follow up then.