Virus Problem

garfield619 · March 2008

i am new in this forums, read some other threads, which i see that it was successful, now like peteconfused, i also have avtap.dll virus, i use avast and before i accidentaly closed it and i think the virus went through, which i believe it is the yellow fake warning thingie in the active/inactive icons which warns you that you have a virus, and brings you to the website of antiviruses, WHICH I DONT NEED. i would be expecting replys! here's my HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:16 AM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\VM303_STI.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: (no name) - {E4EC9393-42C7-4282-9C1D-1281855328E4} - C:\WINDOWS\system32\avtap.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\system\svchost32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [tarkmgr.exe] tarkmgr.exe
O4 - HKLM\..\Run: [ccPrxy.exe] ccPrxy.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download all with Free Download Manager - [URL]file://C:\Program[/URL] Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - [URL]file://C:\Program[/URL] Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - [URL]file://C:\Program[/URL] Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - [URL]file://C:\Program[/URL] Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202230686937
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/keycrypt/npkcx.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 10941 bytes

Veka · March 2008

Hi garfield619,

I must warn you, there is at least one backdoor trojan present. Backdoor trojan is a generic detection for a group of Trojan horse programs that open a back door and allow a remote attacker to have unauthorized access to the compromised computer.

You are strongly advised to do the following immediately:

Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.
Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
From a clean computer, change *all* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
- Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Please note that there is no way to be sure that your PC can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you make a more informed decision, please read the following articles

Should you have any questions, please feel free to ask.

Please let me know your decision and we'll get started with clean up if that's what you choose.

garfield619 · March 2008

Actually, about those accounts, no problem.. this net is just used for my studies.. and lotsa gamming ahaha.. is there kinda some way to remove it? is it the avtap.dll? and what is that fake system alert? sorry for the lots of questions, but yeah, about those paypal, cred accounts, i do not do purchasing online, and all my accounts are.. not that important. EXEPT for the ISP. i would take action on that.

Veka · March 2008

Hi garfield619,

Yea, there is a way but no certainty as I don't know what else is lurking there. We can still try!

You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix.

Step 1:

Please download SDFix to your desktop.

Step 2:

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Step 3:

Run SDFix

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

garfield619 · March 2008

Here it is, as what is written on the instructions!

SDFix Report:

scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin"="C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin:*:Disabled:rakion"
"C:\\SIERRA\\Half-Life\\hl.exe"="C:\\SIERRA\\Half-Life\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Documents and Settings\\ok3o\\Local Settings\\Temp\\~os14.tmp\\ossproxy.exe"="C:\\Documents and Settings\\ok3o\\Local Settings\\Temp\\~os14.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"="C:\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:BitTorrent DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM)"
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\Garena.exe"="C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\Garena.exe:*:Enabled:Garena"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 29 Aug 2007 81 A.SH. --- "C:\WINDOWS\NT.Config`.exe"
Thu 13 Mar 2008 43,265,912 A..H. --- "C:\Downloads\Software\5.05.54.00_ntune_winxp_international.exe"
Tue 25 Dec 2007 486,108,144 A..H. --- "C:\Downloads\Software\ADBEPHSPCS3_WWE.exe"
Sat 10 Nov 2007 2,093,156,528 A..H. --- "C:\Downloads\Software\RF_Online_Ep2_Setup.exe"
Sat 10 Nov 2007 2,093,156,528 A..H. --- "C:\Downloads\Software\RF_Online_Ep2_Setup(1).exe"
Sat 15 Mar 2008 278,927,592 A..H. --- "C:\Downloads\Software\WindowsXP-KB835935-SP2-ENU.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 8 Feb 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 29 Aug 2006 81 A.SH. --- "C:\Documents and Settings\ok3o\Templates\NT.Config`.exe"
Tue 26 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 31 Mar 2008 1,119,744 ..SH. --- "C:\Program Files\Zhyper Networks\ZhyperMU Season 3 Episode 2\zhypermu full s3 ep2\main.dll"
Fri 29 Jun 2007 32,768 A..H. --- "C:\Documents and Settings\ok3o\Application Data\Microsoft\Word\~WRL0004.tmp"
Fri 29 Jun 2007 31,744 A..H. --- "C:\Documents and Settings\ok3o\Application Data\Microsoft\Word\~WRL2693.tmp"
Fri 29 Jun 2007 32,256 A..H. --- "C:\Documents and Settings\ok3o\Application Data\Microsoft\Word\~WRL2703.tmp"
Fri 29 Jun 2007 30,720 A..H. --- "C:\Documents and Settings\ok3o\Application Data\Microsoft\Word\~WRL3054.tmp"
Fri 29 Jun 2007 33,792 A..H. --- "C:\Documents and Settings\ok3o\Application Data\Microsoft\Word\~WRL3473.tmp"
Fri 29 Jun 2007 29,696 A..H. --- "C:\Documents and Settings\ok3o\Application Data\Microsoft\Word\~WRL3848.tmp"
Sat 27 Oct 2007 1,246 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\tic16C.tmp"
Sat 27 Oct 2007 318 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\tic16D.tmp"
Sat 27 Oct 2007 318 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\tic16E.tmp"
Sat 27 Oct 2007 462 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\tic171.tmp"
Sat 27 Oct 2007 673 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\tic172.tmp"
Thu 31 May 2007 640 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\tic4C.tmp"
Sun 17 Feb 2008 1,035 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\tic8.tmp"
Thu 31 May 2007 1,039 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\tic88.tmp"
Thu 31 May 2007 1,534 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\ticA0.tmp"
Fri 8 Jun 2007 249 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\ticF0.tmp"
Finished!

HijackThis Log:

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: (no name) - {E4EC9393-42C7-4282-9C1D-1281855328E4} - C:\WINDOWS\system32\avtap.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [tarkmgr.exe] tarkmgr.exe
O4 - HKLM\..\Run: [ccPrxy.exe] ccPrxy.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download all with Free Download Manager - [URL]file://C:\Program[/URL] Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - [URL]file://C:\Program[/URL] Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - [URL]file://C:\Program[/URL] Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - [URL]file://C:\Program[/URL] Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202230686937
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/keycrypt/npkcx.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 11025 bytes

Veka · March 2008

Hi garfield619. Is your SDfix log complete? It seems to be broken.

garfield619 · March 2008

dunno, but vekarppe here it is again, tell me if i gotta repeat the proccess, and to inform you, the fake system alert is still going

SDFix: Version 1.165
Run by Sam on Tue 04/01/2008 at 12:16 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting

Checking Files :
Trojan Files Found:
C:\Documents and Settings\All Users\Application Data\SecurePCCleaner\Abbr - Deleted
C:\Documents and Settings\All Users\Application Data\SecurePCCleaner\prod_code - Deleted
C:\WINDOWS\system\svchost32.exe - Deleted

Folder C:\Documents and Settings\All Users\Application Data\SecurePCCleaner - Removed

Removing Temp Files
ADS Check :

Final Check :
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 00:21:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin"="C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin:*:Disabled:rakion"
"C:\\SIERRA\\Half-Life\\hl.exe"="C:\\SIERRA\\Half-Life\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Documents and Settings\\ok3o\\Local Settings\\Temp\\~os14.tmp\\ossproxy.exe"="C:\\Documents and Settings\\ok3o\\Local Settings\\Temp\\~os14.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"="C:\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:BitTorrent DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM)"
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\Garena.exe"="C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\Garena.exe:*:Enabled:Garena"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 29 Aug 2007 81 A.SH. --- "C:\WINDOWS\NT.Config`.exe"
Thu 13 Mar 2008 43,265,912 A..H. --- "C:\Downloads\Software\5.05.54.00_ntune_winxp_international.exe"
Tue 25 Dec 2007 486,108,144 A..H. --- "C:\Downloads\Software\ADBEPHSPCS3_WWE.exe"
Sat 10 Nov 2007 2,093,156,528 A..H. --- "C:\Downloads\Software\RF_Online_Ep2_Setup.exe"
Sat 10 Nov 2007 2,093,156,528 A..H. --- "C:\Downloads\Software\RF_Online_Ep2_Setup(1).exe"
Sat 15 Mar 2008 278,927,592 A..H. --- "C:\Downloads\Software\WindowsXP-KB835935-SP2-ENU.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 8 Feb 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 29 Aug 2006 81 A.SH. --- "C:\Documents and Settings\ok3o\Templates\NT.Config`.exe"
Tue 26 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 31 Mar 2008 1,119,744 ..SH. --- "C:\Program Files\Zhyper Networks\ZhyperMU Season 3 Episode 2\zhypermu full s3 ep2\main.dll"
Fri 29 Jun 2007 32,768 A..H. --- "C:\Documents and Settings\ok3o\Application Data\Microsoft\Word\~WRL0004.tmp"
Fri 29 Jun 2007 31,744 A..H. --- "C:\Documents and Settings\ok3o\Application Data\Microsoft\Word\~WRL2693.tmp"
Fri 29 Jun 2007 32,256 A..H. --- "C:\Documents and Settings\ok3o\Application Data\Microsoft\Word\~WRL2703.tmp"
Fri 29 Jun 2007 30,720 A..H. --- "C:\Documents and Settings\ok3o\Application Data\Microsoft\Word\~WRL3054.tmp"
Fri 29 Jun 2007 33,792 A..H. --- "C:\Documents and Settings\ok3o\Application Data\Microsoft\Word\~WRL3473.tmp"
Fri 29 Jun 2007 29,696 A..H. --- "C:\Documents and Settings\ok3o\Application Data\Microsoft\Word\~WRL3848.tmp"
Sat 27 Oct 2007 1,246 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\tic16C.tmp"
Sat 27 Oct 2007 318 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\tic16D.tmp"
Sat 27 Oct 2007 318 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\tic16E.tmp"
Sat 27 Oct 2007 462 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\tic171.tmp"
Sat 27 Oct 2007 673 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\tic172.tmp"
Thu 31 May 2007 640 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\tic4C.tmp"
Sun 17 Feb 2008 1,035 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\tic8.tmp"
Thu 31 May 2007 1,039 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\tic88.tmp"
Thu 31 May 2007 1,534 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\ticA0.tmp"
Fri 8 Jun 2007 249 A..H. --- "C:\Documents and Settings\ok3o\Local Settings\Temp\Free Download Manager\ticF0.tmp"
Finished!

Veka · March 2008

Hi. SDFix wasn't expected to remove that fake system alert. Its aim was to get rid of those trojan.

We'll deal with the rest right away.

Please download SmitfraudFix and MBAM to your desktop.

Step 1:

Run SmitfraudFix

Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press Enter.
A text file will appear, which lists infected files (if present).
Copy & paste the content of that report into your next reply.

If the tool fails to launch from the desktop, please move SmitfraudFix directly to the root of the system drive (usually C:) and launch from there.

Note: Process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes.

Step 2:

Run MBAM

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

garfield619 · March 2008

Oh. Was the Trojan removed? SDFix removed i already? the one that dtects my accounts? XD lotsa questions by me again, and here it is, the logs:

SmitFraudFix Log:

SmitFraudFix v2.309
Scan done at 5:29:05.82, Tue 04/01/2008
Run from C:\Documents and Settings\Sam\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\VM303_STI.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sam

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sam\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Sam\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: VIA Compatable Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 203.84.191.216
DNS Server Search Order: 121.1.3.208
DNS Server Search Order: 121.1.3.199
DNS Server Search Order: 121.1.3.250
HKLM\SYSTEM\CCS\Services\Tcpip\..\{08889E7F-A014-426B-AC00-1D5C38C00B75}: DhcpNameServer=203.84.191.216 121.1.3.208 121.1.3.199 121.1.3.250
HKLM\SYSTEM\CS1\Services\Tcpip\..\{08889E7F-A014-426B-AC00-1D5C38C00B75}: DhcpNameServer=203.84.191.216 121.1.3.208 121.1.3.199 121.1.3.250
HKLM\SYSTEM\CS2\Services\Tcpip\..\{08889E7F-A014-426B-AC00-1D5C38C00B75}: DhcpNameServer=203.84.191.216 121.1.3.208 121.1.3.199 121.1.3.250
HKLM\SYSTEM\CS3\Services\Tcpip\..\{08889E7F-A014-426B-AC00-1D5C38C00B75}: DhcpNameServer=203.84.191.216 121.1.3.208 121.1.3.199 121.1.3.250
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=203.84.191.216 121.1.3.208 121.1.3.199 121.1.3.250
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=203.84.191.216 121.1.3.208 121.1.3.199 121.1.3.250
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=203.84.191.216 121.1.3.208 121.1.3.199 121.1.3.250
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=203.84.191.216 121.1.3.208 121.1.3.199 121.1.3.250

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

And The MBAM Log:

Malwarebytes' Anti-Malware 1.09
Database version: 574
Scan type: Quick Scan
Objects scanned: 34593
Time elapsed: 5 minute(s), 10 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenUSave) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

Veka · March 2008

Yea, the trojan should be gone for good. How about the alert? Are you still getting that?

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

garfield619 · April 2008

Yes i am still getting the alert. Heres the kapersky report:

Tuesday, April 01, 2008 12:39:25 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/03/2008
Kaspersky Anti-Virus database records: 675122
Scan SettingsScan using the following antivirus databaseextendedScan ArchivestrueScan Mail BasestrueScan TargetMy ComputerC:\
D:\ Scan StatisticsTotal number of scanned objects60883Number of viruses found1Number of infected objects7Number of suspicious objects0Duration of the scan process01:15:33
Infected Object NameVirus NameLast ActionC:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\$shtdwn$.req Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\baseline.dat Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\deffactory.dat Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\DeleteTemp.exe Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\dlmgr.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\DW20.EXE Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\DWINTL20.DLL Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1025.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1028.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1029.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1030.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1031.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1032.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1033.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1035.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1036.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1037.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1038.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1040.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1041.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1042.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1043.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1044.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1045.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1046.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1049.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1053.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.1055.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.2052.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.2070.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\eula.3082.rtf Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\gencomp.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\HtmlLite.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1025.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1028.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1029.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1030.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1031.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1032.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1035.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1036.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1037.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1038.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1040.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1041.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1042.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1043.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1044.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1045.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1046.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1049.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1053.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.1055.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.2052.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.2070.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.3082.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\locdata.ini Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\logo.bmp Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setup.sdb Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1025.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1028.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1029.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1030.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1031.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1032.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1035.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1036.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1037.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1038.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1040.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1041.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1042.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1043.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1044.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1045.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1046.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1049.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1053.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.1055.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.2052.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.2070.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.3082.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\setupres.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\SITSetup.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\vs70uimgr.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\vsbasereqs.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\vsscenario.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\vs_setup.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\vs_setup.MS_ Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\vs_setup.pdi Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1025.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1028.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1029.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1030.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1031.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1032.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1035.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1036.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1037.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1038.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1040.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1041.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1042.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1043.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1044.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1045.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1046.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1049.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1053.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.1055.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.2052.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.2070.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.3082.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapRes.dll Object is locked skipped C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\WapUI.dll Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\ok3o\NTUSER.DAT Object is locked skipped C:\Documents and Settings\ok3o\NTUSER.DAT.LOG Object is locked skipped C:\Documents and Settings\Sam\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Sam\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\Sam\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\Sam\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\Sam\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped C:\Documents and Settings\Sam\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped C:\Documents and Settings\Sam\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped C:\Documents and Settings\Sam\Local Settings\Application Data\Identities\{B8190752-326D-4B56-A9F6-F1A3A182F46C}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped C:\Documents and Settings\Sam\Local Settings\Application Data\Identities\{B8190752-326D-4B56-A9F6-F1A3A182F46C}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped C:\Documents and Settings\Sam\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped C:\Documents and Settings\Sam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Sam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Sam\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Sam\Local Settings\History\History.IE5\MSHist012008040120080402\index.dat Object is locked skipped C:\Documents and Settings\Sam\Local Settings\Temp\Free Download Manager\tic43F.tmp Object is locked skipped C:\Documents and Settings\Sam\Local Settings\Temp\hpodvd09.log Object is locked skipped C:\Documents and Settings\Sam\Local Settings\Temp\~DFD099.tmp Object is locked skipped C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Sam\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Sam\NTUSER.DAT.LOG Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped C:\Program Files\Free Download Manager\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Program Files\Free Download Manager\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Program Files\Free Download Manager\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\WINDOWS\CSC\00000001 Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped C:\WINDOWS\system32\config\OSession.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\Temp\Perflib_Perfdata_5a0.dat Object is locked skipped C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed.

Veka · April 2008

The Kaspersky's log is clean. But I think I know what's the problem.

Please download ComboFix from here or here to your desktop.

* In the event you already have Combofix, this is a new version that I need you to download.
* It is important that it is saved directly to your desktop

Warning: You should not use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could render your system/pc inoperable.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

garfield619 · April 2008

>_< that warning from combofix scared me XD " roughly, 1/1000 succeeded to fix blah blah blah... ahaha anyway here's the logs:

ComboFix Log:

ComboFix 08-03-30.5 - Sam 2008-04-01 23:19:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.707 [GMT 8:00]
Running from: C:\Downloads\Software\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system\_sv_CMD_
C:\WINDOWS\system32\avtap.dll
C:\WINDOWS\system32\drivers\srnlvzym.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

\Legacy_DNSCON

\Legacy_NETMANAGER

\Legacy_SDUEDSNR

\Service_dnscon

\Service_NetManager

\Service_sduedsnr

((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.
2008-04-01 06:55 . 2008-04-01 06:55 <DIR> d

C:\WINDOWS\system32\Kaspersky Lab
2008-04-01 06:55 . 2008-04-01 06:55 <DIR> d

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-01 05:30 . 2008-04-01 05:30 <DIR> d

C:\Program Files\Malwarebytes' Anti-Malware
2008-04-01 05:30 . 2008-04-01 05:30 <DIR> d

C:\Documents and Settings\Sam\Application Data\Malwarebytes
2008-04-01 05:30 . 2008-04-01 05:30 <DIR> d

C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-01 00:13 . 2008-04-01 00:13 <DIR> d

C:\WINDOWS\ERUNT
2008-04-01 00:10 . 2008-04-01 00:27 <DIR> d

C:\SDFix
2008-03-31 10:46 . 2008-03-30 02:31 75,856 --a

C:\WINDOWS\system32\drivers\aswSP.sys
2008-03-31 10:46 . 2008-03-30 02:35 20,560 --a

C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-03-30 14:51 . 2008-03-30 14:51 <DIR> d

C:\Documents and Settings\Sam\Application Data\Grisoft
2008-03-30 14:51 . 2008-03-30 14:51 <DIR> d

C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-30 14:51 . 2007-05-30 20:10 10,872 --a

C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-30 14:46 . 2008-03-30 14:46 <DIR> d

C:\Program Files\Trend Micro
2008-03-29 03:15 . 2008-03-29 03:15 <DIR> d

C:\Program Files\Spybot - Search & Destroy
2008-03-29 03:15 . 2008-03-29 03:15 <DIR> d

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 21:04 . 2008-03-21 21:04 <DIR> d

C:\Program Files\Zhyper Networks
2008-03-20 00:59 . 2008-03-20 00:59 <DIR> d--h

C:\Documents and Settings\Sam\Application Data\ijjigame
2008-03-19 03:56 . 2008-03-19 03:56 <DIR> d

C:\Documents and Settings\MU double\Application Data\MEGAUPLOADTOOLBAR
2008-03-16 20:25 . 2008-03-16 20:25 319 --a

C:\WINDOWS\game.ini
2008-03-16 19:46 . 2008-03-16 19:46 <DIR> d

C:\Program Files\Activision
2008-03-16 19:41 . 2008-03-16 19:41 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-03-16 01:07 . 2008-03-16 01:07 <DIR> d

C:\Documents and Settings\Sam\WINDOWS
2008-03-16 00:22 . 2008-03-16 00:22 <DIR> d

C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-03-14 16:32 . 2008-03-15 09:20 <DIR> d

C:\Documents and Settings\Sam\Shared
2008-03-14 16:32 . 2008-03-15 10:17 <DIR> d

C:\Documents and Settings\Sam\Incomplete
2008-03-14 16:32 . 2008-03-30 17:27 <DIR> d

C:\Documents and Settings\Sam\Application Data\LimeWire
2008-03-12 00:47 . 2008-03-12 00:47 <DIR> d

C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-12 00:23 . 2008-04-01 05:29 2,972 --a

C:\WINDOWS\system32\tmp.reg
2008-03-11 21:43 . 2006-10-26 19:56 32,592 --a

C:\WINDOWS\system32\msonpmon.dll
2008-03-11 21:40 . 2008-03-11 21:40 <DIR> d

C:\Program Files\Microsoft Works
2008-03-11 21:38 . 2008-03-11 21:38 <DIR> d

C:\Program Files\Microsoft.NET
2008-03-11 21:32 . 2008-03-11 21:32 <DIR> d

C:\Program Files\Microsoft Visual Studio 8
2008-03-11 21:31 . 2008-03-11 21:47 <DIR> d

C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-08 01:20 . 2008-03-08 01:20 <DIR> d

C:\Documents and Settings\Sam\Application Data\Ahead
2008-03-07 23:45 . 2008-03-07 23:45 <DIR> d

C:\Program Files\Hewlett-Packard
2008-03-07 23:40 . 2008-03-07 23:53 <DIR> d

C:\Documents and Settings\Sam\Application Data\HP
2008-03-07 23:40 . 2008-03-07 23:51 113,011 --a

C:\WINDOWS\hpoins07.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 15:18

d

w C:\Documents and Settings\Sam\Application Data\Free Download Manager
2008-04-01 15:15

d

w C:\Documents and Settings\Sam\Application Data\MegauploadToolbar
2008-04-01 14:35

d

w C:\Program Files\Warcraft III
2008-03-31 21:22

d

w C:\Program Files\Free Download Manager
2008-03-29 18:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 18:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 18:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 18:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-26 18:57

d

w C:\Program Files\Java
2008-03-21 13:04

d--h--w C:\Program Files\InstallShield Installation Information
2008-03-15 02:18

d

w C:\Program Files\LimeWire
2008-03-07 15:45

d

w C:\Program Files\HP
2008-02-26 18:14

d

w C:\Program Files\Windows Media Bonus Pack for Windows XP
2008-02-22 12:22

d

w C:\Program Files\MegauploadToolbar
2008-02-22 12:19

d

w C:\Documents and Settings\Sam\Application Data\Yahoo!
2008-02-21 17:23

d

w C:\Documents and Settings\ok3o\Application Data\Free Download Manager
2008-02-20 19:07

d

w C:\Documents and Settings\ok3o\Application Data\LimeWire
2008-02-14 16:15

d

w C:\Program Files\Common Files\Adobe
2008-02-12 18:50

d

w C:\Program Files\MSBuild
2008-02-12 18:49

d

w C:\Program Files\Reference Assemblies
2008-02-12 18:46

d

w C:\Program Files\MSXML 6.0
2008-02-10 17:05

d

w C:\Program Files\Microsoft Silverlight
2008-02-10 07:36

d--h--r C:\Documents and Settings\ok3o\Application Data\yahoo!
2008-02-10 07:36

d

w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-08 18:52

d

w C:\Program Files\Alwil Software
2008-02-08 15:59

d

w C:\Program Files\CCleaner
2008-02-08 13:57

d

w C:\Documents and Settings\ok3o\Application Data\IGN_DLM
2008-02-08 13:52

d

w C:\Program Files\Windows Media Connect 2
2008-02-08 12:51

d

w C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-08 12:39

d

w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-02-05 16:15

d

w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-02-01 14:11

d

w C:\Program Files\Common Files\INCA Shared
2007-11-07 11:39 633,848 -c--a-w C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\DW20.EXE
2007-11-07 11:39 111,616 -c--a-w C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\DWINTL20.DLL
2007-11-07 11:00 784 ----a-w C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\deffactory.dat
2007-11-07 11:00 210,834 ----a-w C:\Documents and Settings\7ffe084e802fe89695bf697f33298b9e\baseline.dat
2007-08-29 15:50 81 --sha-w C:\WINDOWS\NT.Config`.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-05-15 17:12 484904]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 10:21 153136]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49 4662776]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-06-20 18:53 1056768]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 18:39 90112 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"BigDog303"="C:\WINDOWS\VM303_STI.exe" [2005-10-25 12:56 61440]
"tarkmgr.exe"="tarkmgr.exe" []
"ccPrxy.exe"="ccPrxy.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 17:25 6731312]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\Garena.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-30 02:31]
R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-16 14:23]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-30 02:35]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt []
S3 XDva009;XDva009;C:\WINDOWS\system32\XDva009.sys []
S3 XDva016;XDva016;C:\WINDOWS\system32\XDva016.sys []
S3 XDva019;XDva019;C:\WINDOWS\system32\XDva019.sys []
S3 XDva025;XDva025;C:\WINDOWS\system32\XDva025.sys []
S3 XDva031;XDva031;C:\WINDOWS\system32\XDva031.sys []
S3 XDva032;XDva032;C:\WINDOWS\system32\XDva032.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07d33abc-c1c0-11dc-af7f-00e04cf2ceb9}]
\Shell\AutoRun\command - setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{329df72c-ac27-11dc-af40-00e04cf2ceb9}]
\Shell\AutoRun\command - E:\bar311.exe %1
\Shell\Explore\command - E:\bar311.exe %1
\Shell\Open\command - E:\bar311.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{feb39966-f196-11dc-b039-00e04cf2ceb9}]
\Shell\AutoRun\command - scvhosts.exe
\Shell\Open\command - scvhosts.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-03-28 09:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 02:23:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\C:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt"
.

Other Running Processes

.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2008-04-02 2:26:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-01 18:26:04
Pre-Run: 8,987,320,320 bytes free
Post-Run: 8,963,792,896 bytes free
.
2008-03-31 16:36:43 --- E O F ---

HijackThis Log:

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [tarkmgr.exe] tarkmgr.exe
O4 - HKLM\..\Run: [ccPrxy.exe] ccPrxy.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download all with Free Download Manager - [URL]file://C:\Program[/URL] Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - [URL]file://C:\Program[/URL] Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - [URL]file://C:\Program[/URL] Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - [URL]file://C:\Program[/URL] Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202230686937
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/keycrypt/npkcx.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 9980 bytes

Veka · April 2008

Hello there. Now it looks pretty good.

Please do the following...

1. Please open Notepad

Click Start , then Run
Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
E:\bar311.exe

Driver::
XDva009
XDva016
XDva019
XDva025
XDva031
XDva032

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tarkmgr.exe"=-
"ccPrxy.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{329df72c-ac27-11dc-af40-00e04cf2ceb9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{feb39966-f196-11dc-b039-00e04cf2ceb9}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

Is the alert gone now?

garfield619 · April 2008

before doing that, yes the alert is gone. is double post alright here? XD. i gotta attend at a event at my game >_< but yes the alert does not already appear. tired it by oppening folders from MY Doc. and MY. Com. just gonna finish this and i will post the logs quickly!

Veka · April 2008

Thank you, I'm waiting your logs.

garfield619 · April 2008

Ahh At last here it is Vekarppe:

ComboFix Txt:

ComboFix 08-03-30.5 - Sam 2008-04-03 0:46:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.802 [GMT 8:00]
Running from: C:\Downloads\Software\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sam\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
E:\bar311.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

\Legacy_XDVA009

\Legacy_XDVA016

\Legacy_XDVA019

\Legacy_XDVA025

\Legacy_XDVA031

\Legacy_XDVA032

\Service_XDva009

\Service_XDva016

\Service_XDva019

\Service_XDva025

\Service_XDva031

\Service_XDva032

((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.
2008-04-03 00:38 . 2008-01-07 14:29 352 --ah

C:\WINDOWS\nod32fixtemdono.reg
2008-04-03 00:33 . 2008-04-03 00:33 <DIR> d

C:\Program Files\ESET
2008-04-03 00:33 . 2008-04-03 00:33 <DIR> d