csrss.exe issue


Comments

  • edited May 2008
    Good, not that. But then still not sure where this is loading from. I notice along with all the other software you have Adobe's $1800 CS software there. Any chance you swapped out the legit Photoshop.exe for a doctored one, to bypass the registrations on that? Since an affirmative answer means we stop all assistance here, better not answer that if yes. But the majority of those doctored files are doctored by the malware vendors lately, so it is most definitely not any freebie.


    Go again to Start - Run, type cmd (and OK). At the prompt copy and paste the below commands (hit Enter after each line).

    cd\

    regdelnull hkcu -s

    (be sure to place a space after hkcu)

    Your registry will be scanned, and if any Null entries are found, the scan will stop and you will be asked to confirm deletion. For now, type n and hit Enter, and let the scan continue until it has finished.

    Then again at the command prompt, copy/paste the following, and do the same procedures, including choosing n for No for now.

    regdelnull hklm -s

    Repeat the copy steps and post that info back here please.
  • edited May 2008
    Weirdly no scan took place. I've got this:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Administrator>cd\

    C:\>regdelnull hkcu -s
    'regdelnull' is not recognized as an internal or external command,
    operable program or batch file.

    C:\>

    On the Adobe thing I have to say at this point I'm not the only user of this machine so chances are this has been installed by someone else. If this stops the Malware issue I'll be happy to delete it if that's OK.
  • edited May 2008
    Best to check with the other user and ensure the copy there is a legitimate and authorized use. If not, then yes, you would want any software like that off the system. If you recheck your RegDelNull step you will see you did not use cd\ so it was starting from the wrong location. Basically right now you will want to do this:

    cd\

    regdelnull hkcu -s


    Then that runs, and you then type or copy/paste:

    regdelnull hklm -s

    Then that runs, you have chosen "n" for no to both and you copy and paste those results back here please.
  • edited May 2008
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Administrator>cd\

    C:\>regdelnull hkcu -s

    RegDelNull v1.10 - Delete Registry keys with embedded Nulls
    Copyright (C) 2005-2006 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Scan complete.


    C:\>regdelnull hklm -s

    RegDelNull v1.10 - Delete Registry keys with embedded Nulls
    Copyright (C) 2005-2006 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Scan complete.


    C:\>
  • edited May 2008
    Good. No recreation there, but of course still no ID on what is recreating the BHO infection.


    Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".

    Then go here, press new topic, fill in the needed details and just give a link to your post back here (see the "Instructions for uploading files" there for help, if needed). Then press the browse button and then navigate to & select the file(s) on your computer.

    C:\Documents and Settings\Administrator\Application Data\vso_ts_preview.xml
    C:\WINDOWS\system32\msafd32.dll

    You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.
  • edited May 2008
    OK. I believe I've done that.
  • edited May 2008
    I received the file, thanks. The .dll is recognized malware, which really is no surprise. A little unrecognized as far as the majority of the vendors right now. It has the capabilities using some part of the speech recognition software there to load as a language bar, and using that for connecting, logging in and downloading malware. So all the repair steps there from here on out will require you disconnect from net access before doing them (completely disconnect, not just close your browser window).


    On that note, once you have made some accessible copy of the following steps, disconnect from net access.


    Then open OTMoveIt again.

    Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or right-click and choose Copy):

    C:\WINDOWS\system32\msafd32.dll

    Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window and select Paste. Then click the red MoveIt! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder, in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C507FA85-E226-4AAC-99AA-B6C27A14AE9E}]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A9C50ACC-AEBA-4D27-B7EC-0767ECFC11E8}]
    
    [-HKEY_CLASSES_ROOT\CLSID\{C507FA85-E226-4AAC-99AA-B6C27A14AE9E}]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C507FA85-E226-4AAC-99AA-B6C27A14AE9E}]
    
    [-HKEY_CLASSES_ROOT\TypeLib\{C507FA85-E226-4AAC-99AA-B6C27A14AE9E}]
    
    [-HKEY_CLASSES_ROOT\CLSID\{A9C50ACC-AEBA-4D27-B7EC-0767ECFC11E8}]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9C50ACC-AEBA-4D27-B7EC-0767ECFC11E8}]
    
    [-HKEY_CLASSES_ROOT\TypeLib\{A9C50ACC-AEBA-4D27-B7EC-0767ECFC11E8}]
    
    Open Notepad (Start - Run, type notepad and OK) and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it morfix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.


    Go to Start > Run and type:

    cmd.exe

    and ok. Copy and paste the below string after the prompt >

    dir /s /a "c:\ac3f9co3*.*" > c:\find.txt & start notepad c:\find.txt

    Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.

    @ECHO OFF
    if exist Regsearch1.txt del /q Regsearch1.txt
    regedit /e Regsearch1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    Notepad Regsearch1.txt
    
    Copy/paste the above text into the open text box, then save this to your desktop as "runlook.bat"

    Be sure to include the "" quotes in the name. Then click on runlook.bat. When the scan completes a textbox will open - copy/paste those contents back here please.


    Then still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Process Modules

    Then under Extra Log, uncheck all the boxes.

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

    Reconnect to net access, and post that along with the c:\find.txt and the regsearch1.txt results please.
  • edited May 2008
    Don't worry about doing this Run step:

    dir /s /a "c:\ac3f9co3*.*" > c:\find.txt & start notepad c:\find.txt

    I can see in the file code now it is just some of the user interface functions the malware is loading from this legit file:

    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03/comctl32.dll
  • edited May 2008
    Deckard's System Scanner v20071014.68
    Run by Administrator on 2008-05-18 12:20:20
    Computer is in Normal Mode.

    Performed disk cleanup.



    -- HijackThis (run as Administrator.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:20:54, on 18/05/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\NVATray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Administrator\desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/weather/5day.shtml?id=2478
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: (no name) - {D91896F8-8BC7-44B8-9C17-D64F7FAC7F30} - C:\WINDOWS\system32\msafd32.dll (file missing)
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

    --
    End of file - 5926 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080503-172548-312 O24 - Desktop Component 0: (no name) - (no file)
    backup-20080503-172548-651 O1 - Hosts: 66.98.148.65 auto.search.msn.es
    backup-20080503-172548-872 O1 - Hosts: 66.98.148.65 auto.search.msn.com
    backup-20080503-172548-955 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
    backup-20080515-171114-494 O2 - BHO: (no name) - {A9C50ACC-AEBA-4D27-B7EC-0767ECFC11E8} - C:\WINDOWS\system32\netmogon.dll (file missing)
    backup-20080515-171114-942 O24 - Desktop Component 0: (no name) - (no file)

    -- File Associations

    .reg - regfile - shell\open\command - regedit.exe "%1" %*
    .scr - scrfile - shell\open\command - "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

    S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
    S3 mbr - c:\docume~1\admini~1\locals~1\temp\mbr.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
    S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


    -- Device Manager: Disabled

    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia Windows Portable Device Driver
    Device ID: ROOT\WPD\0000
    Manufacturer: Nokia
    Name: Nokia 5200
    PNP Device ID: ROOT\WPD\0000
    Service: WUDFRd

    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia Windows Portable Device Driver
    Device ID: ROOT\WPD\0001
    Manufacturer: Nokia
    Name: Nokia 6300ows Portable Device Driver
    PNP Device ID: ROOT\WPD\0001
    Service: WUDFRd


    -- Scheduled Tasks

    2008-05-16 19:06:15 392 --a
    C:\WINDOWS\Tasks\1-Click Maintenance.job


    -- Files created between 2008-04-18 and 2008-05-18

    2008-05-16 20:15:18 66048 --a
    C:\mbr.exe
    2008-05-15 17:13:29 1478 --a
    C:\WINDOWS\system32\tmp.reg
    2008-05-15 17:13:10 25600 --a
    C:\WINDOWS\system32\WS2Fix.exe
    2008-05-15 17:13:10 289144 --a
    C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2008-05-15 17:13:10 86528 --a
    C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
    2008-05-15 17:13:10 288417 --a
    C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2008-05-15 17:13:10 51200 --a
    C:\WINDOWS\system32\dumphive.exe
    2008-05-15 17:13:09 53248 --a
    C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2008-05-14 14:56:53 0 d
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-05-14 10:31:57 0 d
    C:\Program Files\GetTubeVideo
    2008-05-10 10:32:33 0 d
    C:\Documents and Settings\Administrator\Application Data\GeoVid
    2008-05-10 10:32:28 60416 --a
    C:\WINDOWS\system32\dsetup.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Windows®>
    2008-05-10 10:32:27 0 d
    C:\Program Files\GeoVid
    2008-05-07 06:00:35 0 dr-h
    C:\Documents and Settings\Administrator\Recent
    2008-05-03 18:15:40 0 d
    C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-05-03 18:15:34 0 d
    C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-03 18:15:34 0 d
    C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-05-03 18:15:15 0 d
    C:\Program Files\Common Files\Download Manager
    2008-05-03 17:36:36 0 d
    C:\WINDOWS\ERUNT
    2008-05-03 17:23:20 0 d
    C:\Program Files\Trend Micro


    -- Find3M Report

    2008-05-18 09:31:43 0 d
    C:\Documents and Settings\Administrator\Application Data\AVG7
    2008-05-17 21:58:16 0 d
    C:\Documents and Settings\Administrator\Application Data\Vso
    2008-05-17 21:58:14 668 --a
    C:\Documents and Settings\Administrator\Application Data\vso_ts_preview.xml
    2008-05-17 17:19:14 0 d
    C:\Documents and Settings\Administrator\Application Data\Azureus
    2008-05-03 19:08:42 0 d
    C:\Documents and Settings\Administrator\Application Data\ppstream
    2008-05-03 18:15:15 0 d
    C:\Program Files\Common Files
    2008-04-27 13:32:21 664 --a
    C:\WINDOWS\system32\d3d9caps.dat
    2008-04-24 21:53:14 0 d
    C:\Program Files\Picasa2
    2008-04-16 18:43:24 0 d
    C:\Program Files\VSO
    2008-04-16 18:40:59 34 --a
    C:\Documents and Settings\Administrator\Application Data\pcouffin.log
    2008-04-16 18:40:29 47360 --a
    C:\Documents and Settings\Administrator\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
    2008-04-16 18:40:29 1144 --a
    C:\Documents and Settings\Administrator\Application Data\pcouffin.inf
    2008-04-16 18:40:29 7887 --a
    C:\Documents and Settings\Administrator\Application Data\pcouffin.cat
    2008-04-15 20:39:10 0 d
    C:\Program Files\eMule
    2008-04-15 19:49:03 0 d
    C:\Program Files\Azureus
    2008-04-14 09:26:15 2399 --a
    C:\Documents and Settings\Administrator\Application Data\NMM-MetaData.db
    2008-04-14 09:17:41 0 d
    C:\Documents and Settings\Administrator\Application Data\FrostWire
    2008-04-09 19:31:26 0 d
    C:\Documents and Settings\Administrator\Application Data\dvdcss
    2008-04-06 17:06:53 0 d
    C:\Program Files\TuneUp Utilities 2008
    2008-04-06 17:03:43 0 d
    C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-06 16:44:03 0 d
    C:\Program Files\Common Files\Ahead
    2008-04-06 16:43:59 0 d
    C:\Program Files\Ahead
    2008-04-05 20:56:38 0 d
    C:\Program Files\Nero
    2008-04-05 20:32:18 0 d
    C:\Program Files\Common Files\Ahead(2)
    2008-04-05 20:18:32 0 d
    C:\Program Files\MSI
    2008-04-03 19:55:34 0 d
    C:\Documents and Settings\Administrator\Application Data\ImgBurn
    2008-03-26 07:01:35 0 d
    C:\Program Files\Astonsoft
    2008-03-26 06:48:08 0 d
    C:\Documents and Settings\Administrator\Application Data\DeepBurner
    2008-03-25 20:38:16 0 d--h
    C:\Program Files\InstallShield Installation Information
    2008-03-20 07:02:05 0 d
    C:\Program Files\My Screensaver
    2008-03-19 21:01:42 0 d
    C:\Program Files\SopCast
    2008-03-14 16:42:57 5338 --a
    C:\WINDOWS\system32\EPPICResdb0000
    2008-03-14 16:42:57 120 --a
    C:\WINDOWS\system32\EPPICResdb


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D91896F8-8BC7-44B8-9C17-D64F7FAC7F30}]
    C:\WINDOWS\system32\msafd32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [15/04/2008 08:43]
    "NVIDIA nForce APU1 Utilities"="NVATray.exe" [19/01/2002 00:33 C:\WINDOWS\system32\NVATray.exe]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/04/2007 19:10]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "EPSON Stylus Photo RX420 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
    "NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
    "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp




    -- End of Deckard's System Scanner: finished at 2008-05-18 12:21:21

    C:\WINDOWS\system32\msafd32.dll unregistered successfully.
    C:\WINDOWS\system32\msafd32.dll moved successfully.

    OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05182008_121149

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "NVIDIA nForce APU1 Utilities"="NVATray.exe"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    @=&quot;"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"
    @=&quot;"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"
    @=&quot;"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"
    @=&quot;"
  • edited May 2008
    Good. Let's see where you are at now as far as this nuisance goes.

    Open and update Malwarebytes (they have this file info now so let's see if any updated scans catch anything). Close it without scanning for the moment. Then copy in some manner the following steps, and disconnect from net access again.

    Once disconnected from net access open Malwarebytes again.

    * Once the program has loaded, this time select "Perform Complete Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs skip that for now.


    Then Close all open windows and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis. Malwarebytes may have already removed this, so if it does not show in HijackThis just move to the next steps.

    O2 - BHO: (no name) - {D91896F8-8BC7-44B8-9C17-D64F7FAC7F30} - C:\WINDOWS\system32\msafd32.dll (file missing)


    Now reboot.

    After the reboot, still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Process Modules

    Then under Extra Log, uncheck all the boxes except this one:

    Security Center

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

    Reconnect to net access, and post that along with the Malwarebytes log please.
  • edited May 2008
    Deckard's System Scanner v20071014.68
    Run by Administrator on 2008-05-18 16:58:50
    Computer is in Normal Mode.

    Performed disk cleanup.



    -- HijackThis (run as Administrator.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:58:58, on 18/05/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\NVATray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Administrator\desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/weather/5day.shtml?id=2478
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: (no name) - {E748823A-E93B-4E8C-B503-7698EC1DF350} - C:\WINDOWS\system32\mqise32.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

    --
    End of file - 5878 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080503-172548-312 O24 - Desktop Component 0: (no name) - (no file)
    backup-20080503-172548-651 O1 - Hosts: 66.98.148.65 auto.search.msn.es
    backup-20080503-172548-872 O1 - Hosts: 66.98.148.65 auto.search.msn.com
    backup-20080503-172548-955 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
    backup-20080515-171114-494 O2 - BHO: (no name) - {A9C50ACC-AEBA-4D27-B7EC-0767ECFC11E8} - C:\WINDOWS\system32\netmogon.dll (file missing)
    backup-20080515-171114-942 O24 - Desktop Component 0: (no name) - (no file)
    backup-20080518-165447-599 O2 - BHO: (no name) - {D91896F8-8BC7-44B8-9C17-D64F7FAC7F30} - C:\WINDOWS\system32\msafd32.dll (file missing)

    -- File Associations

    .reg - regfile - shell\open\command - regedit.exe "%1" %*
    .scr - scrfile - shell\open\command - "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

    S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
    S3 mbr - c:\docume~1\admini~1\locals~1\temp\mbr.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
    S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


    -- Device Manager: Disabled

    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia Windows Portable Device Driver
    Device ID: ROOT\WPD\0000
    Manufacturer: Nokia
    Name: Nokia 5200
    PNP Device ID: ROOT\WPD\0000
    Service: WUDFRd

    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia Windows Portable Device Driver
    Device ID: ROOT\WPD\0001
    Manufacturer: Nokia
    Name: Nokia 6300ows Portable Device Driver
    PNP Device ID: ROOT\WPD\0001
    Service: WUDFRd


    -- Scheduled Tasks

    2008-05-16 19:06:15 392 --a
    C:\WINDOWS\Tasks\1-Click Maintenance.job


    -- Files created between 2008-04-18 and 2008-05-18

    2008-05-18 16:58:17 14848 --a
    C:\WINDOWS\system32\mqise32.dll
    2008-05-16 20:15:18 66048 --a
    C:\mbr.exe
    2008-05-15 17:13:29 1478 --a
    C:\WINDOWS\system32\tmp.reg
    2008-05-15 17:13:10 25600 --a
    C:\WINDOWS\system32\WS2Fix.exe
    2008-05-15 17:13:10 289144 --a
    C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2008-05-15 17:13:10 86528 --a
    C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
    2008-05-15 17:13:10 288417 --a
    C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2008-05-15 17:13:10 51200 --a
    C:\WINDOWS\system32\dumphive.exe
    2008-05-15 17:13:09 53248 --a
    C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2008-05-14 14:56:53 0 d
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-05-14 10:31:57 0 d
    C:\Program Files\GetTubeVideo
    2008-05-10 10:32:33 0 d
    C:\Documents and Settings\Administrator\Application Data\GeoVid
    2008-05-10 10:32:28 60416 --a
    C:\WINDOWS\system32\dsetup.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Windows®>
    2008-05-10 10:32:27 0 d
    C:\Program Files\GeoVid
    2008-05-07 06:00:35 0 dr-h
    C:\Documents and Settings\Administrator\Recent
    2008-05-03 18:15:40 0 d
    C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-05-03 18:15:34 0 d
    C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-03 18:15:34 0 d
    C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-05-03 18:15:15 0 d
    C:\Program Files\Common Files\Download Manager
    2008-05-03 17:36:36 0 d
    C:\WINDOWS\ERUNT
    2008-05-03 17:23:20 0 d
    C:\Program Files\Trend Micro


    -- Find3M Report

    2008-05-18 15:38:04 0 d
    C:\Documents and Settings\Administrator\Application Data\AVG7
    2008-05-17 21:58:16 0 d
    C:\Documents and Settings\Administrator\Application Data\Vso
    2008-05-17 21:58:14 668 --a
    C:\Documents and Settings\Administrator\Application Data\vso_ts_preview.xml
    2008-05-17 17:19:14 0 d
    C:\Documents and Settings\Administrator\Application Data\Azureus
    2008-05-03 19:08:42 0 d
    C:\Documents and Settings\Administrator\Application Data\ppstream
    2008-05-03 18:15:15 0 d
    C:\Program Files\Common Files
    2008-04-27 13:32:21 664 --a
    C:\WINDOWS\system32\d3d9caps.dat
    2008-04-24 21:53:14 0 d
    C:\Program Files\Picasa2
    2008-04-16 18:43:24 0 d
    C:\Program Files\VSO
    2008-04-16 18:40:59 34 --a
    C:\Documents and Settings\Administrator\Application Data\pcouffin.log
    2008-04-16 18:40:29 47360 --a
    C:\Documents and Settings\Administrator\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
    2008-04-16 18:40:29 1144 --a
    C:\Documents and Settings\Administrator\Application Data\pcouffin.inf
    2008-04-16 18:40:29 7887 --a
    C:\Documents and Settings\Administrator\Application Data\pcouffin.cat
    2008-04-15 20:39:10 0 d
    C:\Program Files\eMule
    2008-04-15 19:49:03 0 d
    C:\Program Files\Azureus
    2008-04-14 09:26:15 2399 --a
    C:\Documents and Settings\Administrator\Application Data\NMM-MetaData.db
    2008-04-14 09:17:41 0 d
    C:\Documents and Settings\Administrator\Application Data\FrostWire
    2008-04-09 19:31:26 0 d
    C:\Documents and Settings\Administrator\Application Data\dvdcss
    2008-04-06 17:06:53 0 d
    C:\Program Files\TuneUp Utilities 2008
    2008-04-06 17:03:43 0 d
    C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-06 16:44:03 0 d
    C:\Program Files\Common Files\Ahead
    2008-04-06 16:43:59 0 d
    C:\Program Files\Ahead
    2008-04-05 20:56:38 0 d
    C:\Program Files\Nero
    2008-04-05 20:32:18 0 d
    C:\Program Files\Common Files\Ahead(2)
    2008-04-05 20:18:32 0 d
    C:\Program Files\MSI
    2008-04-03 19:55:34 0 d
    C:\Documents and Settings\Administrator\Application Data\ImgBurn
    2008-03-26 07:01:35 0 d
    C:\Program Files\Astonsoft
    2008-03-26 06:48:08 0 d
    C:\Documents and Settings\Administrator\Application Data\DeepBurner
    2008-03-25 20:38:16 0 d--h
    C:\Program Files\InstallShield Installation Information
    2008-03-20 07:02:05 0 d
    C:\Program Files\My Screensaver
    2008-03-19 21:01:42 0 d
    C:\Program Files\SopCast
    2008-03-14 16:42:57 5338 --a
    C:\WINDOWS\system32\EPPICResdb0000
    2008-03-14 16:42:57 120 --a
    C:\WINDOWS\system32\EPPICResdb


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E748823A-E93B-4E8C-B503-7698EC1DF350}]
    18/05/2008 16:58 14848 --a
    C:\WINDOWS\system32\mqise32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [15/04/2008 08:43]
    "NVIDIA nForce APU1 Utilities"="NVATray.exe" [19/01/2002 00:33 C:\WINDOWS\system32\NVATray.exe]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/04/2007 19:10]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "EPSON Stylus Photo RX420 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
    "NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
    "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp




    -- End of Deckard's System Scanner: finished at 2008-05-18 16:59:28

    Malware found 6 infections. Here's the log:

    Malwarebytes' Anti-Malware 1.12
    Database version: 762

    Scan type: Full Scan (C:\|)
    Objects scanned: 143857
    Time elapsed: 47 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{ec6c69f7-decb-4c3c-af36-6853ed0fcd66} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ec6c69f7-decb-4c3c-af36-6853ed0fcd66} (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{72AD84C7-0D55-4911-842C-050ACFF80187}\RP504\A0121715.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\keymgr32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\_OTMoveIt\MovedFiles\05152008_055053\WINDOWS\system32\netmogon.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\_OTMoveIt\MovedFiles\05182008_121149\WINDOWS\system32\msafd32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
  • edited May 2008
    It was able to recreate again.

    Go here and download sysdump.zip to your desktop, and unzip it to its own folder. Then in that folder locate and click on sysdump.exe. The scan will run fairly quickly, after which it will create some files in the new sysdump folder. Since the resulting log files will be too large to post back here, locate the sysdump.html.gz and the sysdump.txt files in the sysdump folder, and again go here, press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select the files on your computer.

    You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.
  • edited May 2008
    When I click to download I get this http://windowsitpro.com/docs/files/78483/sysdump.zip
  • edited May 2008
    They must have scooped up the site. Darn, it was a last holdout for the download I am aware of, so that scan is no longer available.


    Download DiagHelp.zip from here and unzip it. In the DiagHelp folder created locate the go.cmd file and click on it to start the scan. A window will open, and from the menu select option 1. Follow all prompts, but do not run any other programs and unless you are responding to a prompt do not touch your keyboard. Once the scan has completed a text should open in Notepad - please copy the contents back here. This will take a few minutes so please be patient.

    Due to a system difference in language use when the scan shows the following in the command window:

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    Just press ENTER at that point to finish out the scan. The resulting log should be C:\resultat.txt if a text copy does not pop up at the end of the scan.

    (Note: If you have XP Pro your system will automatically reboot at this time. After the reboot a window will open - press any key to continue. Diaghelp will then open Notepad with the resultat.txt log. Close this for now and allow your desktop to complete loading, then locate the C:\resultat.txt log and copy/paste that back here.)

    This scan also does its own file capturing process, and encourages an upload of that. Though you can opt to do that it is not necessary, and not clear if all the correct arrangements have been made for it to do that. My steps may also be dated, since I have not used it recently enough to update them, but you should be able to run it without problems.
  • edited May 2008
    No scan took place. Some French writing appeared in a cmd box so I just hit 1 and enter but no scan.
  • edited May 2008
    The scan uses cmd.exe to open that window, then next uses more functions of that to start the scanning process. Not quite sure with that scenario why one starts but the next step hangs. Make sure all security software is disabled, then try that again. If it does not respond, reboot into Safe Mode (at startup tap the F8 key and select that from the menu - not Safe Mode with Networking though).

    Try the same steps there and see if you can get a log produced.
  • edited May 2008
    My apologies. First time around AVG was running. Here's the log:

    DiagHelp version v1.4 - http://www.malekal.com
    excute le 19/05/2008 à 21:48:25.25


    Liste des derniers fichies modifies/crees dans windir\system32 et prefetch
    C:\WINDOWS\prefetch\CMD.EXE-087B4001.pf -->19/05/2008 21:48:20
    C:\WINDOWS\prefetch\CHCP.COM-18156052.pf -->19/05/2008 21:48:15
    C:\WINDOWS\prefetch\WINRAR.EXE-39C6DAD9.pf -->19/05/2008 21:47:53
    C:\WINDOWS\prefetch\WUAUCLT.EXE-399A8E72.pf -->19/05/2008 21:46:36
    C:\WINDOWS\prefetch\WMIPRVSE.EXE-28F301A9.pf -->19/05/2008 21:46:36
    C:\WINDOWS\prefetch\NTOSBOOT-B00DFAAD.pf -->19/05/2008 21:46:36
    C:\WINDOWS\prefetch\LOGONUI.EXE-0AF22957.pf -->19/05/2008 20:17:33
    C:\WINDOWS\prefetch\FIREFOX.EXE-28641590.pf -->19/05/2008 20:14:18
    C:\WINDOWS\prefetch\VLC.EXE-22DF01AA.pf -->19/05/2008 20:13:08
    C:\WINDOWS\prefetch\VERCLSID.EXE-3667BD89.pf -->19/05/2008 20:12:37

    C:\WINDOWS\System32\drivers\gmer.sys -->13/05/2008 19:34:34
    C:\WINDOWS\System32\drivers\mbamcatchme.sys -->05/05/2008 20:46:36
    C:\WINDOWS\System32\drivers\mbam.sys -->05/05/2008 20:46:32
    C:\WINDOWS\System32\drivers\pcouffin.sys -->16/04/2008 18:40:29
    C:\WINDOWS\System32\drivers\avgclean.sys -->21/12/2007 11:23:47
    C:\WINDOWS\System32\drivers\avgmfx86.sys -->21/12/2007 11:23:29
    C:\WINDOWS\System32\drivers\mrxdav.sys -->18/12/2007 10:51:35

    C:\WINDOWS\System32\d3d9caps.dat -->18/05/2008 18:09:29
    C:\WINDOWS\System32\mqise32.dll -->18/05/2008 16:58:17
    C:\WINDOWS\System32\wpa.dbl -->18/05/2008 09:30:39
    C:\WINDOWS\System32\tmp.txt -->15/05/2008 17:13:29
    C:\WINDOWS\System32\tmp.reg -->15/05/2008 17:13:29
    C:\WINDOWS\System32\MRT.exe -->09/05/2008 22:35:04
    C:\WINDOWS\System32\VACFix.exe -->24/04/2008 08:10:33
    C:\WINDOWS\System32\FNTCACHE.DAT -->09/04/2008 17:50:55
    C:\WINDOWS\System32\TuneUpDefragService.exe -->06/04/2008 17:06:57
    C:\WINDOWS\System32\nscompat.tlb -->05/04/2008 21:05:17
    C:\WINDOWS\System32\amcompat.tlb -->05/04/2008 21:05:17
    C:\WINDOWS\System32\PerfStringBackup.INI -->30/03/2008 07:42:37
    C:\WINDOWS\System32\perfh009.dat -->30/03/2008 07:42:37
    C:\WINDOWS\System32\perfc009.dat -->30/03/2008 07:42:37
    C:\WINDOWS\System32\msjint40.dll -->27/03/2008 09:12:54
    C:\WINDOWS\System32\msxbde40.dll -->25/03/2008 05:50:58
    C:\WINDOWS\System32\mswstr10.dll -->25/03/2008 05:50:58
    C:\WINDOWS\System32\mswdat10.dll -->25/03/2008 05:50:57
    C:\WINDOWS\System32\mstext40.dll -->25/03/2008 05:50:55
    C:\WINDOWS\System32\msrepl40.dll -->25/03/2008 05:50:52
    C:\WINDOWS\System32\msrd3x40.dll -->25/03/2008 05:50:49
    C:\WINDOWS\System32\msrd2x40.dll -->25/03/2008 05:50:47
    C:\WINDOWS\System32\mspbde40.dll -->25/03/2008 05:50:45
    C:\WINDOWS\System32\msltus40.dll -->25/03/2008 05:50:44
    C:\WINDOWS\System32\msjtes40.dll -->25/03/2008 05:50:42

    C:\WINDOWS\WindowsUpdate.log -->19/05/2008 21:46:15
    C:\WINDOWS\0.log -->19/05/2008 21:45:37
    C:\WINDOWS\wiadebug.log -->19/05/2008 21:45:35
    C:\WINDOWS\wiaservc.log -->19/05/2008 21:45:28
    C:\WINDOWS\bootstat.dat -->19/05/2008 21:45:05
    C:\WINDOWS\SchedLgU.Txt -->19/05/2008 20:17:34
    C:\WINDOWS\NeroDigital.ini -->19/05/2008 20:14:00
    C:\WINDOWS\QTFont.qfn -->18/05/2008 22:11:22
    C:\WINDOWS\QTFont.for -->15/05/2008 14:12:53
    C:\WINDOWS\wmsetup.log -->15/05/2008 13:11:02
    C:\WINDOWS\setupapi.log -->14/05/2008 22:05:08
    C:\WINDOWS\tsoc.log -->14/05/2008 18:33:30
    C:\WINDOWS\tabletoc.log -->14/05/2008 18:33:30
    C:\WINDOWS\ocmsn.log -->14/05/2008 18:33:30
    C:\WINDOWS\ocgen.log -->14/05/2008 18:33:30

    winlogon.exe
    Verified: Unsigned
    svchost.exe
    Verified: Signed
    ws2_32.dll
    Verified: Signed
    user32.dll
    Verified: Signed
    tcpip.sys
    Verified: Signed
    ndis.sys
    Verified: Signed
    null.sys
    Verified: Signed


    ListDLLs v2.25 - DLL lister for Win9x/NT
    Copyright (C) 1997-2004 Mark Russinovich
    Sysinternals - www.sysinternals.com

    explorer.exe pid: 1580
    Command line: C:\WINDOWS\Explorer.EXE

    Base Size Version Path
    0x5d090000 0x9a000 5.82.2900.2982 C:\WINDOWS\system32\comctl32.dll
    0x76fd0000 0x7f000 2001.12.4414.0308 C:\WINDOWS\system32\CLBCATQ.DLL
    0x77050000 0xc5000 2001.12.4414.0258 C:\WINDOWS\system32\COMRes.dll
    0x7d1e0000 0x2be000 3.01.4000.4039 C:\WINDOWS\system32\msi.dll
    0x76b20000 0x11000 3.05.2284.0000 C:\WINDOWS\system32\ATL.DLL
    0x164a0000 0x23000 5.02.5721.5145 C:\WINDOWS\system32\WPDShServiceObj.dll
    0x10000000 0x8e000 6.82.0063.0009 C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
    0x022c0000 0x8b000 6.82.0077.0000 C:\Program Files\Nokia\Nokia PC Suite 6\PCSCM.dll
    0x02350000 0x3b000 6.82.0072.0002 C:\Program Files\PC Connectivity Solution\ConnAPI.DLL
    0x7c420000 0x87000 8.00.50727.1433 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCP80.dll
    0x78130000 0x9b000 8.00.50727.1433 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
    0x7c3a0000 0x7b000 7.10.3077.0000 C:\WINDOWS\system32\MSVCP71.dll
    0x7c340000 0x56000 7.10.3052.0004 C:\WINDOWS\system32\MSVCR71.dll
    0x024c0000 0xa000 6.82.0036.0001 C:\Program Files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
    0x024d0000 0x79000 6.82.0014.0000 C:\Program Files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
    0x024b0000 0xe000 C:\Program Files\ArcSoft\PhotoImpression 5\share\pihook.dll
    0x109c0000 0x2c000 5.02.5721.5145 C:\WINDOWS\system32\PortableDeviceTypes.dll
    0x10930000 0x49000 5.02.5721.5145 C:\WINDOWS\system32\PortableDeviceApi.dll
    0x00e20000 0x2c000 C:\Program Files\WinRAR\rarext.dll
    0x00c10000 0x9000 2.00.0000.0004 C:\Program Files\TuneUp Utilities 2008\SDShelEx-win32.dll
    0x00c30000 0x8000 1.00.0000.0000 C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
    0x621a0000 0x10000 7.05.0000.0409 C:\Program Files\Grisoft\AVG Free\avgse.dll
    0x00c40000 0x10000 8.00.0000.0456 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    0x026e0000 0xd5000 1.04.0000.0000 C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    0x01270000 0x6000 C:\WINDOWS\system32\mqise32.dll
    0x012a0000 0x54000 1.00.0000.0000 C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    0x32520000 0x12000 10.00.2609.0000 C:\Program Files\Microsoft Office\Office10\msohev.dll
    0x02c70000 0x5b000 8.01.0000.0000 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

    ListDLLs v2.25 - DLL lister for Win9x/NT
    Copyright (C) 1997-2004 Mark Russinovich
    Sysinternals - www.sysinternals.com

    winlogon.exe pid: 640
    Command line: winlogon.exe

    Base Size Version Path
    0x01000000 0x80000 \??\C:\WINDOWS\system32\winlogon.exe
    0x5d090000 0x9a000 5.82.2900.2982 C:\WINDOWS\system32\COMCTL32.dll
    0x74320000 0x3d000 3.525.1117.0000 C:\WINDOWS\system32\ODBC32.dll
    0x20000000 0x17000 3.525.1117.0000 C:\WINDOWS\system32\odbcint.dll
    0x01350000 0x32000 1.07.0018.0007 C:\WINDOWS\system32\WgaLogon.dll
    0x76fd0000 0x7f000 2001.12.4414.0308 C:\WINDOWS\system32\CLBCATQ.DLL
    0x77050000 0xc5000 2001.12.4414.0258 C:\WINDOWS\system32\COMRes.dll


    Volume in drive C has no label.
    Volume Serial Number is 8013-BCB6

    Directory of C:\WINDOWS\system32

    03/08/2004 23:56 6,144 csrss.exe
    1 File(s) 6,144 bytes
    0 Dir(s) 24,631,103,488 bytes free

    Contenu de Downloaded Program Files
    Volume in drive C has no label.
    Volume Serial Number is 8013-BCB6

    Directory of C:\WINDOWS\Downloaded Program Files

    14/05/2008 14:56 <DIR> .
    14/05/2008 14:56 <DIR> ..
    28/01/2007 21:42 65 desktop.ini
    07/01/2007 12:55 2,305 kavwebscan.inf
    09/09/2005 19:45 1,516 wvc1dmo.inf
    3 File(s) 3,886 bytes

    Total Files Listed:
    3 File(s) 3,886 bytes
    2 Dir(s) 24,631,103,488 bytes free

    Recherche de rootkit! (Merci S!Ri)

    Recherche d'infections connues

    Export des clefs sensibles..


    Liste des fichiers en exception sur le pare-feu XP SP2

    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
    "C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
    "C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\\WINDOWS\\Temp\\NavBrowser.exe"="C:\\WINDOWS\\Temp\\NavBrowser.exe:*:Enabled:NAVBrowser"
    "C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\PPStream\\PPStream.exe"="C:\\Program Files\\PPStream\\PPStream.exe:*:Enabled:PPStream"
    "C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVU Player Component"
    "C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
    "C:\\Documents and Settings\\Administrator\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
    "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\Rar$EX00.782\\ODDUpdate.exe"="C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\Rar$EX00.782\\ODDUpdate.exe:*:Enabled:AsusUpdate"
    "C:\\Program Files\\PPMate\\ppmate.exe"="C:\\Program Files\\PPMate\\ppmate.exe:*:Enabled:PPMate"
    "C:\\Program Files\\PPMate\\ppmnet.exe"="C:\\Program Files\\PPMate\\ppmnet.exe:*:Enabled:PPMate"
    "D:\\eMule Applejuice\\emule.exe"="D:\\eMule Applejuice\\emule.exe:*:Enabled:eMule"
    "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\Rar$EX01.475\\eMule Applejuice\\emule.exe"="C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\Rar$EX01.475\\eMule Applejuice\\emule.exe:*:Enabled:eMule"
    "C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\TVAnts\\Tvants.exe"="C:\\Program Files\\TVAnts\\Tvants.exe:*:Enabled:TVAnts"
    "C:\\WINDOWS\\system32\\SYSWB6.exe"="C:\\WINDOWS\\system32\\SYSWB6.exe:*:Enabled:SYSWB6"
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
    "C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
    "C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Disabled:SopCast Adver"
    "C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
    "C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"="C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
    "C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
    "C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe:*:Disabled:Football Manager 2008"
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Disabled:Firefox"

    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

    Export de la clef SharedTaskScheduler

    [SharedTaskScheduler]



    exports des policies
    REGEDIT4

    [system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001



    Export des clefs sensibles..
    Rechercher adresses sensibles dans le fichier HOSTS...
    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-19 21:49:06
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden services: 0
    hidden files: 0


    KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

    Process list by traversal of KiWaitListHead

    4 - System
    172 - avgemc.exe
    284 - GoogleUpdaterSe
    616 - csrss.exe
    640 - winlogon.exe
    684 - services.exe
    696 - lsass.exe
    848 - svchost.exe
    916 - svchost.exe
    1008 - svchost.exe
    1076 - svchost.exe
    1184 - svchost.exe
    1248 - svchost.exe
    1424 - aawservice.exe
    1476 - alg.exe
    1580 - explorer.exe
    1724 - NVATray.exe
    1740 - GoogleToolbarNo
    1776 - spoolsv.exe
    1932 - firefox.exe
    1984 - avgamsvr.exe
    2448 - wuauclt.exe
    2720 - cmd.exe

    Total number of processes = 23
    NOTE: Under WinXP, this will not show all processes.

    KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

    Driver/Module list by traversal of PsLoadedModuleList

    804D7000 - \WINDOWS\system32\ntoskrnl.exe
    806EC000 - \WINDOWS\system32\hal.dll
    F7987000 - \WINDOWS\system32\KDCOM.DLL
    F7897000 - \WINDOWS\system32\BOOTVID.dll
    F7438000 - ACPI.sys
    F7989000 - \WINDOWS\system32\DRIVERS\WMILIB.SYS
    F7427000 - pci.sys
    F7487000 - isapnp.sys
    F7A4F000 - pciide.sys
    F7707000 - \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    F7497000 - MountMgr.sys
    F7408000 - ftdisk.sys
    F798B000 - dmload.sys
    F73E2000 - dmio.sys
    F770F000 - PartMgr.sys
    F74A7000 - VolSnap.sys
    F73CA000 - atapi.sys
    F74B7000 - disk.sys
    F74C7000 - \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    F73AA000 - fltmgr.sys
    F7398000 - sr.sys
    F74D7000 - PxHelp20.sys
    F7381000 - KSecDD.sys
    F736E000 - WudfPf.sys
    F72E1000 - Ntfs.sys
    F72B4000 - NDIS.sys
    F789B000 - nv_agp.sys
    F7299000 - Mup.sys
    F7587000 - \SystemRoot\system32\DRIVERS\amdk7.sys
    F77EF000 - \SystemRoot\system32\DRIVERS\usbohci.sys
    F6A89000 - \SystemRoot\system32\DRIVERS\USBPORT.SYS
    F6A71000 - \SystemRoot\system32\DRIVERS\NVENET.sys
    F7983000 - \SystemRoot\system32\drivers\nvax.sys
    F6993000 - \SystemRoot\system32\DRIVERS\HCF_MSFT.sys
    F77F7000 - \SystemRoot\System32\Drivers\Modem.SYS
    F7597000 - \SystemRoot\system32\DRIVERS\imapi.sys
    F75A7000 - \SystemRoot\system32\DRIVERS\cdrom.sys
    F75B7000 - \SystemRoot\system32\DRIVERS\redbook.sys
    F6970000 - \SystemRoot\system32\DRIVERS\ks.sys
    F67A0000 - \SystemRoot\system32\DRIVERS\nv4_mini.sys
    F678C000 - \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    F77FF000 - \SystemRoot\system32\DRIVERS\fdc.sys
    F75C7000 - \SystemRoot\system32\DRIVERS\serial.sys
    F726D000 - \SystemRoot\system32\DRIVERS\serenum.sys
    F6778000 - \SystemRoot\system32\DRIVERS\parport.sys
    F7269000 - \SystemRoot\system32\DRIVERS\gameenum.sys
    F7265000 - \SystemRoot\system32\drivers\nvmpu401.sys
    F6754000 - \SystemRoot\system32\drivers\portcls.sys
    F75D7000 - \SystemRoot\system32\drivers\drmk.sys
    F7BCD000 - \SystemRoot\system32\DRIVERS\audstub.sys
    F75E7000 - \SystemRoot\system32\DRIVERS\rasl2tp.sys
    F7261000 - \SystemRoot\system32\DRIVERS\ndistapi.sys
    F673D000 - \SystemRoot\system32\DRIVERS\ndiswan.sys
    F75F7000 - \SystemRoot\system32\DRIVERS\raspppoe.sys
    F7607000 - \SystemRoot\system32\DRIVERS\raspptp.sys
    F7807000 - \SystemRoot\system32\DRIVERS\TDI.SYS
    F672C000 - \SystemRoot\system32\DRIVERS\psched.sys
    F7617000 - \SystemRoot\system32\DRIVERS\msgpc.sys
    F780F000 - \SystemRoot\system32\DRIVERS\ptilink.sys
    F7817000 - \SystemRoot\system32\DRIVERS\raspti.sys
    F7627000 - \SystemRoot\System32\Drivers\pcouffin.sys
    F66D3000 - \SystemRoot\system32\DRIVERS\rdpdr.sys
    F7637000 - \SystemRoot\system32\DRIVERS\termdd.sys
    F781F000 - \SystemRoot\system32\DRIVERS\kbdclass.sys
    F7827000 - \SystemRoot\system32\DRIVERS\mouclass.sys
    F79AF000 - \SystemRoot\system32\DRIVERS\swenum.sys
    F669F000 - \SystemRoot\system32\DRIVERS\update.sys
    F7923000 - \SystemRoot\system32\DRIVERS\mssmbios.sys
    F7657000 - \SystemRoot\system32\DRIVERS\usbhub.sys
    F79B1000 - \SystemRoot\system32\DRIVERS\USBD.SYS
    F7667000 - \SystemRoot\System32\Drivers\NDProxy.SYS
    F64E3000 - \SystemRoot\system32\drivers\nvapu.sys
    F643D000 - \SystemRoot\system32\drivers\nvmcp.sys
    F7677000 - \SystemRoot\system32\drivers\nvarm.sys
    F785F000 - \SystemRoot\system32\DRIVERS\flpydisk.sys
    F79D7000 - \SystemRoot\System32\Drivers\Fs_Rec.SYS
    F7B35000 - \SystemRoot\System32\Drivers\Null.SYS
    F79D9000 - \SystemRoot\System32\Drivers\Beep.SYS
    F7B34000 - \SystemRoot\System32\Drivers\avgclean.sys
    F786F000 - \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    F7877000 - \SystemRoot\System32\drivers\vga.sys
    F79DB000 - \SystemRoot\System32\Drivers\mnmdd.SYS
    F79DD000 - \SystemRoot\System32\DRIVERS\RDPCDD.sys
    F787F000 - \SystemRoot\System32\Drivers\Msfs.SYS
    F7887000 - \SystemRoot\System32\Drivers\Npfs.SYS
    F7967000 - \SystemRoot\system32\DRIVERS\rasacd.sys
    F5243000 - \SystemRoot\system32\DRIVERS\ipsec.sys
    F51EB000 - \SystemRoot\system32\DRIVERS\tcpip.sys
    F51C3000 - \SystemRoot\system32\DRIVERS\netbt.sys
    F51A1000 - \SystemRoot\System32\drivers\afd.sys
    F76E7000 - \SystemRoot\system32\DRIVERS\netbios.sys
    F5176000 - \SystemRoot\system32\DRIVERS\rdbss.sys
    F5107000 - \SystemRoot\system32\DRIVERS\mrxsmb.sys
    F76F7000 - \SystemRoot\System32\Drivers\Fips.SYS
    F50E6000 - \SystemRoot\system32\DRIVERS\ipnat.sys
    F7507000 - \SystemRoot\system32\DRIVERS\wanarp.sys
    F4F7D000 - \SystemRoot\System32\Drivers\avg7core.sys
    F7727000 - \SystemRoot\system32\DRIVERS\usbccgp.sys
    F6720000 - \SystemRoot\system32\DRIVERS\hidusb.sys
    F6B2C000 - \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    F671C000 - \SystemRoot\system32\DRIVERS\kbdhid.sys
    F79E1000 - \SystemRoot\System32\Drivers\avg7rsw.sys
    F772F000 - \SystemRoot\System32\Drivers\avg7rsxp.sys
    F6718000 - \SystemRoot\system32\DRIVERS\mouhid.sys
    F4F32000 - \SystemRoot\System32\Drivers\Fastfat.SYS
    F4F1A000 - \SystemRoot\System32\Drivers\dump_atapi.sys
    F79FB000 - \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    BF800000 - \SystemRoot\System32\win32k.sys
    F7937000 - \SystemRoot\System32\drivers\Dxapi.sys
    F7757000 - \SystemRoot\System32\watchdog.sys
    BF000000 - \SystemRoot\System32\drivers\dxg.sys
    F7A94000 - \SystemRoot\System32\drivers\dxgthk.sys
    BF012000 - \SystemRoot\System32\nv4_disp.dll
    BFFA0000 - \SystemRoot\System32\ATMFD.DLL
    F3DE6000 - \SystemRoot\system32\DRIVERS\ndisuio.sys
    F3EDA000 - \SystemRoot\System32\Drivers\Cdfs.SYS
    F29EE000 - \SystemRoot\system32\DRIVERS\mrxdav.sys
    F29B1000 - \SystemRoot\system32\drivers\wdmaud.sys
    F2B52000 - \SystemRoot\system32\drivers\sysaudio.sys
    F7A47000 - \SystemRoot\System32\Drivers\ParVdm.SYS
    F79F3000 - \SystemRoot\System32\Drivers\avgtdi.sys
    F2661000 - \SystemRoot\system32\DRIVERS\srv.sys
    F1300000 - \SystemRoot\System32\Drivers\HTTP.sys
    F7B96000 - \SystemRoot\System32\DRIVERS\KProcCheck.sys

    Total number of drivers = 124

    List of installed programs

    Ad-Aware 2007
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player ActiveX
    Adobe Flash Player Plugin
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Photoshop CS3
    Adobe Reader 8.1.2
    Adobe Setup
    Adobe Setup
    Adobe Setup
    Adobe Shockwave Player
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    AVG Free Edition
    Azureus Vuze
    BBC iPlayer Download Manager
    BBC iPlayer Download Manager
    CCleaner (remove only)
    CCScore
    ConvertXtoDVD 3.0.0.7
    DivX Codec
    DivX Content Uploader
    DivX Converter
    DivX Player
    DivX Web Player
    eMule
    EPSON CardMonitor
    EPSON Copy Utility 3
    EPSON PhotoQuicker3.5
    EPSON PhotoStarter3.1
    EPSON PRINT Image Framer Tool2.1
    EPSON Printer Software
    EPSON Scan
    EPSON Smart Panel
    EPSON Web-To-Page
    ESPRX420 Reference Guide
    ESPRX420 Software Guide
    ESSPDock
    fflink
    Free Window Registry Repair
    Free YouTube to iPod Converter version 2.7
    Free YouTube to Mp3 Converter version 2.4
    FreeRIP v3.05
    FrostWire 4.13.1.5 BETA
    Google Earth
    Google Toolbar for Internet Explorer
    Google Toolbar for Internet Explorer
    Google Updater
    Hijackthis 1.99.1
    HijackThis 2.0.2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB926239)
    Java(TM) 6 Update 2
    Kaspersky Online Scanner
    KSU
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office XP Professional with FrontPage
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft User-Mode Driver Framework Feature Pack 1.5
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (2.0.0.14)
    MSN
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    Nero 6 Ultra Edition
    Next Generation Visualisations
    Nokia Connectivity Cable Driver
    Nokia PC Suite
    NVIDIA Drivers
    NVIDIA nForce APU1 Utilities
    NvMixer
    Panda ActiveScan
    PC Connectivity Solution
    PDF Settings
    PhotoImpression 5
    Picasa 2
    PIF DESIGNER2.1
    PowerDVD
    QuickTime
    RealPlayer
    ScanToWeb
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB939653)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB942615)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944338)
    Security Update for Windows XP (KB944533)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB947864)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    SopCast 3.0.0
    Spybot - Search & Destroy 1.4
    TuneUp Utilities 2008
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Update for Windows XP (KB946627)
    USB Audio/Video
    USB Audio/Video
    VideoAvatar
    VideoLAN VLC media player 0.8.6c
    WebFldrs XP
    Windows Driver Package - Nokia (WUDFRd) WPD (11/03/2006 6.82.26.2)
    Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Live installer
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Writer
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    WinRAR archiver



    Volume in drive C has no label.
    Volume Serial Number is 8013-BCB6

    Directory of C:\Program Files

    14/05/2008 10:31 <DIR> .
    14/05/2008 10:31 <DIR> ..
    27/02/2008 21:15 <DIR> Adobe
    06/04/2008 16:43 <DIR> Ahead
    29/01/2007 22:12 <DIR> ArcSoft
    26/03/2008 07:01 <DIR> Astonsoft
    30/08/2007 20:10 <DIR> AviSynth 2.5
    15/04/2008 19:49 <DIR> Azureus
    23/10/2007 20:20 <DIR> Bonjour
    08/04/2007 13:59 <DIR> BroadJump
    02/07/2007 13:29 <DIR> cache
    08/02/2007 20:06 <DIR> CCleaner
    20/04/2007 22:53 <DIR> CDBurnerXP Pro 3
    03/05/2008 18:15 <DIR> Common Files
    28/01/2007 21:39 <DIR> ComPlus Applications
    25/09/2007 18:34 <DIR> CyberLink
    06/09/2007 18:03 <DIR> DIFX
    02/10/2007 18:02 <DIR> DivX
    23/09/2007 16:28 <DIR> DVDVIDEOSOFT
    15/04/2008 20:39 <DIR> eMule
    29/01/2007 22:17 <DIR> epson
    11/12/2007 17:33 <DIR> Free Window Registry Repair
    10/01/2008 13:55 <DIR> FreeRIP3
    13/01/2008 17:00 <DIR> FrostWire
    10/05/2008 10:32 <DIR> GeoVid
    06/09/2007 18:08 <DIR> Google
    29/01/2007 06:55 <DIR> Grisoft
    11/04/2007 20:37 <DIR> Hijackthis
    09/04/2008 16:32 <DIR> Internet Explorer
    18/07/2007 16:07 <DIR> Java
    16/07/2007 22:49 <DIR> Kodak
    10/01/2008 11:06 <DIR> Kontiki
    03/03/2008 22:03 <DIR> Lavasoft
    18/05/2008 15:54 <DIR> Malwarebytes' Anti-Malware
    31/01/2007 11:46 <DIR> Messenger
    12/02/2007 22:28 <DIR> Microsoft ActiveSync
    28/01/2007 21:43 <DIR> microsoft frontpage
    06/02/2007 16:54 <DIR> Microsoft Office
    14/12/2007 17:13 <DIR> Microsoft SQL Server Compact Edition
    28/01/2007 21:40 <DIR> Movie Maker
    19/05/2008 21:45 <DIR> Mozilla Firefox
    05/04/2008 20:18 <DIR> MSI
    28/01/2007 22:28 <DIR> MSN
    28/01/2007 21:38 <DIR> MSN Gaming Zone
    14/12/2007 18:23 <DIR> MSN Messenger
    07/07/2007 01:44 <DIR> MSXML 4.0
    20/03/2008 07:02 <DIR> My Screensaver
    05/04/2008 20:56 <DIR> Nero
    28/01/2007 21:40 <DIR> NetMeeting
    31/12/2007 13:29 <DIR> Nokia
    28/01/2007 21:58 <DIR> NVIDIA Corporation
    28/01/2007 21:38 <DIR> Online Services
    13/06/2007 12:12 <DIR> Outlook Express
    06/09/2007 18:03 <DIR> PC Connectivity Solution
    24/04/2008 21:53 <DIR> Picasa2
    05/07/2007 11:50 <DIR> QuickTime
    18/04/2007 12:30 <DIR> r2 Studios
    19/02/2007 21:37 <DIR> Real
    20/09/2007 12:02 <DIR> Replay Media Catcher
    29/01/2007 22:11 <DIR> Smart Panel
    19/03/2008 21:01 <DIR> SopCast
    05/03/2008 20:33 <DIR> Spybot - Search & Destroy
    03/05/2008 17:23 <DIR> Trend Micro
    06/04/2008 17:06 <DIR> TuneUp Utilities 2008
    06/01/2008 18:44 <DIR> USB video device
    22/10/2007 16:13 <DIR> VideoLAN
    16/04/2008 18:43 <DIR> VSO
    14/12/2007 17:15 <DIR> Windows Live
    08/02/2007 12:24 <DIR> Windows Live Toolbar
    06/03/2008 20:55 <DIR> Windows Media Connect 2
    06/03/2008 20:55 <DIR> Windows Media Player
    28/01/2007 21:38 <DIR> Windows NT
    06/09/2007 17:55 <DIR> WinImage
    11/08/2007 08:35 <DIR> WinRAR
    28/01/2007 21:43 <DIR> xerox
    11/07/2007 05:27 <DIR> Yahoo!
    0 File(s) 0 bytes
    78 Dir(s) 24,619,147,264 bytes free
    Volume in drive C has no label.
    Volume Serial Number is 8013-BCB6

    Directory of C:\Program Files\common files

    03/05/2008 18:15 <DIR> .
    03/05/2008 18:15 <DIR> ..
    27/02/2008 21:08 <DIR> Adobe
    06/04/2008 16:44 <DIR> Ahead
    05/04/2008 20:32 <DIR> Ahead(2)
    12/02/2007 22:28 <DIR> Designer
    03/05/2008 18:15 <DIR> Download Manager
    23/02/2008 13:00 <DIR> DVDVIDEOSOFT
    09/05/2007 22:41 <DIR> InstallShield
    31/01/2007 13:08 <DIR> Java
    05/07/2007 11:48 <DIR> Kodak
    23/10/2007 19:52 <DIR> Macrovision Shared
    01/03/2008 10:35 <DIR> Microsoft Shared
    28/01/2007 21:40 <DIR> MSSoap
    31/12/2007 13:29 <DIR> Nokia
    28/01/2007 21:58 <DIR> NVIDIA Shared
    28/01/2007 21:22 <DIR> ODBC
    06/09/2007 18:02 <DIR> PCSuite
    19/02/2007 21:37 <DIR> Real
    28/01/2007 21:40 <DIR> Services
    28/01/2007 21:22 <DIR> SpeechEngines
    24/03/2007 19:04 <DIR> Synacast
    13/06/2007 12:12 <DIR> System
    06/04/2008 17:03 <DIR> Wise Installation Wizard
    19/02/2007 21:37 <DIR> xing shared
    0 File(s) 0 bytes
    25 Dir(s) 24,619,147,264 bytes free
    Volume in drive C has no label.
    Volume Serial Number is 8013-BCB6

    Directory of C:\

    16/05/2008 20:15 66,048 mbr.exe
    01/11/2006 13:06 162,616 RegDelNull.exe
    2 File(s) 228,664 bytes
    0 Dir(s) 24,619,147,264 bytes free




    c:\Documents and Settings\Administrator\Application Data\inst.exe
    c:\Documents and Settings\Administrator\Application Data\FrostWire\.NetworkShare\LimeWireWin4.16.6.exe
    c:\Documents and Settings\Administrator\Application Data\FrostWire\.NetworkShare\Incomplete\T-3381280-LimeWireWin4.14.12.exe
    c:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
    c:\Documents and Settings\Administrator\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
    c:\Documents and Settings\Administrator\Application Data\Move Networks\ie_bin\Uninst.exe
    c:\Documents and Settings\Administrator\Application Data\ppstream\update.exe
    c:\Documents and Settings\Administrator\Application Data\SopCast\adv\SopAdver.exe
    c:\Documents and Settings\Administrator\Desktop\dss.exe
    c:\Documents and Settings\Administrator\Desktop\OTMoveIt2.exe
    c:\Documents and Settings\Administrator\Desktop\DiagHelp\catchme.exe
    c:\Documents and Settings\Administrator\Desktop\DiagHelp\diff.exe
    c:\Documents and Settings\Administrator\Desktop\DiagHelp\dumphive.exe
    c:\Documents and Settings\Administrator\Desktop\DiagHelp\FilesInfoCmd.exe
    c:\Documents and Settings\Administrator\Desktop\DiagHelp\find2.exe
    c:\Documents and Settings\Administrator\Desktop\DiagHelp\Fport.exe
    c:\Documents and Settings\Administrator\Desktop\DiagHelp\grep.exe
    c:\Documents and Settings\Administrator\Desktop\DiagHelp\gzip.exe
    c:\Documents and Settings\Administrator\Desktop\DiagHelp\KProcCheck.exe
    c:\Documents and Settings\Administrator\Desktop\DiagHelp\LFiles.exe
    c:\Documents and Settings\Administrator\Desktop\DiagHelp\LISTDLLS.exe
    c:\Documents and Settings\Administrator\Desktop\DiagHelp\md5sums.exe
    c:\Documents and Settings\Administrator\Desktop\DiagHelp\pslist.exe
    c:\Documents and Settings\Administrator\Desktop\DiagHelp\sigcheck.exe
    c:\Documents and Settings\Administrator\Desktop\DiagHelp\streams.exe
    c:\Documents and Settings\Administrator\Desktop\DiagHelp\swreg.exe
    c:\Documents and Settings\Administrator\Desktop\DiagHelp\tar.exe
    c:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater5\Install\cameraraw4\CameraRaw4_3_1.exe
    c:\Documents and Settings\Administrator\Local Settings\Application Data\Installer1072\Setup.exe
    c:\Documents and Settings\Administrator\Local Settings\Application Data\Installer1072\redist\WindowsInstaller-KB893803-v2-x86.exe
    c:\Documents and Settings\Administrator\Local Settings\Application Data\Installer1072\redist\WindowsServer2003-KB898715-ia64-enu.exe
    c:\Documents and Settings\Administrator\Local Settings\Application Data\Installer1072\redist\WindowsServer2003-KB898715-x64-enu.exe
    c:\Documents and Settings\Administrator\Local Settings\Application Data\Installer1072\redist\WindowsServer2003-KB898715-x86-enu.exe
    c:\Documents and Settings\Administrator\Local Settings\Application Data\Installer1072\redist\WindowsXP-KB898715-x64-enu.exe
    c:\Documents and Settings\Administrator\Local Settings\Application Data\Installer3492\Setup.exe
    c:\Documents and Settings\Administrator\Local Settings\Application Data\Installer3492\redist\WindowsInstaller-KB893803-v2-x86.exe
    c:\Documents and Settings\Administrator\Local Settings\Application Data\Installer3492\redist\WindowsServer2003-KB898715-ia64-enu.exe
    c:\Documents and Settings\Administrator\Local Settings\Application Data\Installer3492\redist\WindowsServer2003-KB898715-x64-enu.exe
    c:\Documents and Settings\Administrator\Local Settings\Application Data\Installer3492\redist\WindowsServer2003-KB898715-x86-enu.exe
    c:\Documents and Settings\Administrator\Local Settings\Application Data\Installer3492\redist\WindowsXP-KB898715-x64-enu.exe
    c:\Documents and Settings\Administrator\Local Settings\Application Data\Installer568\Setup.exe
    c:\Documents and Settings\Administrator\Local Settings\Application Data\Installer568\redist\WindowsInstaller-KB893803-v2-x86.exe
    c:\Documents and Settings\Administrator\Local Settings\Application Data\Installer568\redist\WindowsServer2003-KB898715-ia64-enu.exe
    c:\Documents and Settings\Administrator\Local Settings\Application Data\Installer568\redist\WindowsServer2003-KB898715-x64-enu.exe
    c:\Documents and Settings\Administrator\Local Settings\Application Data\Installer568\redist\WindowsServer2003-KB898715-x86-enu.exe
    c:\Documents and Settings\Administrator\Local Settings\Application Data\Installer568\redist\WindowsXP-KB898715-x64-enu.exe
    c:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WXFPHK0L\mbam-setup[1].exe
    c:\Documents and Settings\Administrator\My Documents\Paul\fm2008_802_boxed-pc.exe
    c:\Documents and Settings\Administrator\My Documents\Paul\Nero 7.0 Premium\setupx.exe
    c:\Documents and Settings\Administrator\My Documents\Paul\Nero 7.0 Premium\Nero 7 Premium\SetupX.exe
    c:\Documents and Settings\Administrator\My Documents\Paul\Nero 7.0 Premium\Nero 7 Premium\Redist\50comupd.exe
    c:\Documents and Settings\Administrator\My Documents\Paul\Nero 7.0 Premium\Nero 7 Premium\Redist\instmsia.exe
    c:\Documents and Settings\Administrator\My Documents\Paul\Nero 7.0 Premium\Nero 7 Premium\Redist\instmsiw.exe
    c:\Documents and Settings\Administrator\My Documents\Paul\Nero 7.0 Premium\Nero 7 Premium\Redist\ShFolder.Exe
    c:\Documents and Settings\Administrator\My Documents\Paul\Nero 7.0 Premium\Nero 7 Premium\Redist\WMFADist.exe
    c:\Documents and Settings\Administrator\My Documents\Paul\Nero 7.0 Premium\Nero 7 Premium\Redist\wmfdist.exe
    c:\Documents and Settings\Administrator\My Documents\Paul\Nero 7.0 Premium\Nero 7 Premium\Redist\DirectX\DXSETUP.exe
    c:\Documents and Settings\Administrator\My Documents\Paul\Nero 7.0 Premium\Nero 7 Premium\Redist\TTS\AgtX0407.exe
    c:\Documents and Settings\Administrator\My Documents\Paul\Nero 7.0 Premium\Nero 7 Premium\Redist\TTS\InstMsiA.exe
    c:\Documents and Settings\Administrator\My Documents\Paul\Nero 7.0 Premium\Nero 7 Premium\Redist\TTS\InstMsiW.exe
    c:\Documents and Settings\Administrator\My Documents\Paul\Nero 7.0 Premium\Nero 7 Premium\Redist\TTS\msagent.exe
    c:\Documents and Settings\Administrator\My Documents\Paul\Nero 7.0 Premium\Nero 7 Premium\Redist\TTS\Setup.exe
    c:\Documents and Settings\Administrator\My Documents\Paul\Nero 7.0 Premium\Nero 7 Premium\Redist\TTS\spchapi.exe
    c:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\QuickTime 7.1.3.100\QuickTimeInstallerAdmin.exe
    c:\Documents and Settings\All Users\Application Data\Installations\{3741689E-584D-40C9-B011-373A0371846D}\NokiaSoftwareUpdaterSetup_en[1].exe
    c:\Documents and Settings\All Users\Application Data\Installations\{3741689E-584D-40C9-B011-373A0371846D}\Installer\CommonCustomActions\Sleep.exe
    c:\Documents and Settings\All Users\Application Data\Installations\{3741689E-584D-40C9-B011-373A0371846D}\Installer\CommonCustomActions\vcredistExec.exe
    c:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    c:\Documents and Settings\Administrator\Application Data\Microsoft\IdentityCRL\ppcrlconfig.dll
    c:\Documents and Settings\Administrator\Application Data\Microsoft\IdentityCRL\PROD\ppcrlconfig.dll
    c:\Documents and Settings\Administrator\Application Data\Move Networks\ie_bin\qsp2ie07073001.dll
    c:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\08rl2l2o.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\components\FoxyTunes.dll
    c:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\ppcrlconfig.dll
    c:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig.dll
    c:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL(2)\ppcrlconfig.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\_entreelist.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\_enviewlist.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_038648152B7E812498867BF7F04F578B.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_07E18D2A89A280A46A824983B860C3E5.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0A2C799B3834FB147BE6B9B8E7FC2B76.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0E23E40C6140D434FA9B96967D309AFE.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0F007175D9BDA3B40BD3531AB45B39F9.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_10AF64009B5C5894ABBC93D84C08CF50.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_13353B9B4E7BC5E4FBC4B78C876521D4.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_14367109B8A0CCC47AD88F2622A8B659.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_193EC481E0E736C499537D1AE0FD3D6C.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_1AA3974510054F24BA6B3C4616C70687.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_29C1BDCF6C3067C46852732142520619.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2D9C85B15291F3142BA94C7E95C6345F.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2E8086E8D316DCF4182AC6F88A0E3321.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4301AEBD288588A40833184CFEC0AF92.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_474AB2D8604F0174A94E4D2FD2120FDD.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4A5CA4D69FC409F418119B5BC32E75FB.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4DE556595AC7FD6409F7174478A7235E.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_568774731F3A2774DA34AACFB6FC9FF9.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_5748B91684F07B143A0715747F909298.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_5C3BD7DD3AF63AF4A8172C2F49E00B92.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_615AECB15C4BD2B4FB0ABA9701AB8D26.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_6444BB1DC9EA6524A9F7D46406D44226.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_68AB67CA7DA73301B7448A0100000030.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_798EA96EB0E9C584582587144FD8248D.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_79AE5E9247F575A48B2B4D1F96111738.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_7EF44B4BFF14DAD4C8A04E60DD7A9229.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_88B9552DD9CC84B418BB4F29AB9A4CC8.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8A0F842331866D117AB7000B0D610002.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9040820900063D11C8EF00054038389C.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_91823B80FEE67504EAADA56B183AA632.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_91C0B5CA158D4F24DB0A14E0FCF7075A.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9866FB3BD18A8D04A968A44CCA9DCFC1.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9A177208658A14A4CA7F41055E329C32.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9D4289C9000937346A5A0D5E4D383149.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9DA673E294C5D7F40AABA6448EAFA5B3.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A29FFD0DE29404C48B267AA471C3525C.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A303405DD717C414ABF9EF1090E3E28F.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A7DD5FF682EF93448BFCE1A94FAEA016.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A9AF1C4649AFE6B43B4E583737E8A41D.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_B38F40E19BA21034E97F8E36707FC927.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C168B70F9B274A04B8A1AADEC4607A8E.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C2291FF04C6BBB04FA03EB7FA5844244.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C3A2D806988611C4B9454AF254CAFBBD.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_D6461317C3DC4F04799BDCE9E42626FE.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_D66A4E8D86BDF184BA8ACA2652664DBC.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_D702FA4077A9A564B86799F1A66B2654.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_DB242B2AD8FF0484D9AA1907AEEB5CC9.dll
    c:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_EEB0EBA6275D8EF44B43E9272A9834B1.dll
    c:\Documents and Settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

    ****** End of DiagHelp report
    Please send the file C:\upload_moi_PAUL-2072994E84.tar.gz to http://upload.malekal.com
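    As an added example, not from the thread, from DiagHelp or from any of the tools named here: a small Python script that does mechanically the first pass a helper makes by eye over a file list like the one just posted. It strips the load-address prefix from driver lines, ignores binaries that are where they belong (the DiagHelp toolkit on the desktop, drivers under System32) and reports executables in places installed software does not normally live: P2P share folders, the browser cache, Temp, and directly under Application Data. The location rules and the eight sample lines (copied from the log above, plus the System32 DLL the next reply singles out) are this example's own choices, not anything DiagHelp emits.

```python
import re

# Constructed sample input for this example: a few lines in the shape of the
# DiagHelp output posted above (paths copied from that log), plus the System32
# DLL the helper singles out in the next reply.
SAMPLE = r"""
F7381000 - KSecDD.sys
F7B96000 - \SystemRoot\System32\DRIVERS\KProcCheck.sys
c:\Documents and Settings\Administrator\Application Data\inst.exe
c:\Documents and Settings\Administrator\Application Data\FrostWire\.NetworkShare\LimeWireWin4.16.6.exe
c:\Documents and Settings\Administrator\Desktop\DiagHelp\sigcheck.exe
c:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WXFPHK0L\mbam-setup[1].exe
c:\Documents and Settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
C:\WINDOWS\System32\mqise32.dll
"""

# Rules are tried in order against the lower-cased path; the first match
# decides, and a verdict of None means "expected here, skip". These are this
# example's own heuristics, not rules taken from DiagHelp or from the thread.
RULES = [
    (r"\\desktop\\diaghelp\\", None),                 # the helper's own toolkit
    (r"^[^\\]*\.sys$", None),                         # boot driver listed by bare name
    (r"\\(systemroot|windows)\\system32\\(drivers\\)?[^\\]+\.sys$", None),
    (r"\\\.networkshare\\",
     "P2P shared folder: files here are offered to, and fetched from, strangers"),
    (r"\\temporary internet files\\",
     "browser cache: a downloaded installer, confirm it was fetched on purpose"),
    (r"\\local settings\\temp\\",
     "temp directory: droppers commonly stage here"),
    (r"\\application data\\[^\\]+\.(exe|dll)$",
     "executable sitting directly in Application Data: real installs use a subfolder"),
    (r"\\application data\\",
     "executable under a user profile rather than Program Files"),
    (r"\\windows\\system32\\[^\\]+\.dll$",
     "DLL in System32: verify against a known-good file list before acting"),
    (r"\.sys$",
     "driver loaded from outside System32: needs a close look"),
]

ADDR_PREFIX = re.compile(r"^[0-9a-f]{8}\s+-\s+", re.I)
BINARY = re.compile(r"\.(exe|dll|sys)$", re.I)


def normalize(line):
    """Strip whitespace and the 'F7381000 - ' load-address prefix of driver lines."""
    return ADDR_PREFIX.sub("", line.strip())


def classify(path):
    """Return a triage reason for one path, or None if it is where it belongs."""
    p = normalize(path).lower()
    for pattern, verdict in RULES:
        if re.search(pattern, p):
            return verdict
    return None


def triage(listing):
    """Return [(path, reason)] for every .exe/.dll/.sys line that trips a rule."""
    hits = []
    for raw in listing.splitlines():
        path = normalize(raw)
        if not BINARY.search(path):
            continue  # 'Directory of', '<DIR>' and blank lines carry no binary
        reason = classify(path)
        if reason:
            hits.append((path, reason))
    return hits


if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"{reason}\n    {path}")
```

    Run it over the saved report and read the hits against the installed-programs list above: a hit is a question to ask, not a verdict, and a System32 DLL in particular should still be checked with sigcheck (which is in the DiagHelp toolkit on the desktop) before anything is moved.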
  • edited May 2008
    Mostly just major curious issues about software installs there. If that Nero 7 is free it is adware bundled, but not sure why it is showing but Nero 6 is the installed version. There is one Lop adware related folder/file we will remove now, but if the malware is being recreated from one of those many free/ripping/burning/downloading software installed there locating which source would not likely be possible. And as I mentioned before, if any of the software there is a legit trial install with some possible malware sourced patch file as a work-around, unless you address that yourself we will not make progress.


    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.



    Disconnect from net access.

    Then open Task Manager (Ctrl - Alt - Delete), Processes tab, locate and click to hilight explorer.exe, then click End Process (and okay the warning). Your desktop will disappear, but this may also take the wind out of the sails of the malware file hooked into the explorer process there.

    Then still in Task Manager go to File - New Task, type explorer and OK. This will restore the desktop.


    Open OTMoveIt again.

    Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or right-click and choose Copy):
    c:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax
    C:\WINDOWS\System32\mqise32.dll
    

    Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window and select Paste. Then click the red MoveIt! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder, in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "No".


    Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

    O2 - BHO: (no name) - {E748823A-E93B-4E8C-B503-7698EC1DF350} - C:\WINDOWS\system32\mqise32.dll


    Then open Malwarebytes again (still with no net access) and do a Complete Scan with that.


    Reconnect to net access, and Go here http://www.billsway.com/vbspage/ and download, unzip and run the Registry Search Tool (scroll down the page to locate it). Type (or copy/paste) SfcDisable in the dialog box. Let it run and after a few minutes, a prompt will appear. Click OK to write the results to Notepad and post them back here please.


    Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Extra Log, uncheck all the boxes except this one:

    Security Center

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

    Post that along with the Malwarebytes log please. Also the reg search results and the OTMoveIt log.
  • edited May 2008
    File/Folder c:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax not found.
    File/Folder C:\WINDOWS\System32\mqise32.dll not found.

    OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05202008_164450

    Malwarebytes' Anti-Malware 1.12
    Database version: 762

    Scan type: Full Scan (C:\|)
    Objects scanned: 144390
    Time elapsed: 47 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\poof (Rootkit.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\_OTMoveIt\MovedFiles\05202008_054209\WINDOWS\System32\mqise32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "SfcDisable" 20/05/2008 18:03:01

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "SFCDisable"=dword:00000000

    Deckard's System Scanner v20071014.68
    Run by Administrator on 2008-05-20 18:04:38
    Computer is in Normal Mode.



    -- HijackThis (run as Administrator.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:04:42, on 20/05/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\NVATray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Administrator\Desktop\OTMoveIt2.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\WScript.exe
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\Documents and Settings\Administrator\desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/weather/5day.shtml?id=2478
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

    --
    End of file - 5937 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080503-172548-312 O24 - Desktop Component 0: (no name) - (no file)
    backup-20080503-172548-651 O1 - Hosts: 66.98.148.65 auto.search.msn.es
    backup-20080503-172548-872 O1 - Hosts: 66.98.148.65 auto.search.msn.com
    backup-20080503-172548-955 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
    backup-20080515-171114-494 O2 - BHO: (no name) - {A9C50ACC-AEBA-4D27-B7EC-0767ECFC11E8} - C:\WINDOWS\system32\netmogon.dll (file missing)
    backup-20080515-171114-942 O24 - Desktop Component 0: (no name) - (no file)
    backup-20080518-165447-599 O2 - BHO: (no name) - {D91896F8-8BC7-44B8-9C17-D64F7FAC7F30} - C:\WINDOWS\system32\msafd32.dll (file missing)
    backup-20080520-054257-999 O2 - BHO: (no name) - {E748823A-E93B-4E8C-B503-7698EC1DF350} - C:\WINDOWS\system32\mqise32.dll (file missing)

    -- File Associations

    .reg - regfile - shell\open\command - regedit.exe "%1" %*
    .scr - scrfile - shell\open\command - "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

    S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
    S3 mbr - c:\docume~1\admini~1\locals~1\temp\mbr.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
    S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


    -- Device Manager: Disabled

    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia Windows Portable Device Driver
    Device ID: ROOT\WPD\0000
    Manufacturer: Nokia
    Name: Nokia 5200
    PNP Device ID: ROOT\WPD\0000
    Service: WUDFRd

    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia Windows Portable Device Driver
    Device ID: ROOT\WPD\0001
    Manufacturer: Nokia
    Name: Nokia 6300ows Portable Device Driver
    PNP Device ID: ROOT\WPD\0001
    Service: WUDFRd


    -- Scheduled Tasks

    2008-05-16 19:06:15 392 --a
    C:\WINDOWS\Tasks\1-Click Maintenance.job


    -- Files created between 2008-04-20 and 2008-05-20

    2008-05-16 20:15:18 66048 --a
    C:\mbr.exe
    2008-05-15 17:13:29 1478 --a
    C:\WINDOWS\system32\tmp.reg
    2008-05-15 17:13:10 25600 --a
    C:\WINDOWS\system32\WS2Fix.exe
    2008-05-15 17:13:10 289144 --a
    C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2008-05-15 17:13:10 86528 --a
    C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
    2008-05-15 17:13:10 288417 --a
    C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2008-05-15 17:13:10 51200 --a
    C:\WINDOWS\system32\dumphive.exe
    2008-05-15 17:13:09 53248 --a
    C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2008-05-14 14:56:53 0 d
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-05-14 10:31:57 0 d
    C:\Program Files\GetTubeVideo
    2008-05-10 10:32:33 0 d
    C:\Documents and Settings\Administrator\Application Data\GeoVid
    2008-05-10 10:32:28 60416 --a
    C:\WINDOWS\system32\dsetup.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Windows®>
    2008-05-10 10:32:27 0 d
    C:\Program Files\GeoVid
    2008-05-07 06:00:35 0 dr-h
    C:\Documents and Settings\Administrator\Recent
    2008-05-03 18:15:40 0 d
    C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-05-03 18:15:34 0 d
    C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-03 18:15:34 0 d
    C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-05-03 18:15:15 0 d
    C:\Program Files\Common Files\Download Manager
    2008-05-03 17:36:36 0 d
    C:\WINDOWS\ERUNT
    2008-05-03 17:23:20 0 d
    C:\Program Files\Trend Micro


    -- Find3M Report

    2008-05-20 16:40:22 0 d
    C:\Documents and Settings\Administrator\Application Data\Vso
    2008-05-20 16:40:20 668 --a
    C:\Documents and Settings\Administrator\Application Data\vso_ts_preview.xml
    2008-05-19 20:13:05 0 d
    C:\Documents and Settings\Administrator\Application Data\Azureus
    2008-05-19 15:48:45 0 d
    C:\Documents and Settings\Administrator\Application Data\AVG7
    2008-05-18 18:09:29 664 --a
    C:\WINDOWS\system32\d3d9caps.dat
    2008-05-03 19:08:42 0 d
    C:\Documents and Settings\Administrator\Application Data\ppstream
    2008-05-03 18:15:15 0 d
    C:\Program Files\Common Files
    2008-04-24 21:53:14 0 d
    C:\Program Files\Picasa2
    2008-04-16 18:43:24 0 d
    C:\Program Files\VSO
    2008-04-16 18:40:59 34 --a
    C:\Documents and Settings\Administrator\Application Data\pcouffin.log
    2008-04-16 18:40:29 47360 --a
    C:\Documents and Settings\Administrator\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
    2008-04-16 18:40:29 1144 --a
    C:\Documents and Settings\Administrator\Application Data\pcouffin.inf
    2008-04-16 18:40:29 7887 --a
    C:\Documents and Settings\Administrator\Application Data\pcouffin.cat
    2008-04-15 20:39:10 0 d
    C:\Program Files\eMule
    2008-04-15 19:49:03 0 d
    C:\Program Files\Azureus
    2008-04-14 09:26:15 2399 --a
    C:\Documents and Settings\Administrator\Application Data\NMM-MetaData.db
    2008-04-14 09:17:41 0 d
    C:\Documents and Settings\Administrator\Application Data\FrostWire
    2008-04-09 19:31:26 0 d
    C:\Documents and Settings\Administrator\Application Data\dvdcss
    2008-04-06 17:06:53 0 d
    C:\Program Files\TuneUp Utilities 2008
    2008-04-06 17:03:43 0 d
    C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-06 16:44:03 0 d
    C:\Program Files\Common Files\Ahead
    2008-04-06 16:43:59 0 d
    C:\Program Files\Ahead
    2008-04-05 20:56:38 0 d
    C:\Program Files\Nero
    2008-04-05 20:32:18 0 d
    C:\Program Files\Common Files\Ahead(2)
    2008-04-05 20:18:32 0 d
    C:\Program Files\MSI
    2008-04-03 19:55:34 0 d
    C:\Documents and Settings\Administrator\Application Data\ImgBurn
    2008-03-26 07:01:35 0 d
    C:\Program Files\Astonsoft
    2008-03-26 06:48:08 0 d
    C:\Documents and Settings\Administrator\Application Data\DeepBurner
    2008-03-25 20:38:16 0 d--h
    C:\Program Files\InstallShield Installation Information
    2008-03-20 07:02:05 0 d
    C:\Program Files\My Screensaver
    2008-03-14 16:42:57 5338 --a
    C:\WINDOWS\system32\EPPICResdb0000
    2008-03-14 16:42:57 120 --a
    C:\WINDOWS\system32\EPPICResdb


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [15/04/2008 08:43]
    "NVIDIA nForce APU1 Utilities"="NVATray.exe" [19/01/2002 00:33 C:\WINDOWS\system32\NVATray.exe]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/04/2007 19:10]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "EPSON Stylus Photo RX420 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
    "NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
    "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp




    -- End of Deckard's System Scanner: finished at 2008-05-20 18:05:33
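    As an added example (not code from this thread, nor from HijackThis, DSS or any other tool named in it), here is a small Python triage pass over HijackThis-style log lines of the kind posted above. The sample input is constructed from entries in this thread's own logs (the loopback ProxyServer, the hosts redirects, the unnamed system32 BHOs, the Shell= line loading C:\WINDOWS\Config\csrss.exe), with the legitimate Spybot SDHelper BHO kept as a control that must not be flagged; the heuristics are my own assumptions about what deserves a second look, not HijackThis's own logic.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs in this thread,
# plus one legitimate "(no name)" BHO (Spybot's SDHelper) as a control.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {E748823A-E93B-4E8C-B503-7698EC1DF350} - C:\WINDOWS\system32\mqise32.dll
O2 - BHO: (no name) - {A9C50ACC-AEBA-4D27-B7EC-0767ECFC11E8} - C:\WINDOWS\system32\netmogon.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
"""

# Core Windows process names that malware likes to borrow. The real ones live
# in \system32; the same name anywhere else (C:\WINDOWS\Config\csrss.exe in
# this thread) is worth a look.
CORE_PROCESS_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe",
                      "services.exe", "lsass.exe", "svchost.exe"}


@dataclass
class Finding:
    line: str
    reason: str


def masquerading_paths(text):
    """Return paths whose file name is a core process name but which sit outside \\system32."""
    hits = []
    for path in re.findall(r"[A-Za-z]:\\[^\s\"]+", text):
        name = path.rsplit("\\", 1)[-1].lower()
        if name in CORE_PROCESS_NAMES and "\\system32\\" not in path.lower():
            hits.append(path)
    return hits


def triage_line(line):
    """Return a reason string if a HijackThis entry looks like persistence or interception, else None."""
    line = line.strip()
    if not line:
        return None
    bad = masquerading_paths(line)
    if bad:
        return "core process name outside system32: " + ", ".join(bad)
    code, _, rest = line.partition(" - ")
    if code == "R1" and "ProxyServer" in rest:
        # A proxy on the loopback interface means a local process sits
        # between the browser and the network.
        if re.search(r"\b(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)\b", rest):
            return "browser traffic proxied through a local port"
    if code == "O1":
        # Hosts entry steering a well-known domain to a non-loopback address.
        m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", rest)
        if m and not m.group(1).startswith("127."):
            return f"hosts file redirects {m.group(2)} to {m.group(1)}"
    if code == "O2":
        # Unnamed BHO whose DLL is in system32 or already gone; legitimate
        # BHOs normally live under Program Files and carry a name.
        m = re.match(r"BHO:\s+(.*?)\s+-\s+\{[0-9A-Fa-f-]+\}\s+-\s+(.*)$", rest)
        if m:
            name, path = m.group(1), m.group(2).lower()
            if name == "(no name)" and ("\\system32\\" in path or "(file missing)" in path):
                return "unnamed BHO in system32 or with missing file"
    if code == "F2":
        # Shell= should be exactly Explorer.exe; anything appended is
        # started alongside the desktop at every logon.
        m = re.match(r"REG:system\.ini:\s*Shell=(.*)$", rest, re.I)
        if m and m.group(1).strip().lower() != "explorer.exe":
            return "Shell= loads more than Explorer.exe: " + m.group(1).strip()
    return None


def triage(log_text):
    """Run triage_line over every line of a log and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        reason = triage_line(raw)
        if reason:
            findings.append(Finding(raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it flags five of the seven lines and leaves the Spybot BHO and the NeroCheck Run entry alone; the flagged lines are exactly the ones the helper had the user fix in this thread.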
  • edited May 2008
    Hmm - located and removed poof, which is a rootkit driver. I sense the null key settings were protecting that when SDFix was run. And something we need to check now as well. Make a copy or arrange other access for the following steps, then again disconnect from net access.


    Go again to Start - Run, type cmd (and OK). At the prompt copy and paste the below commands (hit Enter after each line).

    cd\

    regdelnull hkcu -s


    (be sure to place a space after hkcu)

    Your registry will be scanned, and if any Null entries are found, the scan will stop and you will be asked to confirm deletion. For now, type "Y" for Yes and hit Enter; let the scan continue until it has finished. If no null keys are located, still complete these steps to copy the results.

    When it has finished, click on the icon in the top left hand corner of the Command Prompt and choose Edit > Select All and then Edit > Copy. Right-click on your Desktop and create a text file. Open it and position your mouse inside the file, right-click again and choose Paste. Save the file and post the contents here please.

    =======================

    Reboot into Safe Mode.

    Go again to Start - Run, type cmd (and OK). At the prompt copy and paste the below commands (hit Enter after each line).

    cd\

    regdelnull hkcu -s


    (be sure to place a space after hkcu)

    Your registry will be scanned, and if any Null entries are found, the scan will stop and you will be asked to confirm deletion. For now, type "Y" for Yes and hit Enter; let the scan continue until it has finished. If no null keys are located, still complete these steps to copy the results.

    When it has finished, click on the icon in the top left hand corner of the Command Prompt and choose Edit > Select All and then Edit > Copy. Right-click on your Desktop and create a text file. Open it and position your mouse inside the file, right-click again and choose Paste. Save the file and post the contents here please.


    Navigate to C:\SDFix again and double click RunThis.bat to start the script.

    Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

    When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

    Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.

    =====================

    After the reboot open Malwarebytes and run a Complete Scan again, posting the log from it back here as well.

    Then still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Extra Log, uncheck all the boxes except this one:

    Security Center

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

    Post that along with the Malwarebytes log and the SDFix report.txt log please. Also the results of both the RegDelNull steps (pre-Safe Mode and the one in Safe Mode).
  • edited May 2008
    RegDelNull log pre-safe mode:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Administrator>cd\

    C:\>regdelnull hkcu -s

    RegDelNull v1.10 - Delete Registry keys with embedded Nulls
    Copyright (C) 2005-2006 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Scan complete.


    C:\>

    Safe mode:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Administrator>cd\

    C:\>regdelnull hkcu -s

    RegDelNull v1.10 - Delete Registry keys with embedded Nulls
    Copyright (C) 2005-2006 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Scan complete.


    C:\>

    SDFix: Version 1.184
    Run by Administrator on 21/05/2008 at 17:46

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\DOCUME~1\ADMINI~1\Desktop\SDFix

    Checking Services :


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting


    Checking Files :

    No Trojan Files Found






    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-21 17:56:33
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
    "C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
    "C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\\WINDOWS\\Temp\\NavBrowser.exe"="C:\\WINDOWS\\Temp\\NavBrowser.exe:*:Enabled:NAVBrowser"
    "C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\PPStream\\PPStream.exe"="C:\\Program Files\\PPStream\\PPStream.exe:*:Enabled:PPStream"
    "C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVU Player Component"
    "C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
    "C:\\Documents and Settings\\Administrator\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
    "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\Rar$EX00.782\\ODDUpdate.exe"="C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\Rar$EX00.782\\ODDUpdate.exe:*:Enabled:AsusUpdate"
    "C:\\Program Files\\PPMate\\ppmate.exe"="C:\\Program Files\\PPMate\\ppmate.exe:*:Enabled:PPMate"
    "C:\\Program Files\\PPMate\\ppmnet.exe"="C:\\Program Files\\PPMate\\ppmnet.exe:*:Enabled:PPMate"
    "D:\\eMule Applejuice\\emule.exe"="D:\\eMule Applejuice\\emule.exe:*:Enabled:eMule"
    "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\Rar$EX01.475\\eMule Applejuice\\emule.exe"="C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\Rar$EX01.475\\eMule Applejuice\\emule.exe:*:Enabled:eMule"
    "C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\TVAnts\\Tvants.exe"="C:\\Program Files\\TVAnts\\Tvants.exe:*:Enabled:TVAnts"
    "C:\\WINDOWS\\system32\\SYSWB6.exe"="C:\\WINDOWS\\system32\\SYSWB6.exe:*:Enabled:SYSWB6"
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
    "C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
    "C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Disabled:SopCast Adver"
    "C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
    "C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"="C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
    "C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
    "C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe:*:Disabled:Football Manager 2008"
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Disabled:Firefox"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

    Remaining Files :


    File Backups: - C:\DOCUME~1\ADMINI~1\Desktop\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Thu 24 Apr 2008 6,104,632 A..H. --- "C:\Program Files\Picasa2\setup.exe"
    Thu 8 Feb 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Sat 5 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Thu 6 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
    Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT1D.tmp"

    Finished!

    Malwarebytes' Anti-Malware 1.12
    Database version: 762

    Scan type: Full Scan (C:\|)
    Objects scanned: 145306
    Time elapsed: 52 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{027098c2-7fb9-40be-9b59-a63d6acbacc6} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{027098c2-7fb9-40be-9b59-a63d6acbacc6} (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\wmatf(4).dll (Trojan.Agent) -> Quarantined and deleted successfully.

    Deckard's System Scanner v20071014.68
    Run by Administrator on 2008-05-21 19:02:41
    Computer is in Normal Mode.



    -- HijackThis (run as Administrator.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:02:45, on 21/05/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\notepad.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\NVATray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Administrator\desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/weather/5day.shtml?id=2478
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

    --
    End of file - 5815 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080503-172548-312 O24 - Desktop Component 0: (no name) - (no file)
    backup-20080503-172548-651 O1 - Hosts: 66.98.148.65 auto.search.msn.es
    backup-20080503-172548-872 O1 - Hosts: 66.98.148.65 auto.search.msn.com
    backup-20080503-172548-955 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
    backup-20080515-171114-494 O2 - BHO: (no name) - {A9C50ACC-AEBA-4D27-B7EC-0767ECFC11E8} - C:\WINDOWS\system32\netmogon.dll (file missing)
    backup-20080515-171114-942 O24 - Desktop Component 0: (no name) - (no file)
    backup-20080518-165447-599 O2 - BHO: (no name) - {D91896F8-8BC7-44B8-9C17-D64F7FAC7F30} - C:\WINDOWS\system32\msafd32.dll (file missing)
    backup-20080520-054257-999 O2 - BHO: (no name) - {E748823A-E93B-4E8C-B503-7698EC1DF350} - C:\WINDOWS\system32\mqise32.dll (file missing)

    -- File Associations

    .reg - regfile - shell\open\command - regedit.exe "%1" %*
    .scr - scrfile - shell\open\command - "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
    R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

    S3 mbr - c:\docume~1\admini~1\locals~1\temp\mbr.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
    S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


    -- Device Manager: Disabled

    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia Windows Portable Device Driver
    Device ID: ROOT\WPD\0000
    Manufacturer: Nokia
    Name: Nokia 5200
    PNP Device ID: ROOT\WPD\0000
    Service: WUDFRd

    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia Windows Portable Device Driver
    Device ID: ROOT\WPD\0001
    Manufacturer: Nokia
    Name: Nokia 6300ows Portable Device Driver
    PNP Device ID: ROOT\WPD\0001
    Service: WUDFRd


    -- Scheduled Tasks

    2008-05-16 19:06:15 392 --a
    C:\WINDOWS\Tasks\1-Click Maintenance.job


    -- Files created between 2008-04-21 and 2008-05-21

    2008-05-16 20:15:18 66048 --a
    C:\mbr.exe
    2008-05-15 17:13:29 1478 --a
    C:\WINDOWS\system32\tmp.reg
    2008-05-15 17:13:10 25600 --a
    C:\WINDOWS\system32\WS2Fix.exe
    2008-05-15 17:13:10 289144 --a
    C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2008-05-15 17:13:10 86528 --a
    C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
    2008-05-15 17:13:10 288417 --a
    C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2008-05-15 17:13:10 51200 --a
    C:\WINDOWS\system32\dumphive.exe
    2008-05-15 17:13:09 53248 --a
    C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2008-05-14 14:56:53 0 d
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-05-10 10:32:33 0 d
    C:\Documents and Settings\Administrator\Application Data\GeoVid
    2008-05-10 10:32:28 60416 --a
    C:\WINDOWS\system32\dsetup.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Windows®>
    2008-05-10 10:32:27 0 d
    C:\Program Files\GeoVid
    2008-05-07 06:00:35 0 dr-h
    C:\Documents and Settings\Administrator\Recent
    2008-05-03 18:15:40 0 d
    C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-05-03 18:15:34 0 d
    C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-03 18:15:34 0 d
    C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-05-03 18:15:15 0 d
    C:\Program Files\Common Files\Download Manager
    2008-05-03 17:36:36 0 d
    C:\WINDOWS\ERUNT
    2008-05-03 17:23:20 0 d
    C:\Program Files\Trend Micro


    -- Find3M Report

    2008-05-21 17:19:41 0 d
    C:\Documents and Settings\Administrator\Application Data\AVG7
    2008-05-20 21:34:53 0 d
    C:\Documents and Settings\Administrator\Application Data\Azureus
    2008-05-20 16:40:22 0 d
    C:\Documents and Settings\Administrator\Application Data\Vso
    2008-05-20 16:40:20 668 --a
    C:\Documents and Settings\Administrator\Application Data\vso_ts_preview.xml
    2008-05-18 18:09:29 664 --a
    C:\WINDOWS\system32\d3d9caps.dat
    2008-05-03 19:08:42 0 d
    C:\Documents and Settings\Administrator\Application Data\ppstream
    2008-05-03 18:15:15 0 d
    C:\Program Files\Common Files
    2008-04-24 21:53:14 0 d
    C:\Program Files\Picasa2
    2008-04-16 18:43:24 0 d
    C:\Program Files\VSO
    2008-04-16 18:40:59 34 --a
    C:\Documents and Settings\Administrator\Application Data\pcouffin.log
    2008-04-16 18:40:29 47360 --a
    C:\Documents and Settings\Administrator\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
    2008-04-16 18:40:29 1144 --a
    C:\Documents and Settings\Administrator\Application Data\pcouffin.inf
    2008-04-16 18:40:29 7887 --a
    C:\Documents and Settings\Administrator\Application Data\pcouffin.cat
    2008-04-15 20:39:10 0 d
    C:\Program Files\eMule
    2008-04-15 19:49:03 0 d
    C:\Program Files\Azureus
    2008-04-14 09:26:15 2399 --a
    C:\Documents and Settings\Administrator\Application Data\NMM-MetaData.db
    2008-04-14 09:17:41 0 d
    C:\Documents and Settings\Administrator\Application Data\FrostWire
    2008-04-09 19:31:26 0 d
    C:\Documents and Settings\Administrator\Application Data\dvdcss
    2008-04-06 17:06:53 0 d
    C:\Program Files\TuneUp Utilities 2008
    2008-04-06 17:03:43 0 d
    C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-06 16:44:03 0 d
    C:\Program Files\Common Files\Ahead
    2008-04-06 16:43:59 0 d
    C:\Program Files\Ahead
    2008-04-05 20:56:38 0 d
    C:\Program Files\Nero
    2008-04-05 20:32:18 0 d
    C:\Program Files\Common Files\Ahead(2)
    2008-04-05 20:18:32 0 d
    C:\Program Files\MSI
    2008-04-03 19:55:34 0 d
    C:\Documents and Settings\Administrator\Application Data\ImgBurn
    2008-03-26 07:01:35 0 d
    C:\Program Files\Astonsoft
    2008-03-26 06:48:08 0 d
    C:\Documents and Settings\Administrator\Application Data\DeepBurner
    2008-03-25 20:38:16 0 d--h
    C:\Program Files\InstallShield Installation Information
    2008-03-14 16:42:57 5338 --a
    C:\WINDOWS\system32\EPPICResdb0000
    2008-03-14 16:42:57 120 --a
    C:\WINDOWS\system32\EPPICResdb


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [15/04/2008 08:43]
    "NVIDIA nForce APU1 Utilities"="NVATray.exe" [19/01/2002 00:33 C:\WINDOWS\system32\NVATray.exe]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/04/2007 19:10]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @=&quot;Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "EPSON Stylus Photo RX420 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
    "NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
    "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp




    -- End of Deckard's System Scanner: finished at 2008-05-21 19:03:16
  • edited May 2008
    No null keys but again the repeat BHO infection and file created and removed. I am seeing if I can arrange a new host download location for Sysdump, which is a freeware tool I would like you to use here. In the interim PM me an email address I can send a copy to, so you can use it to better analyze where this malware is loading from there. No other PMs from anyone but Paulfcb please - sorry, but they will be deleted without reply.
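    As an added example (not code from this thread, and not part of HijackThis, DSS or Sysdump), the following Python checker reads HijackThis-style log lines and flags the patterns that keep showing up in the logs above: a ProxyServer value pointing at the loopback address, Hosts-file redirects to a non-local IP, a system.ini Shell= value that carries a second executable after Explorer.exe, and O2 BHO entries whose DLL is missing (the repeat-infection sign the helper refers to). The sample lines are constructed from entries quoted in this thread; the function and variable names are the example's own.

```python
"""Flag suspicious HijackThis-style entries (added example, not from the thread)."""
import re
from ipaddress import ip_address

# Constructed sample: lines copied from the HijackThis log and fixed-entry
# backups quoted in this thread, plus two benign lines for contrast.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:6711
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 66.98.148.65 auto.search.msn.com
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Config\\csrss.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {A9C50ACC-AEBA-4D27-B7EC-0767ECFC11E8} - C:\\WINDOWS\\system32\\netmogon.dll (file missing)
O4 - HKLM\\..\\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
"""

PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<value>.+)$")
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)")
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


def proxy_targets_loopback(value):
    """True if any proxy in a WinINet ProxyServer value points at this host.

    Accepts both the bare "host:port" form and the per-scheme
    "http=host:port;https=host:port" form.
    """
    for part in value.split(";"):
        hostport = part.split("=", 1)[-1].strip()
        host = hostport.rsplit(":", 1)[0]
        if host.lower() == "localhost":
            return True
        try:
            if ip_address(host).is_loopback:
                return True
        except ValueError:
            pass  # a hostname; only "localhost" is treated as local here
    return False


def flag_line(line):
    """Return a short reason if the line is suspicious, otherwise None."""
    m = PROXY_RE.match(line)
    if m:
        # A proxy on 127.0.0.1 means something on this machine sits in
        # front of every browser request.
        return "proxy on loopback" if proxy_targets_loopback(m["value"]) else None
    m = HOSTS_RE.match(line)
    if m:
        try:
            addr = ip_address(m["ip"])
        except ValueError:
            return None
        # Mapping a name to 127.0.0.1/0.0.0.0 is ordinary blocking; mapping
        # it to a routable address redirects the user elsewhere.
        if not (addr.is_loopback or addr.is_unspecified):
            return f"hosts redirect of {m['host']} to {m['ip']}"
        return None
    m = SHELL_RE.match(line)
    if m:
        tokens = m["value"].split()
        # Winlogon runs every token; the only expected value is Explorer.exe.
        if len(tokens) != 1 or tokens[0].lower() != "explorer.exe":
            return "extra executable in Shell="
        return None
    m = BHO_RE.match(line)
    if m and m["path"].endswith("(file missing)"):
        # A registered BHO whose DLL is gone usually means the file was
        # cleaned but whatever registers it is still running.
        return "BHO with missing DLL"
    return None


def scan(log_text):
    """Return [(section, reason, line)] for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reason = flag_line(line)
        if reason:
            findings.append((line.split(" - ", 1)[0], reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in scan(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```

    Run against a saved HijackThis log the same way (`scan(open(path).read())`); the check is deliberately narrow and does not replace reading the full log.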
  • edited May 2008
    As you know we have been going back and forth through email trying to get an email account that doesn't block the attachment, which was finally done. I did receive the Sysdump logs, but no malware is loading from any services/drivers or any of those views.

    I am running a new analysis of one of the malware files you uploaded, and see it is taking me back to assessing a file of interest earlier. The malware reloading is run from some sort of desktop shell hook there, so let's take a look at a shell file.

    Go here, press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select the file on your computer.

    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03/comctl32.dll

    You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.
  • edited May 2008
    I would also like you to check on a specific file type there.

    Go to Start > Run and type:

    cmd.exe

    and ok. Copy and paste the below string after the prompt >

    dir /s /a "c:\Deskmovr*.*" > c:\find1.txt & start notepad c:\find1.txt

    Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.
  • edited May 2008
    Post 54. Done

    Post 55. No scan took place.
  • edited May 2008
    I received the file, thanks. It is one of your user shell interface files, so pretty busy file code to weed through. Not sure if anything in that provided ideas though. I went back to the bad .dll you uploaded and ran more analysis on it, and see it calling on an ieplugin.dll function. There is a DCADS adware that stores files in Firefox, that it uses to recreate IE infection. This isn't that same package, but let's see if it is applying some of the same tricks.


    Navigate to and upload to the SpyKiller site this entire folder please:

    C:\Program Files\Mozilla Firefox\components
  • edited May 2008
    After a long think I've come to the conclusion that it might be a good idea to format my hard drive. This will possibly be the only way to rid my system of any malware or trojan horses. Thank you very much for your work. It really is appreciated and I won't hesitate to go down this avenue again.
  • edited May 2008
    I can appreciate your making that choice, especially with our many checks and repairs done so far. If you have not made the move yet, please consider uploading the requested folder, even if you still opt to do the reinstall as well.