After using the internet for a while, I feel that the malware hasn't been removed yet. Thank you for helping; I hope you can help me kill this malware until the final step.
This is the ComboFix log:
ComboFix 07-10-26.4 - Sayed Hadi 2007-10-25 19:00:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1256.965.1033.18.444 [GMT -7:00]
Running from: C:\Documents and Settings\Sayed Hadi\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\hala\Desktop\Live Safety Center.lnk
C:\Documents and Settings\hala\Desktop\Online Security Guide.lnk
C:\Documents and Settings\hala\Favorites\Online Security Guide.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Sayed Hadi\Application Data\BestsellerAntivirus
C:\Documents and Settings\Sayed Hadi\Application Data\BestsellerAntivirus\avtasks.dat
C:\Documents and Settings\Sayed Hadi\Application Data\BestsellerAntivirus\Logs\av.log
C:\Documents and Settings\Sayed Hadi\Application Data\BestsellerAntivirus\Logs\ga6Support.log
C:\Documents and Settings\Sayed Hadi\Application Data\BestsellerAntivirus\Logs\update.log
C:\Documents and Settings\Sayed Hadi\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Sayed Hadi\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Sayed Hadi\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Sayed Hadi\ResErrors.log
C:\Program Files\Common Files\uwmu
C:\Program Files\Common Files\uwmu\uwmua.lck
C:\Program Files\Common Files\uwmu\uwmud\class-barrel
C:\Program Files\Common Files\uwmu\uwmud\uwmuc.dll
C:\Program Files\Common Files\uwmu\uwmud\vocabulary
C:\Program Files\Common Files\uwmu\uwmuh
C:\Program Files\Common Files\uwmu\uwmul.exe
C:\Program Files\Common Files\uwmu\uwmul.lck
C:\Program Files\Common Files\uwmu\uwmum.lck
C:\Program Files\Common Files\uwmu\uwmup.exe
C:\Program Files\inetget2
C:\Program Files\MSN Gaming Zone\qufaqy.dll
C:\Program Files\MSN Gaming Zone\qufaqy538.dll
C:\Program Files\MSN Gaming Zone\qufaqy695.dll
C:\Program Files\MSN Gaming Zone\rtenefsu.html
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\Online Services\meso4444.dll
C:\Program Files\Online Services\meso83122.dll
C:\Program Files\svhost
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fCOe
C:\Temp\fCOe\tOasF.log
C:\Temp\fse
C:\Temp\xOe
C:\UGA6P
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\adccf.bak1
C:\WINDOWS\system32\adccf.bak2
C:\WINDOWS\system32\adccf.ini
C:\WINDOWS\system32\adccf.ini2
C:\WINDOWS\system32\adccf.tmp
C:\WINDOWS\system32\aixkrjqv.exe
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\blbyhkwj.exe
C:\WINDOWS\system32\cufxcwdp.exe
C:\WINDOWS\system32\cyblhjfm.exe
C:\WINDOWS\system32\datynokx.exe
C:\WINDOWS\system32\dcrnrxcx.exe
C:\WINDOWS\system32\dhrkwjzv.dll
C:\WINDOWS\system32\dhrkwjzv.dllbox
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\fccda.dll
C:\WINDOWS\system32\gircmvlm.exe
C:\WINDOWS\system32\gknohdle.dll
C:\WINDOWS\system32\gknohdle.dllbox
C:\WINDOWS\system32\gtbkibxy.dll
C:\WINDOWS\system32\gtbkibxy.dllbox
C:\WINDOWS\system32\gyimmiir.exe
C:\WINDOWS\system32\hjqookoj.exe
C:\WINDOWS\system32\husdnoro.exe
C:\WINDOWS\system32\hyixrkyr.exe
C:\WINDOWS\system32\iftkyyrk.exe
C:\WINDOWS\system32\ineprhgc.exe
C:\WINDOWS\system32\ioelsnoj.exe
C:\WINDOWS\system32\iqkhopts.exe
C:\WINDOWS\system32\jcwftgvp.dll
C:\WINDOWS\system32\jcwftgvp.dllbox
C:\WINDOWS\system32\jjriyff.dll
C:\WINDOWS\system32\jponhbcg.exe
C:\WINDOWS\system32\klrpddmp.ini
C:\WINDOWS\system32\lwmxkxji.exe
C:\WINDOWS\system32\lwutvctw.exe
C:\WINDOWS\system32\mwyhgfuf.exe
C:\WINDOWS\system32\oTt02e
C:\WINDOWS\system32\oTt02e\oTt02e1065.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmddprlk.dll
C:\WINDOWS\system32\pnbcivfs.exe
C:\WINDOWS\system32\pryiqioj.exe
C:\WINDOWS\system32\qcehqean.exe
C:\WINDOWS\system32\qnctbsqk.exe
C:\WINDOWS\system32\rehjgjdb.dll
C:\WINDOWS\system32\rybxsnly.exe
C:\WINDOWS\system32\sjfcldvg.exe
C:\WINDOWS\system32\sucdmsmy.exe
C:\WINDOWS\system32\tbjntnrg.exe
C:\WINDOWS\system32\tlxnmyta.exe
C:\WINDOWS\system32\tyeolmgg.exe
C:\WINDOWS\system32\uhrphsrx.dll
C:\WINDOWS\system32\uhrphsrx.dllbox
C:\WINDOWS\system32\ujqlijjm.exe
C:\WINDOWS\system32\ukuilegn.exe
C:\WINDOWS\system32\vczaikai.dll
C:\WINDOWS\system32\vczaikai.dllbox
C:\WINDOWS\system32\vectscqj.exe
C:\WINDOWS\system32\vjlcsqrv.exe
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\wapypwcm.exe
C:\WINDOWS\system32\wbettxan.exe
C:\WINDOWS\system32\wlataqcq.exe
C:\WINDOWS\system32\wttswgzy.dll
C:\WINDOWS\system32\wttswgzy.dllbox
C:\WINDOWS\system32\wytadons.dll
C:\WINDOWS\system32\wytadons.dllbox
C:\WINDOWS\system32\xtliqyms.exe
C:\WINDOWS\system32\ybfervzi.dll
C:\WINDOWS\system32\ybfervzi.dllbox
C:\WINDOWS\system32\ygxtodos.exe
C:\WINDOWS\system32\yldltsqy.ini
C:\WINDOWS\system32\yqstldly.dll
C:\WINDOWS\system32\zngnqmsc.dll
C:\WINDOWS\system32\zngnqmsc.dllbox
C:\WINDOWS\tk58.exe
C:\WINDOWS\tsitra1000106.exe
C:\WINDOWS\tsitra572.exe
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\uwmu
C:\WINDOWS\uwmu\uwmu.dat
C:\WINDOWS\uwmu\wu
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FMTR
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\DomainService
-------\Network Monitor
((((((((((((((((((((((((( Files Created from 2007-09-26 to 2007-10-26 )))))))))))))))))))))))))))))))
.
2007-10-26 01:15 83,008 --a------ C:\WINDOWS\system32\pmioihpn.dll
2007-10-25 21:43 83,008 --a------ C:\WINDOWS\system32\palmrewc.dll
2007-10-25 18:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-25 18:42 <DIR> d-------- C:\Documents and Settings\hala\Contacts
2007-10-25 02:50 <DIR> d-------- C:\Documents and Settings\hala\Application Data\Yahoo!
2007-10-25 02:33 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-10-25 02:31 108,728 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-25 02:31 48,824 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-25 02:30 <DIR> d-------- C:\Documents and Settings\hala\Application Data\AdobeUM
2007-10-25 02:23 <DIR> d-------- C:\Documents and Settings\hala\Application Data\Symantec
2007-10-25 02:23 <DIR> d-------- C:\Documents and Settings\hala\Application Data\Sony Corporation
2007-10-25 02:23 <DIR> d-------- C:\Documents and Settings\hala\Application Data\Drag'n Drop CD+DVD
2007-10-24 18:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-23 18:58 84,544 --a------ C:\WINDOWS\system32\yvnaunie.dll
2007-10-23 02:16 84,544 --a------ C:\WINDOWS\system32\gdpyvvtc.dll
2007-10-20 01:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-10-19 00:38 <DIR> d--hs---- C:\WINDOWS\U2F5ZWQgSGFkaQ
2007-10-19 00:38 421,888 --a------ C:\WINDOWS\system32\bkinnxyt.dll
2007-10-19 00:38 118,784 --a------ C:\WINDOWS\system32\artchker.exe
2007-10-19 00:38 45,056 --a------ C:\WINDOWS\system32\katzpwwcx.exe
2007-10-19 00:38 45,056 --a------ C:\WINDOWS\system32\katzppd.exe
2007-10-19 00:38 44,922 --a------ C:\WINDOWS\system32\IKatzuUninstall.exe
2007-10-19 00:37 <DIR> d-------- C:\WINDOWS\system32\xx1
2007-10-19 00:37 <DIR> d-------- C:\WINDOWS\system32\od2
2007-10-19 00:37 <DIR> d-------- C:\WINDOWS\system32\ib1
2007-10-19 00:37 <DIR> d-------- C:\WINDOWS\system32\cp1
2007-10-19 00:37 <DIR> d-------- C:\WINDOWS\system32\bo2
2007-10-19 00:37 <DIR> d-------- C:\WINDOWS\system32\ap1
2007-10-19 00:37 549,949 --a------ C:\temp\cilo.exe
2007-10-19 00:37 35,840 --a------ C:\WINDOWS\system32\xxyawwu.dll
2007-10-18 15:22 <DIR> d-------- C:\Program Files\XoftSpySE
2007-10-12 13:15 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-08 12:34 1,156 --a------ C:\WINDOWS\mozver.dat
2007-10-08 12:33 <DIR> d-------- C:\Documents and Settings\Sayed Hadi\Application Data\Talkback
2007-10-08 12:32 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-06 22:02 <DIR> d-------- C:\Program Files\CONEXANT
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 01:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-25 09:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-25 09:41 --------- d-----w C:\Program Files\Symantec
2007-10-19 07:38 24,576 ----a-w C:\WINDOWS\system32\msxml3a.dll
2007-10-12 20:15 --------- d-----w C:\Program Files\Common Files\Real
2007-10-09 08:47 --------- d-----w C:\Program Files\Golden Al-Wafi Translator
2007-10-09 01:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-07 05:13 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-10-07 05:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-09-06 21:24 337,056 ----a-w C:\WINDOWS\system32\ENTER.scr
2007-09-06 06:29 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-29 04:30 --------- d-----w C:\Program Files\support.com
2007-08-29 00:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Support.com
2007-08-26 08:27 --------- d-----w C:\Program Files\HP
2007-08-26 08:20 --------- d-----w C:\Program Files\Hewlett-Packard
2007-08-26 06:30 --------- d-----w C:\Program Files\Paltalk Messenger
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-14 01:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-14 01:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-14 01:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-14 01:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-14 01:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-14 01:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-14 01:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-14 01:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-14 01:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2005-08-02 23:46:54 187,904 --sha-r C:\WINDOWS\U2F5ZWQgSGFkaQ\asappsrv.dll
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\U2F5ZWQgSGFkaQ\oZIctqk0m3I4uk.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C92B957B-4767-4E53-A63C-1E547C35F0C6}]
2007-10-19 00:37 35840 --a------ C:\WINDOWS\system32\xxyawwu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA5159DF-E413-4878-8AE2-D921D41BB942}]
2007-10-19 00:38 421888 --a------ C:\WINDOWS\system32\bkinnxyt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 08:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-28 01:34]
"54a58e5f"="C:\WINDOWS\system32\bqfjhrhq.dll" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-02 18:04]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 12:22]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-05-19 08:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C92B957B-4767-4E53-A63C-1E547C35F0C6}"= C:\WINDOWS\system32\xxyawwu.dll [2007-10-19 00:37 35840]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyawwu]
xxyawwu.dll 2007-10-19 00:37 35840 C:\WINDOWS\system32\xxyawwu.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\fccda.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalStart.lnk
backup=C:\WINDOWS\pss\PalStart.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerPanel.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PowerPanel.lnk
backup=C:\WINDOWS\pss\PowerPanel.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickTV.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickTV.lnk
backup=C:\WINDOWS\pss\QuickTV.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\54a58e5f]
rundll32.exe "C:\WINDOWS\system32\gdpyvvtc.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint\Apoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArtChk]
C:\WINDOWS\system32\artchker.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
C:\WINDOWS\System32\ezSP_Px.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
C:\DOCUME~1\SAYEDH~1\LOCALS~1\Temp\RarSFX0\rd.exe /min
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HKSERV.EXE]
C:\Program Files\Sony\HotKey Utility\HKserv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
C:\Program Files\LClock\LClock.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
ICO.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando]
C:\Program Files\Pando Networks\Pando\pando.exe /Automation
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Propel Accelerator]
C:\Program Files\Propel Accelerator\PropelAC.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sweeper.exe]
C:\Program Files\History Sweeper\sweeper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=2 (0x2)
"Network Monitor"=2 (0x2)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"DomainService"=2 (0x2)
"Dnscache"=2 (0x2)
"CLTNetCnService"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
S3 Cap7134;Cap7134 Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys
S3 CSRBC01;CSRBC01.Sys CSR test driver;C:\WINDOWS\system32\Drivers\CSRBC01.sys
S3 DCamUSBSony4;Sony Visual Communication Camera;C:\WINDOWS\system32\DRIVERS\snyucam4.sys
S3 DCamUSBSonyA4;Sony USB Microphone;C:\WINDOWS\system32\drivers\snyuflt4.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca623c30-4613-11dc-bcc9-080046cc81a2}]
AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2007-10-25 09:50:58 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - hala.job"
"2007-10-26 02:21:38 C:\WINDOWS\Tasks\XoftSpySE 2.job"
"2007-10-20 10:00:38 C:\WINDOWS\Tasks\XoftSpySE.job"
.
**************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-10-25 19:22:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-25 19:29:16 - machine was rebooted
.
--- E O F ---
And that's the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:57 PM, on 10/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [54a58e5f] rundll32.exe "C:\WINDOWS\system32\bqfjhrhq.dll",b
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
--
End of file - 5305 bytes
Thanks a lot.