
Spyware flood -- inquiring prompt assistance!


Post by Leshka » September 1st, 2008, 12:33 pm

Guys,

I seem to have just contaminated my PC with some really nasty spyware after installing a piece of software from an unauthorized source. I now deeply regret the moment I clicked the installer file, which I think spawned a chain of spyware files being copied onto my system.

In a matter of seconds I noticed that many primary functions of my PC got disabled. This is truly frightening, as for example I cannot see my "C:" drive at all, nor can I see the "All Programs" option in the "Start" menu with the list of all installed apps. On top of this, the "Run" function is disabled, so I can't even seem to be able to run something as simple as a DOS prompt.

I get frequent Pop-ups warning me of the virus that has taken over my PC. My system clock has been altered with "VIRUS ALERT!" suffix next to the time. After struggling for half an hour with system slowness and countless pop-ups I was finally able to get on the Internet.

Luckily, I managed to open the HijackThis app sitting on my desktop and run it. The generated log is provided below. I would greatly appreciate it if someone would take a look at it and assist in cleaning my system. I really need a functional PC as soon as possible.


===============================================

Logfile of HijackThis v1.99.1
Scan saved at 01:19: VIRUS ALERT!, on 9/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
C:\Program Files\ROVA Update\rovasrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.ml.com:8083
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: QXK Olive - {26027218-80B3-40FA-9FA1-70FD56AA5328} - C:\WINDOWS\rodqgpvldbv.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BE45F323-53BF-45D5-A73A-358DDFA2E3EB} - C:\WINDOWS\system32\khfccYrR.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: qalkfxor - {5371FF76-9602-4029-9626-BE8CD757EB36} - C:\WINDOWS\qalkfxor.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [GUpload] C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\GRAS301\GUpload.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [%GoForFun] http://www.dannz.com
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WinUpdate] C:\WINDOWS\wuauclt.vbs
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 7208574453
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: khfccYrR - C:\WINDOWS\SYSTEM32\khfccYrR.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: rqbmvpso - {ED1AC4E8-CBFD-44E5-B586-6A92A3EDCF6C} - C:\WINDOWS\rqbmvpso.dll
O21 - SSODL: pdoskegl - {BE0E6C61-890E-4D64-84DC-A22F1F3DC041} - C:\WINDOWS\pdoskegl.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Neoteris Setup Service - Juniper Networks - C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
O23 - Service: ROVA Service (ROVA_Srvc) - Quintech, Inc. - C:\Program Files\ROVA Update\rovasrvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
===============================================


Thanks,
Alex
Leshka
Regular Member
 
Posts: 32
Joined: May 20th, 2008, 11:23 am
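What a helper looks for first in a log like the one above is largely structural: where a loaded module lives (vendor code sits in Program Files or system32, the randomly named DLLs in this log sit directly in the Windows directory), whether an autorun points at a script, a URL or a rundll32-loaded DLL under a numeric key name, whether policy restrictions have been set on the user's own tools, and whether Winlogon Notify and SSODL modules are recognised Windows components. The Python script below is an added example, not HijackThis, SDFix or MalwareRemoval.com code: its heuristics, its two-entry allowlist of Notify/SSODL modules and its SAMPLE_LOG (entries copied from the log posted above) are this example's own assumptions, and its output is a list of entries to examine, not a verdict.

```python
"""Structural triage of a HijackThis log.  Added example, not HijackThis or
MalwareRemoval.com code; heuristics and the tiny allowlist are assumptions."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section body")

# Constructed sample: a header line, one process line and entries copied from
# the log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2
O2 - BHO: QXK Olive - {26027218-80B3-40FA-9FA1-70FD56AA5328} - C:\WINDOWS\rodqgpvldbv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BE45F323-53BF-45D5-A73A-358DDFA2E3EB} - C:\WINDOWS\system32\khfccYrR.dll
O3 - Toolbar: qalkfxor - {5371FF76-9602-4029-9626-BE8CD757EB36} - C:\WINDOWS\qalkfxor.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [%GoForFun] http://www.dannz.com
O4 - HKLM\..\Run: [98278818] rundll32.exe "C:\WINDOWS\system32\xxcmovui.dll",b
O4 - HKCU\..\Run: [WinUpdate] C:\WINDOWS\wuauclt.vbs
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: khfccYrR - C:\WINDOWS\SYSTEM32\khfccYrR.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: rqbmvpso - {ED1AC4E8-CBFD-44E5-B586-6A92A3EDCF6C} - C:\WINDOWS\rqbmvpso.dll
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# First Windows path that ends in a module or script; surrounding quotes tolerated.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:dll|exe|vbs|bat|cmd|js))', re.I)
SCRIPT_EXT = (".vbs", ".bat", ".cmd", ".js")
# XP components that legitimately register as Winlogon Notify / SSODL modules.
# Deliberately tiny (the two present in the log above); a helper would compare
# against a much fuller known-good list.  Assumption of this example.
KNOWN_NOTIFY_MODULES = {"wgalogon.dll", "wpdshserviceobj.dll"}


def parse_log(text):
    """R/O entry lines as Entry objects; header and process-list lines are skipped."""
    return [Entry(*m.groups()) for m in map(ENTRY_RE.match, map(str.strip, text.splitlines())) if m]


def module_path(body):
    """First module/script path mentioned in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def in_windows_root(path):
    """True when the file sits directly in the Windows directory, not a subfolder."""
    parts = path.split("\\")
    return len(parts) == 3 and parts[1].lower() == "windows"


def triage(entry):
    """Reasons this entry deserves a look; empty list means nothing structural stands out."""
    sec, body = entry
    reasons = []
    path = module_path(body)
    missing = "(file missing)" in body or "(no file)" in body

    if sec in ("O2", "O3", "O20", "O21"):
        if missing:
            reasons.append("orphaned entry, module no longer on disk")
        elif path and in_windows_root(path):
            reasons.append("module loaded from the Windows directory itself")
        if sec == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("BHO registered without a name")
        if sec in ("O20", "O21") and path:
            if path.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_MODULES:
                reasons.append("Notify/SSODL module not on the known-good list")
    elif sec == "O4":
        key = re.search(r"\[([^\]]*)\]", body)
        target = body.split("]", 1)[1].strip().lower() if "]" in body else ""
        if key and key.group(1).isdigit():
            reasons.append("autorun key name is purely numeric")
        if path and path.lower().endswith(SCRIPT_EXT):
            reasons.append("autorun launches a script")
        if target.startswith("rundll32") and path and path.lower().endswith(".dll"):
            reasons.append("autorun uses rundll32 to load a DLL")
        if target.startswith("http"):
            reasons.append("autorun value is a URL, not a program")
    elif sec in ("O6", "O7"):
        reasons.append("policy restriction placed on the user's own tools")
    elif sec == "O23" and missing:
        reasons.append("service whose binary is missing")
    return reasons


def triage_log(text):
    """(entry line, reasons) for every flagged entry, in log order."""
    return [(f"{e.section} - {e.body}", r) for e in parse_log(text) if (r := triage(e))]


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run as a script it prints the flagged entries with their reasons; the Windows Live BHO, the SoundMAX autorun, WgaLogon and WPDShServiceObj produce none, which is the point: a helper's attention goes to the minority of lines, and anything the script flags is still checked against the known-good lists before any fix is run.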

Re: Spyware flood -- inquiring prompt assistance!

Post by Shaba » September 3rd, 2008, 6:55 am

Hi Leshka

Your HijackThis is outdated and it needs to be updated.

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Double-click on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Spyware flood -- inquiring prompt assistance!

Post by Leshka » September 3rd, 2008, 8:11 pm

Shaba,

Thank you so much for attending to my inquiry!!

I downloaded the latest HijackThis installer, but when trying to install it my system gave an "Out of memory" error. I figured this is due to loads of spyware that hogged up the CPU. I then rebooted the PC, and after choosing to log in from my normal administrator account, the system appeared to have started loading, so I saw my desktop wallpaper appear on the screen; however, it never went anywhere from there and seemed to have gotten stuck at this screen for a really long time (at least 15+ minutes). I still waited and waited but then gave up and rebooted the PC again. To my dismay, the result was still the same.

I then tried booting up in Safe mode, and it worked. While in Safe mode, I saw that the latest HijackThis had actually been installed properly (I can scan the system with "Trend Micro HijackThis - v2.0.2"). However, I believe scanning the system in Safe mode wouldn't do much good, since all the malicious processes are disabled... Kindly let me know if that's actually the case and, consequently, the course of action I should take from here.

I greatly appreciate all the assistance you can provide.

Regards,
Alex
Leshka
Regular Member
 
Posts: 32
Joined: May 20th, 2008, 11:23 am

Re: Spyware flood -- inquiring prompt assistance!

Post by Shaba » September 4th, 2008, 3:46 am

If you are unable to scan in normal mode then a scan in safe mode is fine :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Spyware flood -- inquiring prompt assistance!

Post by Leshka » September 4th, 2008, 8:15 am

Shaba,

I was actually able to start my PC up in normal mode last night :-) so below is the updated HijackThis log that I ran from normal mode...


=========================================================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:08: VIRUS ALERT!, on 9/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
C:\Program Files\ROVA Update\rovasrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.ml.com:8083
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: qalkfxor - {5371FF76-9602-4029-9626-BE8CD757EB36} - C:\WINDOWS\qalkfxor.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [GUpload] C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\GRAS301\GUpload.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [%GoForFun] http://www.dannz.com
O4 - HKLM\..\Run: [98278818] rundll32.exe "C:\WINDOWS\system32\xxcmovui.dll",b
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WinUpdate] C:\WINDOWS\wuauclt.vbs
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 7208574453
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O21 - SSODL: rqbmvpso - {ED1AC4E8-CBFD-44E5-B586-6A92A3EDCF6C} - C:\WINDOWS\rqbmvpso.dll
O21 - SSODL: pdoskegl - {BE0E6C61-890E-4D64-84DC-A22F1F3DC041} - C:\WINDOWS\pdoskegl.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Neoteris Setup Service - Juniper Networks - C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
O23 - Service: ROVA Service (ROVA_Srvc) - Quintech, Inc. - C:\Program Files\ROVA Update\rovasrvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)

--
End of file - 9256 bytes
Leshka
Regular Member
 
Posts: 32
Joined: May 20th, 2008, 11:23 am

Re: Spyware flood -- inquiring prompt assistance!

Post by Shaba » September 4th, 2008, 8:38 am

Great :)

Rename HijackThis.exe to Leshka.exe.

After that:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Spyware flood -- inquiring prompt assistance!

Post by Leshka » September 4th, 2008, 10:54 pm

Shaba,

Thank you so much again for providing such prompt and valuable assistance in cleaning my PC. After considerable efforts I was finally able to perform everything as instructed. I am posting the contents of the Report.txt and new HijackThis log.

Just FYI,

1) After running SDFix for the first time and then rebooting my PC, it got stuck at the desktop wallpaper screen and the icons never showed up (this was exactly what I experienced a few days ago, when I told you the desktop never finished loading...). Even so, SDFix still loaded up to finish the cleaning process. I then kept rebooting the PC over and over in normal mode until I was finally able to get the desktop to fully load with all the icons.

2) I am still unable to see my "C:\" and "D:\" drives, as well as the "Run" option in the "Start" menu. What I ended up doing to copy the contents of "Report.txt" (which was saved under "C:\SDFix") was to create a shortcut to this folder on my desktop, which worked.


============================================================================================
SDFix: Version 1.221
Run by Lesha on Thu 09/04/2008 at 21:42

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Restoring Windows Product ID To Remove Fake Virus Alert
Restoring Time Format To Remove Fake Virus Alert

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\khfccYrR.dll - Deleted
C:\WINDOWS\EAXF.EXE - Deleted
C:\Documents and Settings\Alenka\Desktop\Error Cleaner.url - Deleted
C:\Documents and Settings\Alenka\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\Lesha\Desktop\Error Cleaner.url - Deleted
C:\Documents and Settings\Lesha\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\Alenka\Desktop\Privacy Protector.url - Deleted
C:\Documents and Settings\Alenka\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\Lesha\Desktop\Privacy Protector.url - Deleted
C:\Documents and Settings\Lesha\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\Alenka\Desktop\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\Alenka\Favorites\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\Lesha\Desktop\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\Lesha\Favorites\Spyware&Malware Protection.url - Deleted
C:\DOCUME~1\Lesha\LOCALS~1\Temp\sfsrv.exe.bat - Deleted
C:\DOCUME~1\Lesha\LOCALS~1\Temp\smchk.exe.bat - Deleted
C:\DOCUME~1\Lesha\LOCALS~1\Temp\tmp15.tmp - Deleted
C:\DOCUME~1\Lesha\LOCALS~1\Temp\tmp17.tmp - Deleted
C:\DOCUME~1\Lesha\LOCALS~1\Temp\tmp26.tmp - Deleted
C:\DOCUME~1\Lesha\LOCALS~1\Temp\tmp27.tmp - Deleted
C:\DOCUME~1\Lesha\LOCALS~1\Temp\tmp28.tmp - Deleted
C:\DOCUME~1\Lesha\LOCALS~1\Temp\tmp29.tmp - Deleted
C:\DOCUME~1\Lesha\LOCALS~1\Temp\tmp2A.tmp - Deleted
C:\DOCUME~1\Lesha\LOCALS~1\Temp\tmp2B.tmp - Deleted
C:\DOCUME~1\Lesha\LOCALS~1\Temp\tmp2C.tmp - Deleted
C:\WINDOWS\rodqgpvldbv.dll - Deleted
C:\DOCUME~1\Lesha\LOCALS~1\Temp\08.php.bat - Deleted
C:\DOCUME~1\Lesha\LOCALS~1\Temp\lsass.exe - Deleted
C:\DOCUME~1\Lesha\LOCALS~1\Temp\removalfile.bat - Deleted
C:\DOCUME~1\Lesha\LOCALS~1\Temp\sfsrv.exe - Deleted
C:\WINDOWS\pdoskegl.dll - Deleted
C:\WINDOWS\qalkfxor.dll - Deleted
C:\WINDOWS\rqbmvpso.dll - Deleted
C:\WINDOWS\rvoelbxt.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-04 21:54:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2B4FCF45-3340-B349-42AE-1C546AB8B938}]
"iaecaghiddncmfifaa"=hex:6a,61,66,70,6f,65,62,6d,6c,6a,6a,62,61,66,6b,66,6e,6e,64,65,00,..
"hakagnfdmioafoli"=hex:6a,61,66,70,68,66,69,6a,6f,63,66,6b,6e,67,6c,66,67,69,6c,6f,00,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\Totalcmd\\TOTALCMD.EXE"="C:\\Program Files\\Totalcmd\\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows"
"C:\\Program Files\\Ahead\\Nero\\nero.exe"="C:\\Program Files\\Ahead\\Nero\\nero.exe:*:Enabled:Nero Burning ROM"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"="C:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE:*:Enabled:Microsoft (R) Visual Studio VSA RPC Event Creator"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\TVU Player\\TVUPlayer.exe"="C:\\Program Files\\TVU Player\\TVUPlayer.exe:*:Enabled:TVUPlayer"
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe:*:Enabled:MSI starter"
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupXu.exe"="C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupXu.exe:*:Enabled:MSI starter"
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"E:\\Gateway Image\\Games\\Electronic Arts\\Sports Car GT Demo\\Spcar.exe"="E:\\Gateway Image\\Games\\Electronic Arts\\Sports Car GT Demo\\Spcar.exe:*:Enabled:Sports Car GT"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Documents and Settings\\Lesha\\Desktop\\0.90\\BitComet.exe"="C:\\Documents and Settings\\Lesha\\Desktop\\0.90\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Documents and Settings\\Lesha\\Desktop\\BitComet.exe"="C:\\Documents and Settings\\Lesha\\Desktop\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 20 Jan 2005 1,056 A.SH. --- "C:\hdvja6hw.sys"
Tue 3 Jul 2007 4 A..H. --- "C:\WINDOWS\uccspecb.sys"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Thu 12 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed 19 Jul 2006 5,355,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Fri 2 Sep 2005 56 ..SHR --- "C:\WINDOWS\system32\49AF5AB142.sys"
Fri 13 May 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 14 Mar 2005 299,008 A..H. --- "C:\Program Files\Canon\MP Navigator 2.2\Maint.exe"
Mon 28 Feb 2005 61,440 A..H. --- "C:\Program Files\Canon\MP Navigator 2.2\uinstrsc.dll"
Thu 15 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 17 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\523d056929e13eacf8392044f602e53e\BITA.tmp"
Thu 17 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\afa5528a2269b5106016bdbc1ea3037f\BIT9.tmp"
Sun 27 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f1d01f188c8132c12d35c3222b7723a4\BIT14.tmp"
Fri 13 May 2005 4,348 A..H. --- "C:\Documents and Settings\Lesha\My Documents\My Music\License Backup\drmv1key.bak"
Sat 14 May 2005 20 A..H. --- "C:\Documents and Settings\Lesha\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 13 May 2005 400 A.SH. --- "C:\Documents and Settings\Lesha\My Documents\My Music\License Backup\drmv2key.bak"
Sat 23 Feb 2008 8,892 ..SH. --- "C:\Documents and Settings\Lesha\Local Settings\Application Data\NewSoft\PageManager\7.15.11A\Setting\PM65.BAK"

Finished!

============================================================================================

Now, HijackThis log:
============================================================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:52:28, on 9/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
C:\Program Files\ROVA Update\rovasrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\Leshka.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.ml.com:8083
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: {72007457-4647-1a3b-b1e4-752158db7a12} - {21a7bd85-1257-4e1b-b3a1-746475470027} - C:\WINDOWS\system32\purvxo.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FDC6170B-1DC1-41DC-BF6C-9964B5F0790A} - C:\WINDOWS\system32\hgGvuUno.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [GUpload] C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\GRAS301\GUpload.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [%GoForFun] http://www.dannz.com
O4 - HKLM\..\Run: [98278818] rundll32.exe "C:\WINDOWS\system32\irhkjajs.dll",b
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 7208574453
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - AppInit_DLLs: purvxo.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Neoteris Setup Service - Juniper Networks - C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
O23 - Service: ROVA Service (ROVA_Srvc) - Quintech, Inc. - C:\Program Files\ROVA Update\rovasrvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)

--
End of file - 9423 bytes

============================================================================================
Leshka
Regular Member
Posts: 32
Joined: May 20th, 2008, 11:23 am

Re: Spyware flood -- inquiring prompt assistance!

Unread postby Shaba » September 5th, 2008, 3:10 am

Yes, looks better.

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

[Image: screenshot of the HijackThis Uninstall Manager screen]

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Spyware flood -- inquiring prompt assistance!

Unread postby Leshka » September 5th, 2008, 8:43 am

Here we go... thanks.
============================================================================================

Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Photoshop 6.0
Adobe Reader 7.1.0
Adobe Shockwave Player
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AutoShrinkIso 1.6
AVI Splitter
avi.NET 2.5.8.0
Avira AntiVir Personal - Free Antivirus
AviScreen Pro
AviSynth 2.5
Belarc Advisor 7.0
BitComet 1.02
bitRipper
Blaine's Custom Photo Album Title
Blaze Media Pro
Blaze Media Pro
Boilsoft Video Splitter 5.01
Broadcom Gigabit Integrated Controller
Canon MP Navigator 2.2
Canon MP830
Canon Utilities Easy-PhotoPrint
CDCheck
Cisco Systems VPN Client 4.0.2 (D)
ConvertXtoDVD 2.0.13
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
DVD Identifier
DVDAuthorGUI (remove only)
DVDFab Decrypter 3.0.5.0
DVDFab Platinum 4.0.3.5 Beta Registered by AxMan
DVDFab Platinum 4.0.6.5B by Team RES
DVDFab Platinum 4.1.2.0
DVDx
Easy CD & DVD Creator 6
Easy-WebPrint
eMule Plus 1.2
Encore
Encore for Windows
Freedom Fighters
Garmin Communicator Plugin
Google Earth
GTA San Andreas
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
ImgBurn (Remove Only)
ImTOO HD Video Converter
Installer Service
Intel(R) 537EP V9x DF PCI Modem
iPod for Windows 2005-03-23
iTunes
Juniper Networks Network Connect 5.2.0
Kaspersky Online Scanner
LingvoSoft Talking Dictionary 2006 (English<->Russian) for Windows
Logitech Harmony Remote Software 7
Macromedia Flash 5
Magic ISO Maker v5.5 (build 0272)
MediaCoder 0.6.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Web Publishing Wizard 1.53
Modem Event Monitor
Movie Splitter
Mozilla Firefox (2.0.0.2)
MP3 Wav Editor 3.30
MpcStar 1.9
MPEG Joiner version 2.0
MSXML 6.0 Parser (KB933579)
muvee HD Addon
muvee Reveal
Nero OEM
OmniPage SE 2.0
Photodex Presenter
Picasa 2
PowerArchiver 2004 v9.25
PowerArchiver 2007
PowerDVD 5.3
Presto! PageManager 7.15.11
QuickTime
RealPlayer
ROVA
ROVA Update 2.4.116
RSA ACE/Agent for Windows
SDFormatter
SDP Downloader
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Sibelius Scorch (ActiveX Only)
Sony Vegas Movie Studio 8.0
Sony Vegas Pro 8.0
SoundMAX
STOIK Video Converter 2
Total Commander (Remove or Repair)
TransLite Dictionary
TVUPlayer 1.5.12
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
URGE
VideoLAN VLC media player 0.8.6a
VNC Free Edition 4.1.1
VobSub v2.23 (Remove Only)
Winamp (remove only)
Windows Communication Foundation
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver
WMV Joiner version 1.1
WMV to AVI MPEG DVD WMV Converter 3.4.0730
Yahoo! Browser Services
Yahoo! Messenger
Yahoo! Toolbar
Leshka
Regular Member
Posts: 32
Joined: May 20th, 2008, 11:23 am

Re: Spyware flood -- inquiring prompt assistance!

Unread postby Shaba » September 5th, 2008, 11:49 am

IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) file sharing programs on your computer.

BitComet 1.02
eMule Plus 1.2

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Please run a new HJT scan when finished and post the log back here along with a fresh uninstall list.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Spyware flood -- inquiring prompt assistance!

Unread postby Leshka » September 5th, 2008, 8:42 pm

I removed all P2P programs from my PC as instructed.

Latest HijackThis Log:

============================================================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:38:14, on 9/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
C:\Program Files\ROVA Update\rovasrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackThis\Leshka.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.ml.com:8083
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {3C5EF796-4692-4F74-99A6-DEBFF062ECA0} - C:\WINDOWS\system32\hgGvuUno.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: {724d58a3-b71a-1d4b-7c44-31394205d6c8} - {8c6d5024-9313-44c7-b4d1-a17b3a85d427} - C:\WINDOWS\system32\gfwoxf.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [GUpload] C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\GRAS301\GUpload.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [%GoForFun] http://www.dannz.com
O4 - HKLM\..\Run: [98278818] rundll32.exe "C:\WINDOWS\system32\iaymidae.dll",b
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 7208574453
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - AppInit_DLLs: gfwoxf.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Neoteris Setup Service - Juniper Networks - C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
O23 - Service: ROVA Service (ROVA_Srvc) - Quintech, Inc. - C:\Program Files\ROVA Update\rovasrvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)

--
End of file - 9081 bytes
============================================================================================



Latest Uninstall List:

Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Photoshop 6.0
Adobe Reader 7.1.0
Adobe Shockwave Player
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AutoShrinkIso 1.6
AVI Splitter
avi.NET 2.5.8.0
Avira AntiVir Personal - Free Antivirus
AviScreen Pro
AviSynth 2.5
Belarc Advisor 7.0
bitRipper
Blaine's Custom Photo Album Title
Blaze Media Pro
Blaze Media Pro
Boilsoft Video Splitter 5.01
Broadcom Gigabit Integrated Controller
Canon MP Navigator 2.2
Canon MP830
Canon Utilities Easy-PhotoPrint
CDCheck
Cisco Systems VPN Client 4.0.2 (D)
ConvertXtoDVD 2.0.13
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
DVD Identifier
DVDAuthorGUI (remove only)
DVDFab Decrypter 3.0.5.0
DVDFab Platinum 4.0.3.5 Beta Registered by AxMan
DVDFab Platinum 4.0.6.5B by Team RES
DVDFab Platinum 4.1.2.0
DVDx
Easy CD & DVD Creator 6
Easy-WebPrint
Encore
Encore for Windows
Freedom Fighters
Garmin Communicator Plugin
Google Earth
GTA San Andreas
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
ImgBurn (Remove Only)
ImTOO HD Video Converter
Installer Service
Intel(R) 537EP V9x DF PCI Modem
iPod for Windows 2005-03-23
iTunes
Juniper Networks Network Connect 5.2.0
Kaspersky Online Scanner
LingvoSoft Talking Dictionary 2006 (English<->Russian) for Windows
Logitech Harmony Remote Software 7
Macromedia Flash 5
Magic ISO Maker v5.5 (build 0272)
MediaCoder 0.6.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Web Publishing Wizard 1.53
Modem Event Monitor
Movie Splitter
Mozilla Firefox (2.0.0.2)
MP3 Wav Editor 3.30
MpcStar 1.9
MPEG Joiner version 2.0
MSXML 6.0 Parser (KB933579)
muvee HD Addon
muvee Reveal
Nero OEM
OmniPage SE 2.0
Photodex Presenter
Picasa 2
PowerArchiver 2004 v9.25
PowerArchiver 2007
PowerDVD 5.3
Presto! PageManager 7.15.11
QuickTime
RealPlayer
ROVA
ROVA Update 2.4.116
RSA ACE/Agent for Windows
SDFormatter
SDP Downloader
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Sibelius Scorch (ActiveX Only)
Sony Vegas Movie Studio 8.0
Sony Vegas Pro 8.0
SoundMAX
STOIK Video Converter 2
Total Commander (Remove or Repair)
TransLite Dictionary
TVUPlayer 1.5.12
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
URGE
VideoLAN VLC media player 0.8.6a
VNC Free Edition 4.1.1
VobSub v2.23 (Remove Only)
Winamp (remove only)
Windows Communication Foundation
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver
WMV Joiner version 1.1
WMV to AVI MPEG DVD WMV Converter 3.4.0730
Yahoo! Browser Services
Yahoo! Messenger
Yahoo! Toolbar
Leshka
Regular Member
 
Posts: 32
Joined: May 20th, 2008, 11:23 am

Re: Spyware flood -- inquiring prompt assistance!

Unread postby Shaba » September 6th, 2008, 4:46 am

Thank you :)

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Spyware flood -- inquiring prompt assistance!

Unread postby Leshka » September 6th, 2008, 11:31 am

The report from ComboFix.txt


ComboFix 08-09-05.02 - Lesha 2008-09-06 11:16:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1631 [GMT -4:00]
Running from: C:\Documents and Settings\Lesha\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Lesha\LOCALS~1\Temp\tmp1.tmp
C:\Documents and Settings\Lesha\Application Data\inst.exe
C:\Documents and Settings\Lesha\Cookies\lesha@advertising[1].txt
C:\Documents and Settings\Lesha\Cookies\lesha@advertising[2].txt
C:\Documents and Settings\Mayya\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\eadimyai.ini
C:\WINDOWS\system32\gfwoxf.dll
C:\WINDOWS\system32\hgGvuUno.dll
C:\WINDOWS\system32\hgGxXpOG.dll
C:\WINDOWS\system32\iaymidae.dll
C:\WINDOWS\system32\iuvomcxx.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\Memman.vxd
C:\WINDOWS\system32\onUuvGgh.ini
C:\WINDOWS\system32\onUuvGgh.ini2
C:\WINDOWS\system32\purvxo.dll
C:\WINDOWS\system32\sjajkhri.ini
C:\WINDOWS\system32\skinboxer43.dll
C:\WINDOWS\system32\ughwqflp.dll
C:\WINDOWS\system32\yiwfxesw.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))
.

2008-09-06 10:44 . 2008-09-06 10:44 268 --ah----- C:\sqmdata17.sqm
2008-09-06 10:44 . 2008-09-06 10:44 244 --ah----- C:\sqmnoopt17.sqm
2008-09-05 23:51 . 2008-09-05 23:51 244 --ah----- C:\sqmnoopt16.sqm
2008-09-05 23:51 . 2008-09-05 23:51 232 --ah----- C:\sqmdata16.sqm
2008-09-05 21:32 . 2008-09-05 21:32 244 --ah----- C:\sqmnoopt15.sqm
2008-09-05 21:32 . 2008-09-05 21:32 232 --ah----- C:\sqmdata15.sqm
2008-09-05 21:26 . 2008-09-05 21:26 244 --ah----- C:\sqmnoopt14.sqm
2008-09-05 21:26 . 2008-09-05 21:26 232 --ah----- C:\sqmdata14.sqm
2008-09-05 21:25 . 2008-09-05 21:25 244 --ah----- C:\sqmnoopt13.sqm
2008-09-05 21:25 . 2008-09-05 21:25 232 --ah----- C:\sqmdata13.sqm
2008-09-05 21:24 . 2008-09-05 21:24 244 --ah----- C:\sqmnoopt12.sqm
2008-09-05 21:24 . 2008-09-05 21:24 232 --ah----- C:\sqmdata12.sqm
2008-09-05 20:55 . 2008-09-05 20:55 244 --ah----- C:\sqmnoopt11.sqm
2008-09-05 20:55 . 2008-09-05 20:55 232 --ah----- C:\sqmdata11.sqm
2008-09-05 20:46 . 2008-09-05 20:46 268 --ah----- C:\sqmdata10.sqm
2008-09-05 20:46 . 2008-09-05 20:46 244 --ah----- C:\sqmnoopt10.sqm
2008-09-05 20:10 . 2008-09-05 20:33 <DIR> d-------- C:\Old Movies
2008-09-05 19:10 . 2008-09-05 19:10 268 --ah----- C:\sqmdata09.sqm
2008-09-05 19:10 . 2008-09-05 19:10 244 --ah----- C:\sqmnoopt09.sqm
2008-09-05 15:25 . 2008-09-05 15:25 268 --ah----- C:\sqmdata08.sqm
2008-09-05 15:25 . 2008-09-05 15:25 244 --ah----- C:\sqmnoopt08.sqm
2008-09-04 21:39 . 2008-09-04 21:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-04 21:31 . 2008-09-04 21:57 <DIR> d-------- C:\SDFix
2008-09-04 20:59 . 2008-09-04 20:59 268 --ah----- C:\sqmdata07.sqm
2008-09-04 20:59 . 2008-09-04 20:59 244 --ah----- C:\sqmnoopt07.sqm
2008-09-04 08:08 . 2008-09-04 08:08 268 --ah----- C:\sqmdata06.sqm
2008-09-04 08:08 . 2008-09-04 08:08 244 --ah----- C:\sqmnoopt06.sqm
2008-09-01 19:29 . 2008-09-01 19:29 244 --ah----- C:\sqmnoopt05.sqm
2008-09-01 19:29 . 2008-09-01 19:29 232 --ah----- C:\sqmdata05.sqm
2008-09-01 11:21 . 2008-09-01 11:21 124,544 --a------ C:\WINDOWS\system32\tiysldxg.dll
2008-09-01 11:21 . 2008-09-01 11:21 124,544 --a------ C:\WINDOWS\system32\ncyraz.dll
2008-09-01 00:43 . 2008-09-01 00:43 268 --ah----- C:\sqmdata04.sqm
2008-09-01 00:43 . 2008-09-01 00:43 244 --ah----- C:\sqmnoopt04.sqm
2008-09-01 00:39 . 2008-09-01 00:39 <DIR> d-------- C:\Documents and Settings\Alenka\Application Data\TmpRecentIcons
2008-08-31 22:43 . 2008-08-31 22:57 <DIR> d-------- C:\VideoOutput
2008-08-31 22:40 . 2008-08-31 22:43 <DIR> d-------- C:\Program Files\WMV to AVI MPEG DVD WMV Converter
2008-08-30 20:39 . 2008-08-30 21:08 191 --a------ C:\WINDOWS\Cryvideoslpitter.ini
2008-08-30 20:38 . 2005-05-04 11:58 1,245,184 --a------ C:\WINDOWS\system32\NCTRMFile.dll
2008-08-30 20:38 . 2005-04-18 19:01 991,232 --a------ C:\WINDOWS\system32\NCTVideoCoreM.dll
2008-08-30 20:38 . 2003-01-09 13:43 793,536 --a------ C:\WINDOWS\system32\wmpcdcs8.exe
2008-08-30 20:38 . 2005-03-29 14:35 356,352 --a------ C:\WINDOWS\system32\NCTVideoDxPlayer.dll
2008-08-30 20:38 . 2005-05-05 15:46 282,624 --a------ C:\WINDOWS\system32\NCTQuickTimeFile.dll
2008-08-30 20:38 . 2005-04-14 19:06 196,608 --a------ C:\WINDOWS\system32\NCTWMVFile.dll
2008-08-30 20:38 . 2008-08-30 21:08 5 --a------ C:\WINDOWS\system32\SySvideocutter.dat
2008-08-29 19:57 . 2008-08-29 19:57 <DIR> d-------- C:\Program Files\Cucusoft
2008-08-29 19:57 . 2003-04-03 00:17 172,032 --a------ C:\WINDOWS\system32\ac3filter.ax
2008-08-29 19:54 . 2008-08-29 19:54 <DIR> d-------- C:\Program Files\MPEGJOINER
2008-08-23 00:11 . 2008-08-23 13:24 <DIR> d-------- C:\wmdownloads
2008-08-22 19:16 . 2008-08-31 22:15 <DIR> d-------- C:\WEDDING MOVIE (FINAL)
2008-08-22 15:02 . 2008-08-22 15:22 35,374,160 --a------ C:\Credits.wmv
2008-08-22 13:04 . 2008-08-22 14:17 <DIR> d-------- C:\Documents and Settings\Alenka\Application Data\muvee Technologies
2008-08-22 04:31 . 2008-08-22 16:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-22 04:31 . 2008-08-22 16:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-21 23:46 . 2008-08-22 15:59 979,327,436 --a------ C:\WeddingLoveStory.wmv
2008-08-21 23:46 . 2008-08-21 23:47 978,711,316 --a------ C:\WeddingLoveStoryOld.wmv
2008-08-21 16:42 . 2008-08-21 16:42 <DIR> d-------- C:\Documents and Settings\Mayya\Application Data\Media Player Classic
2008-08-21 13:59 . 2008-08-21 14:00 <DIR> d-------- C:\Documents and Settings\Grisha\Application Data\Canon
2008-08-21 13:37 . 2008-08-21 14:23 <DIR> d-------- C:\Documents and Settings\Grisha\Application Data\muvee Technologies
2008-08-19 01:06 . 2008-08-24 15:32 <DIR> d-------- C:\Program Files\ImTOO
2008-08-19 01:06 . 2008-08-19 01:06 <DIR> d-------- C:\Documents and Settings\Lesha\Application Data\ImTOO Software Studio
2008-08-18 22:50 . 2008-08-18 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Movavi Video Converter 6
2008-08-18 09:17 . 2008-08-18 09:17 <DIR> d-------- C:\Documents and Settings\Mayya\Application Data\Yahoo!
2008-08-18 08:53 . 2008-08-18 08:53 <DIR> d-------- C:\Documents and Settings\Mayya\Application Data\DivX
2008-08-18 03:43 . 2008-08-18 08:57 <DIR> d-------- C:\Documents and Settings\Mayya\Application Data\muvee Technologies
2008-08-17 16:28 . 2008-08-31 21:48 <DIR> d-------- C:\Program Files\Boilsoft Video Splitter
2008-08-17 16:02 . 2008-08-17 16:02 <DIR> d-------- C:\Program Files\Pegasus Media Software
2008-08-17 14:26 . 2008-08-17 14:26 268 --ah----- C:\sqmdata03.sqm
2008-08-17 14:26 . 2008-08-17 14:26 244 --ah----- C:\sqmnoopt03.sqm
2008-08-17 14:18 . 2008-08-17 14:18 <DIR> d-------- C:\Program Files\WMVJoiner
2008-08-17 13:39 . 2008-08-17 13:39 268 --ah----- C:\sqmdata02.sqm
2008-08-17 13:39 . 2008-08-17 13:39 244 --ah----- C:\sqmnoopt02.sqm
2008-08-17 12:55 . 2008-08-21 13:51 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-17 11:35 . 2008-08-17 11:35 268 --ah----- C:\sqmdata01.sqm
2008-08-17 11:35 . 2008-08-17 11:35 244 --ah----- C:\sqmnoopt01.sqm
2008-08-17 02:53 . 2008-08-17 02:53 268 --ah----- C:\sqmdata00.sqm
2008-08-17 02:53 . 2008-08-17 02:53 244 --ah----- C:\sqmnoopt00.sqm
2008-08-16 23:31 . 2008-08-17 13:17 <DIR> d-------- C:\Documents and Settings\Lesha\Contacts
2008-08-16 23:22 . 2008-08-16 23:30 <DIR> d-------- C:\Program Files\Windows Live
2008-08-16 23:22 . 2008-08-16 23:29 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-16 23:22 . 2008-08-16 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-16 14:00 . 2008-08-16 14:00 <DIR> d-------- C:\Documents and Settings\Grisha\Application Data\Sony
2008-08-16 14:00 . 2008-08-16 14:00 <DIR> d-------- C:\Documents and Settings\Grisha\Application Data\Publish Providers
2008-08-16 13:54 . 2008-08-16 13:54 <DIR> d-------- C:\Documents and Settings\Alenka\Application Data\Sony
2008-08-16 13:54 . 2008-08-16 13:54 <DIR> d-------- C:\Documents and Settings\Alenka\Application Data\Publish Providers
2008-08-15 02:18 . 2008-08-15 02:18 <DIR> d-------- C:\Program Files\MagicISO
2008-08-11 01:32 . 2008-08-17 16:45 <DIR> d-------- C:\My Music
2008-08-11 01:24 . 2008-08-22 13:38 <DIR> d-------- C:\Program Files\MP3 Wav Editor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-06 00:35 --------- d-----w C:\Program Files\BitComet
2008-09-06 00:29 --------- d-----w C:\Program Files\eMule
2008-09-05 23:28 --------- d-----w C:\Program Files\PowerArchiver
2008-08-31 19:27 --------- d-----w C:\Program Files\MediaCoder
2008-08-30 15:21 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-30 01:28 --------- d-----w C:\Documents and Settings\Lesha\Application Data\TransLite
2008-08-29 01:28 --------- d-----w C:\Documents and Settings\Lesha\Application Data\Move Networks
2008-08-21 18:25 --------- d-----w C:\Documents and Settings\Mayya\Application Data\translite
2008-08-21 17:35 --------- d-----w C:\Documents and Settings\Grisha\Application Data\translite
2008-08-19 21:50 --------- d-----w C:\Documents and Settings\Lesha\Application Data\Vso
2008-08-19 16:54 --------- d-----w C:\Documents and Settings\Lesha\Application Data\dvdcss
2008-08-19 07:02 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-19 05:39 --------- d-----w C:\Documents and Settings\Lesha\Application Data\Sony
2008-08-18 07:41 --------- d-----w C:\Documents and Settings\Mayya\Application Data\Roxio
2008-08-18 00:41 --------- d-----w C:\Documents and Settings\Lesha\Application Data\Canon
2008-08-16 16:24 --------- d-----w C:\Documents and Settings\Alenka\Application Data\translite
2008-08-15 06:24 --------- d-----w C:\Program Files\Sony Setup
2008-08-15 06:24 --------- d-----w C:\Program Files\Sony
2008-08-13 05:06 --------- d-----w C:\Program Files\avi.NET
2008-08-03 00:26 --------- d--h--r C:\Documents and Settings\Grisha\Application Data\yahoo!
2008-08-03 00:21 --------- d--h--r C:\Documents and Settings\Alenka\Application Data\yahoo!
2008-07-30 03:41 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-07-30 03:41 --------- d-----w C:\Program Files\AVS4YOU
2008-07-29 07:02 --------- d-----w C:\Program Files\Microsoft Works
2008-07-29 03:10 --------- d-----w C:\Documents and Settings\Lesha\Application Data\muvee Technologies
2008-07-29 00:51 --------- d-----w C:\Program Files\bobyte
2008-07-29 00:40 --------- d-----w C:\Documents and Settings\Lesha\Application Data\AVS4YOU
2008-07-29 00:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-07-28 02:14 --------- dc-h--w C:\Documents and Settings\All Users\Application Data\{8928E3C2-3767-4ADC-B470-9B87A98E3B0D}
2008-07-28 02:14 --------- d-----w C:\Program Files\Blaze Media Pro
2008-07-28 01:59 --------- d-----w C:\Program Files\TVU Player
2008-07-25 04:00 --------- d-----w C:\Documents and Settings\Lesha\Application Data\Publish Providers
2008-07-25 03:27 --------- d-----w C:\Program Files\Vstplugins
2008-07-25 03:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-07-18 06:04 --------- d-----w C:\Documents and Settings\Lesha\Application Data\Roxio
2008-07-18 04:39 --------- d-----w C:\Program Files\DivX
2008-07-17 07:01 --------- d-----w C:\Program Files\MSXML 6.0
2008-07-16 03:16 --------- d-----w C:\Program Files\muvee Technologies
2008-07-16 03:16 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2008-07-16 03:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\muvee Technologies
2008-07-16 03:13 --------- d-----w C:\Program Files\MSBuild
2008-07-16 03:11 --------- d-----w C:\Program Files\Reference Assemblies
2008-07-15 05:55 --------- d-----w C:\Program Files\Photodex Presenter
2008-07-15 05:55 --------- d-----w C:\Documents and Settings\Lesha\Application Data\Netscape
2008-07-09 04:45 --------- d--h--r C:\Documents and Settings\Lesha\Application Data\yahoo!
2008-07-09 04:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-09 03:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-04-16 00:51 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-04-08 02:23 47,360 ----a-w C:\Documents and Settings\Lesha\Application Data\pcouffin.sys
2007-10-10 18:38 10,666 ----a-w C:\Program Files\uninstal.log
2007-06-08 03:57 87,608 ----a-w C:\Documents and Settings\Lesha\Application Data\ezpinst.exe
2005-09-02 04:34 56 --sh--r C:\WINDOWS\system32\49AF5AB142.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerArchiver Tray"="C:\Program Files\PowerArchiver\PASTARTER.EXE" [2007-02-22 139816]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-01-24 180269]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"GUpload"="C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\GRAS301\GUpload.exe" [2003-08-22 122880]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=gfwoxf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TransLite Dictionary.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TransLite Dictionary.lnk
backup=C:\WINDOWS\pss\TransLite Dictionary.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2008-07-17 16:23 266497 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-10-12 17:54 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-09-16 16:41 1961984 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ROVATray]
--a------ 2007-02-09 08:00 143360 C:\Program Files\ROVA\rovatray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2003-07-15 13:38 319488 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-12-09 19:24 868352 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-05-01 19:44 65536 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Totalcmd\\TOTALCMD.EXE"=
"C:\\Program Files\\Ahead\\Nero\\nero.exe"=
"C:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\TVU Player\\TVUPlayer.exe"=
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupXu.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"E:\\Gateway Image\\Games\\Electronic Arts\\Sports Car GT Demo\\Spcar.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:eMule
"12785:TCP"= 12785:TCP:BitComet 12785 TCP
"12785:UDP"= 12785:UDP:BitComet 12785 UDP
"7429:TCP"= 7429:TCP:BitComet 7429 TCP
"7429:UDP"= 7429:UDP:BitComet 7429 UDP

R2 Neoteris Setup Service;Neoteris Setup Service;C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe [2006-09-25 36864]
R2 ROVA_Srvc;ROVA Service;C:\Program Files\ROVA Update\rovasrvc.exe [2006-11-09 83536]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2006-09-25 23552]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\BCM4E5.SYS [2001-08-17 26568]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66734c8a-106c-11db-807f-001111b8cd87}]
\Shell\AutoRun\command - H:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f90610d8-13b1-11db-99d7-001111b8cd87}]
\Shell\AutoRun\command - H:\JDSecure\Windows\JDSecure31.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{3126E19F-BF85-4919-8184-FE9463447E84} - C:\WINDOWS\system32\hgGvuUno.dll
BHO-{8c6d5024-9313-44c7-b4d1-a17b3a85d427} - C:\WINDOWS\system32\gfwoxf.dll
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKLM-Run-98278818 - C:\WINDOWS\system32\iaymidae.dll
HKLM-Run-%GoForFun - http://www.dannz.com
MSConfigStartUp-Run - C:\Documents and Settings\Lesha\Application Data\Adobe\Manager.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Lesha\Application Data\Mozilla\Firefox\Profiles\wuk6p1qb.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-06 11:21:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-09-06 11:26:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-06 15:26:32

Pre-Run: 6,157,877,248 bytes free
Post-Run: 6,471,278,592 bytes free

313 --- E O F --- 2008-08-21 16:53:25

The new HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:09 AM, on 9/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
C:\Program Files\ROVA Update\rovasrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackThis\Leshka.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.ml.com:8083
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [GUpload] C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\GRAS301\GUpload.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 7208574453
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - AppInit_DLLs: gfwoxf.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Neoteris Setup Service - Juniper Networks - C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
O23 - Service: ROVA Service (ROVA_Srvc) - Quintech, Inc. - C:\Program Files\ROVA Update\rovasrvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)

--
End of file - 8967 bytes
Leshka

Re: Spyware flood -- inquiring prompt assistance!

Unread postby Shaba » September 6th, 2008, 11:46 am

Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
C:\WINDOWS\system32\tiysldxg.dll
C:\WINDOWS\system32\ncyraz.dll

Folder::
C:\Program Files\BitComet
C:\Program Files\eMule

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"=-
"12785:TCP"=-
"12785:UDP"=-
"7429:TCP"=-
"7429:UDP"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.
Shaba
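As an added example (not part of the thread and not ComboFix's own code), the Python script below reads a ComboFix-style log excerpt, flags the kinds of findings the helper acted on (firewall disabled, globally open P2P ports, a non-empty AppInit_DLLs value) and drafts the matching Registry:: lines in the CFScript form shown in the post above. The log excerpt is constructed to mirror the thread's log; the parsing rules and the "name"=- deletion syntax are taken from what is posted here, not from ComboFix documentation, and the constructed AppInit_DLLs line assumes the value appears in the same REGEDIT4 style as the other keys.

```python
"""Triage a ComboFix-style log and draft CFScript 'Registry::' lines.

Added example; not the forum's or ComboFix's own code. Parsing follows the
REGEDIT4-style sections seen in the thread's log; the '"name"=-' deletion
form is the one used in the posted CFScript.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:eMule
"12785:TCP"= 12785:TCP:BitComet 12785 TCP
"7429:UDP"= 7429:UDP:BitComet 7429 UDP

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="gfwoxf.dll"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")            # [HKLM\...\Key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "Name"= data

Sections = Dict[str, List[Tuple[str, str]]]


def parse_reg_sections(text: str) -> Sections:
    """Map each registry key header to its list of (value name, data) pairs."""
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2).strip()))
    return sections


def _is_open_ports(key: str) -> bool:
    return key.lower().endswith(r"globallyopenports\list")


def _is_appinit(key: str) -> bool:
    return key.lower().endswith(r"windows nt\currentversion\windows")


def flag_findings(sections: Sections) -> List[str]:
    """Human-readable findings for the three weak settings the thread dealt with."""
    findings: List[str] = []
    for key, values in sections.items():
        if key.lower().endswith(r"firewallpolicy\standardprofile"):
            for name, data in values:
                if name == "EnableFirewall" and data.startswith("0"):
                    findings.append("Windows Firewall disabled (EnableFirewall = 0)")
        elif _is_open_ports(key):
            for name, data in values:
                label = data.split(":", 2)[-1]  # "4662:TCP:eMule" -> "eMule"
                findings.append(f"Globally open port {name} for {label}")
        elif _is_appinit(key):
            for name, data in values:
                dll = data.strip('"')
                if name.lower() == "appinit_dlls" and dll:
                    findings.append(f"AppInit_DLLs loads {dll} into every process that maps user32.dll")
    return findings


def draft_cfscript(sections: Sections) -> str:
    """Draft a Registry:: section that deletes the open-port and AppInit_DLLs values."""
    lines = ["Registry::"]
    for key, values in sections.items():
        if _is_appinit(key) and any(n.lower() == "appinit_dlls" and d.strip('"') for n, d in values):
            lines += [f"[{key}]", '"AppInit_DLLs"=-', ""]
        elif _is_open_ports(key) and values:
            lines.append(f"[{key}]")
            lines += [f'"{name}"=-' for name, _ in values]
            lines.append("")
    return "\n".join(lines).rstrip() + "\n"


if __name__ == "__main__":
    parsed = parse_reg_sections(SAMPLE_LOG)
    for item in flag_findings(parsed):
        print("FINDING:", item)
    print(draft_cfscript(parsed))
```

The firewall finding is reported but deliberately not scripted, since re-enabling the firewall was not part of the posted CFScript.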

Re: Spyware flood -- inquiring prompt assistance!

Unread postby Leshka » September 6th, 2008, 12:23 pm

Shaba,

Thank you again and again!! ComboFix did not take more than 20 minutes to run; it was done in under 10 minutes, if not less.

Brand new Combofix.txt

ComboFix 08-09-05.02 - Lesha 2008-09-06 12:10:54.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1595 [GMT -4:00]
Running from: C:\Documents and Settings\Lesha\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lesha\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\BitComet
C:\Program Files\BitComet\BitComet.xml
C:\Program Files\BitComet\Downloads.xml
C:\Program Files\BitComet\Favourite.xml
C:\Program Files\BitComet\rules\dhtnodes.dat
C:\Program Files\BitComet\share\my_shares.xml
C:\Program Files\BitComet\torrents\Agnez.torrent
C:\Program Files\BitComet\torrents\Agnez.xml
C:\Program Files\BitComet\torrents\Allok.WMV.to.AVI.MPEG.DVD.WMV.Converter.v1.6.8.Incl.Keygen-Lz0.torrent
C:\Program Files\BitComet\torrents\Allok.WMV.to.AVI.MPEG.DVD.WMV.Converter.v1.6.8.Incl.Keygen-Lz0.xml
C:\Program Files\BitComet\torrents\Boilsoft_Video_Splitter_v5.01.rar.torrent
C:\Program Files\BitComet\torrents\Boilsoft_Video_Splitter_v5.01.rar.xml
C:\Program Files\BitComet\torrents\DVDFab Platinum 4.0.6.5 Beta - Personalized.torrent
C:\Program Files\BitComet\torrents\DVDFab Platinum 4.0.6.5 Beta - Personalized.xml
C:\Program Files\BitComet\torrents\DVDFabPlatinum4035Beta-Licensed.exe.torrent
C:\Program Files\BitComet\torrents\DVDFabPlatinum4035Beta-Licensed.exe.xml
C:\Program Files\BitComet\torrents\dvdSanta v4.00.exe.torrent
C:\Program Files\BitComet\torrents\dvdSanta v4.00.exe.xml
C:\Program Files\BitComet\torrents\lost.torrent
C:\Program Files\BitComet\torrents\lost.xml
C:\Program Files\BitComet\torrents\MuveeReveal-7.torrent
C:\Program Files\BitComet\torrents\MuveeReveal-7.xml
C:\Program Files\BitComet\torrents\Slepoi-3.(12.serii.iz.12).2008.XviD.SATRip.torrent
C:\Program Files\BitComet\torrents\Slepoi-3.(12.serii.iz.12).2008.XviD.SATRip.xml
C:\Program Files\BitComet\torrents\Sony Vegas 8 Pro + Crack.torrent
C:\Program Files\BitComet\torrents\Sony Vegas 8 Pro + Crack.xml
C:\Program Files\BitComet\torrents\XXIX_Letnie_Igri_Pekin.avi.torrent
C:\Program Files\BitComet\torrents\XXIX_Letnie_Igri_Pekin.avi.xml
C:\Program Files\eMule
C:\Program Files\eMule\config\AC_SearchStrings.dat
C:\Program Files\eMule\config\addresses.dat
C:\Program Files\eMule\config\cancelled.met
C:\Program Files\eMule\config\clients.met
C:\Program Files\eMule\config\clients.met.bak
C:\Program Files\eMule\config\cryptkey.dat
C:\Program Files\eMule\config\emfriends.met
C:\Program Files\eMule\config\fileinfo.ini
C:\Program Files\eMule\config\filter.dat
C:\Program Files\eMule\config\gui.dat
C:\Program Files\eMule\config\ip-to-country.csv
C:\Program Files\eMule\config\ipfilter.dat
C:\Program Files\eMule\config\known.met
C:\Program Files\eMule\config\known2_64.met
C:\Program Files\eMule\config\partperm.dat
C:\Program Files\eMule\config\preferences.dat
C:\Program Files\eMule\config\preferences.ini
C:\Program Files\eMule\config\preferences[0.47a].ini
C:\Program Files\eMule\config\server.met
C:\Program Files\eMule\config\server_met.old
C:\Program Files\eMule\config\shareddir.dat
C:\Program Files\eMule\config\staticservers.dat
C:\Program Files\eMule\config\statistics.ini
C:\Program Files\eMule\config\tempdir.dat
C:\Program Files\eMule\config\traffic.dat
C:\Program Files\eMule\config\userhash.dat
C:\Program Files\eMule\config\webservices.dat
C:\Program Files\eMule\Db\__db.001
C:\Program Files\eMule\Db\__db.002
C:\Program Files\eMule\Db\__db.003
C:\Program Files\eMule\Db\__db.004
C:\Program Files\eMule\Db\__db.005
C:\Program Files\eMule\Db\Jumpstart.db
C:\Program Files\eMule\Db\log.0000000001
C:\Program Files\eMule\Temp\001.part.met
C:\Program Files\eMule\Temp\001.part.met.bak
C:\Program Files\eMule\Temp\001.part.settings
C:\Program Files\eMule\Temp\001.part.stats
C:\Program Files\eMule\Temp\002.part.met
C:\Program Files\eMule\Temp\002.part.met.bak
C:\Program Files\eMule\Temp\002.part.settings
C:\Program Files\eMule\Temp\002.part.stats
C:\Program Files\eMule\Temp\003.part.met
C:\Program Files\eMule\Temp\003.part.met.bak
C:\Program Files\eMule\Temp\003.part.stats
C:\Program Files\eMule\Temp\004.part.met
C:\Program Files\eMule\Temp\004.part.met.bad
C:\Program Files\eMule\Temp\004.part.met.bak
C:\Program Files\eMule\Temp\004.part.stats
C:\Program Files\eMule\Temp\005.part.met
C:\Program Files\eMule\Temp\005.part.met.bak
C:\Program Files\eMule\Temp\005.part.stats
C:\Program Files\eMule\Temp\006.part.met
C:\Program Files\eMule\Temp\006.part.met.bak
C:\Program Files\eMule\Temp\006.part.stats
C:\Program Files\eMule\Temp\007.part.met
C:\Program Files\eMule\Temp\007.part.met.bak
C:\Program Files\eMule\Temp\007.part.stats
C:\Program Files\eMule\WebServer\Thumbs.db
C:\WINDOWS\system32\ncyraz.dll
C:\WINDOWS\system32\tiysldxg.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))
.

2008-09-06 10:44 . 2008-09-06 10:44 268 --ah----- C:\sqmdata17.sqm
2008-09-06 10:44 . 2008-09-06 10:44 244 --ah----- C:\sqmnoopt17.sqm
2008-09-05 23:51 . 2008-09-05 23:51 244 --ah----- C:\sqmnoopt16.sqm
2008-09-05 23:51 . 2008-09-05 23:51 232 --ah----- C:\sqmdata16.sqm
2008-09-05 21:32 . 2008-09-05 21:32 244 --ah----- C:\sqmnoopt15.sqm
2008-09-05 21:32 . 2008-09-05 21:32 232 --ah----- C:\sqmdata15.sqm
2008-09-05 21:26 . 2008-09-05 21:26 244 --ah----- C:\sqmnoopt14.sqm
2008-09-05 21:26 . 2008-09-05 21:26 232 --ah----- C:\sqmdata14.sqm
2008-09-05 21:25 . 2008-09-05 21:25 244 --ah----- C:\sqmnoopt13.sqm
2008-09-05 21:25 . 2008-09-05 21:25 232 --ah----- C:\sqmdata13.sqm
2008-09-05 21:24 . 2008-09-05 21:24 244 --ah----- C:\sqmnoopt12.sqm
2008-09-05 21:24 . 2008-09-05 21:24 232 --ah----- C:\sqmdata12.sqm
2008-09-05 20:55 . 2008-09-05 20:55 244 --ah----- C:\sqmnoopt11.sqm
2008-09-05 20:55 . 2008-09-05 20:55 232 --ah----- C:\sqmdata11.sqm
2008-09-05 20:46 . 2008-09-05 20:46 268 --ah----- C:\sqmdata10.sqm
2008-09-05 20:46 . 2008-09-05 20:46 244 --ah----- C:\sqmnoopt10.sqm
2008-09-05 20:10 . 2008-09-05 20:33 <DIR> d-------- C:\Old Movies
2008-09-05 19:10 . 2008-09-05 19:10 268 --ah----- C:\sqmdata09.sqm
2008-09-05 19:10 . 2008-09-05 19:10 244 --ah----- C:\sqmnoopt09.sqm
2008-09-05 15:25 . 2008-09-05 15:25 268 --ah----- C:\sqmdata08.sqm
2008-09-05 15:25 . 2008-09-05 15:25 244 --ah----- C:\sqmnoopt08.sqm
2008-09-04 21:39 . 2008-09-04 21:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-04 21:31 . 2008-09-04 21:57 <DIR> d-------- C:\SDFix
2008-09-04 20:59 . 2008-09-04 20:59 268 --ah----- C:\sqmdata07.sqm
2008-09-04 20:59 . 2008-09-04 20:59 244 --ah----- C:\sqmnoopt07.sqm
2008-09-04 08:08 . 2008-09-04 08:08 268 --ah----- C:\sqmdata06.sqm
2008-09-04 08:08 . 2008-09-04 08:08 244 --ah----- C:\sqmnoopt06.sqm
2008-09-01 19:29 . 2008-09-01 19:29 244 --ah----- C:\sqmnoopt05.sqm
2008-09-01 19:29 . 2008-09-01 19:29 232 --ah----- C:\sqmdata05.sqm
2008-09-01 00:43 . 2008-09-01 00:43 268 --ah----- C:\sqmdata04.sqm
2008-09-01 00:43 . 2008-09-01 00:43 244 --ah----- C:\sqmnoopt04.sqm
2008-09-01 00:39 . 2008-09-01 00:39 <DIR> d-------- C:\Documents and Settings\Alenka\Application Data\TmpRecentIcons
2008-08-31 22:43 . 2008-08-31 22:57 <DIR> d-------- C:\VideoOutput
2008-08-31 22:40 . 2008-08-31 22:43 <DIR> d-------- C:\Program Files\WMV to AVI MPEG DVD WMV Converter
2008-08-30 20:39 . 2008-08-30 21:08 191 --a------ C:\WINDOWS\Cryvideoslpitter.ini
2008-08-30 20:38 . 2005-05-04 11:58 1,245,184 --a------ C:\WINDOWS\system32\NCTRMFile.dll
2008-08-30 20:38 . 2005-04-18 19:01 991,232 --a------ C:\WINDOWS\system32\NCTVideoCoreM.dll
2008-08-30 20:38 . 2003-01-09 13:43 793,536 --a------ C:\WINDOWS\system32\wmpcdcs8.exe
2008-08-30 20:38 . 2005-03-29 14:35 356,352 --a------ C:\WINDOWS\system32\NCTVideoDxPlayer.dll
2008-08-30 20:38 . 2005-05-05 15:46 282,624 --a------ C:\WINDOWS\system32\NCTQuickTimeFile.dll
2008-08-30 20:38 . 2005-04-14 19:06 196,608 --a------ C:\WINDOWS\system32\NCTWMVFile.dll
2008-08-30 20:38 . 2008-08-30 21:08 5 --a------ C:\WINDOWS\system32\SySvideocutter.dat
2008-08-29 19:57 . 2008-08-29 19:57 <DIR> d-------- C:\Program Files\Cucusoft
2008-08-29 19:57 . 2003-04-03 00:17 172,032 --a------ C:\WINDOWS\system32\ac3filter.ax
2008-08-29 19:54 . 2008-08-29 19:54 <DIR> d-------- C:\Program Files\MPEGJOINER
2008-08-23 00:11 . 2008-08-23 13:24 <DIR> d-------- C:\wmdownloads
2008-08-22 19:16 . 2008-08-31 22:15 <DIR> d-------- C:\WEDDING MOVIE (FINAL)
2008-08-22 15:02 . 2008-08-22 15:22 35,374,160 --a------ C:\Credits.wmv
2008-08-22 13:04 . 2008-08-22 14:17 <DIR> d-------- C:\Documents and Settings\Alenka\Application Data\muvee Technologies
2008-08-22 04:31 . 2008-08-22 16:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-22 04:31 . 2008-08-22 16:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-21 23:46 . 2008-08-22 15:59 979,327,436 --a------ C:\WeddingLoveStory.wmv
2008-08-21 23:46 . 2008-08-21 23:47 978,711,316 --a------ C:\WeddingLoveStoryOld.wmv
2008-08-21 16:42 . 2008-08-21 16:42 <DIR> d-------- C:\Documents and Settings\Mayya\Application Data\Media Player Classic
2008-08-21 13:59 . 2008-08-21 14:00 <DIR> d-------- C:\Documents and Settings\Grisha\Application Data\Canon
2008-08-21 13:37 . 2008-08-21 14:23 <DIR> d-------- C:\Documents and Settings\Grisha\Application Data\muvee Technologies
2008-08-19 01:06 . 2008-08-24 15:32 <DIR> d-------- C:\Program Files\ImTOO
2008-08-19 01:06 . 2008-08-19 01:06 <DIR> d-------- C:\Documents and Settings\Lesha\Application Data\ImTOO Software Studio
2008-08-18 22:50 . 2008-08-18 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Movavi Video Converter 6
2008-08-18 09:17 . 2008-08-18 09:17 <DIR> d-------- C:\Documents and Settings\Mayya\Application Data\Yahoo!
2008-08-18 08:53 . 2008-08-18 08:53 <DIR> d-------- C:\Documents and Settings\Mayya\Application Data\DivX
2008-08-18 03:43 . 2008-08-18 08:57 <DIR> d-------- C:\Documents and Settings\Mayya\Application Data\muvee Technologies
2008-08-17 16:28 . 2008-08-31 21:48 <DIR> d-------- C:\Program Files\Boilsoft Video Splitter
2008-08-17 16:02 . 2008-08-17 16:02 <DIR> d-------- C:\Program Files\Pegasus Media Software
2008-08-17 14:26 . 2008-08-17 14:26 268 --ah----- C:\sqmdata03.sqm
2008-08-17 14:26 . 2008-08-17 14:26 244 --ah----- C:\sqmnoopt03.sqm
2008-08-17 14:18 . 2008-08-17 14:18 <DIR> d-------- C:\Program Files\WMVJoiner
2008-08-17 13:39 . 2008-08-17 13:39 268 --ah----- C:\sqmdata02.sqm
2008-08-17 13:39 . 2008-08-17 13:39 244 --ah----- C:\sqmnoopt02.sqm
2008-08-17 12:55 . 2008-08-21 13:51 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-17 11:35 . 2008-08-17 11:35 268 --ah----- C:\sqmdata01.sqm
2008-08-17 11:35 . 2008-08-17 11:35 244 --ah----- C:\sqmnoopt01.sqm
2008-08-17 02:53 . 2008-08-17 02:53 268 --ah----- C:\sqmdata00.sqm
2008-08-17 02:53 . 2008-08-17 02:53 244 --ah----- C:\sqmnoopt00.sqm
2008-08-16 23:31 . 2008-08-17 13:17 <DIR> d-------- C:\Documents and Settings\Lesha\Contacts
2008-08-16 23:22 . 2008-08-16 23:30 <DIR> d-------- C:\Program Files\Windows Live
2008-08-16 23:22 . 2008-08-16 23:29 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-16 23:22 . 2008-08-16 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-16 14:00 . 2008-08-16 14:00 <DIR> d-------- C:\Documents and Settings\Grisha\Application Data\Sony
2008-08-16 14:00 . 2008-08-16 14:00 <DIR> d-------- C:\Documents and Settings\Grisha\Application Data\Publish Providers
2008-08-16 13:54 . 2008-08-16 13:54 <DIR> d-------- C:\Documents and Settings\Alenka\Application Data\Sony
2008-08-16 13:54 . 2008-08-16 13:54 <DIR> d-------- C:\Documents and Settings\Alenka\Application Data\Publish Providers
2008-08-15 02:18 . 2008-08-15 02:18 <DIR> d-------- C:\Program Files\MagicISO
2008-08-11 01:32 . 2008-08-17 16:45 <DIR> d-------- C:\My Music
2008-08-11 01:24 . 2008-08-22 13:38 <DIR> d-------- C:\Program Files\MP3 Wav Editor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 23:28 --------- d-----w C:\Program Files\PowerArchiver
2008-08-31 19:27 --------- d-----w C:\Program Files\MediaCoder
2008-08-30 15:21 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-30 01:28 --------- d-----w C:\Documents and Settings\Lesha\Application Data\TransLite
2008-08-29 01:28 --------- d-----w C:\Documents and Settings\Lesha\Application Data\Move Networks
2008-08-21 18:25 --------- d-----w C:\Documents and Settings\Mayya\Application Data\translite
2008-08-21 17:35 --------- d-----w C:\Documents and Settings\Grisha\Application Data\translite
2008-08-19 21:50 --------- d-----w C:\Documents and Settings\Lesha\Application Data\Vso
2008-08-19 16:54 --------- d-----w C:\Documents and Settings\Lesha\Application Data\dvdcss
2008-08-19 07:02 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-19 05:39 --------- d-----w C:\Documents and Settings\Lesha\Application Data\Sony
2008-08-18 07:41 --------- d-----w C:\Documents and Settings\Mayya\Application Data\Roxio
2008-08-18 00:41 --------- d-----w C:\Documents and Settings\Lesha\Application Data\Canon
2008-08-16 16:24 --------- d-----w C:\Documents and Settings\Alenka\Application Data\translite
2008-08-15 06:24 --------- d-----w C:\Program Files\Sony Setup
2008-08-15 06:24 --------- d-----w C:\Program Files\Sony
2008-08-13 05:06 --------- d-----w C:\Program Files\avi.NET
2008-08-03 00:26 --------- d--h--r C:\Documents and Settings\Grisha\Application Data\yahoo!
2008-08-03 00:21 --------- d--h--r C:\Documents and Settings\Alenka\Application Data\yahoo!
2008-07-30 03:41 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-07-30 03:41 --------- d-----w C:\Program Files\AVS4YOU
2008-07-29 07:02 --------- d-----w C:\Program Files\Microsoft Works
2008-07-29 03:10 --------- d-----w C:\Documents and Settings\Lesha\Application Data\muvee Technologies
2008-07-29 00:51 --------- d-----w C:\Program Files\bobyte
2008-07-29 00:40 --------- d-----w C:\Documents and Settings\Lesha\Application Data\AVS4YOU
2008-07-29 00:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-07-28 02:14 --------- dc-h--w C:\Documents and Settings\All Users\Application Data\{8928E3C2-3767-4ADC-B470-9B87A98E3B0D}
2008-07-28 02:14 --------- d-----w C:\Program Files\Blaze Media Pro
2008-07-28 01:59 --------- d-----w C:\Program Files\TVU Player
2008-07-25 04:00 --------- d-----w C:\Documents and Settings\Lesha\Application Data\Publish Providers
2008-07-25 03:27 --------- d-----w C:\Program Files\Vstplugins
2008-07-25 03:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-07-18 06:04 --------- d-----w C:\Documents and Settings\Lesha\Application Data\Roxio
2008-07-18 04:39 --------- d-----w C:\Program Files\DivX
2008-07-17 07:01 --------- d-----w C:\Program Files\MSXML 6.0
2008-07-16 03:16 --------- d-----w C:\Program Files\muvee Technologies
2008-07-16 03:16 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2008-07-16 03:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\muvee Technologies
2008-07-16 03:13 --------- d-----w C:\Program Files\MSBuild
2008-07-16 03:11 --------- d-----w C:\Program Files\Reference Assemblies
2008-07-15 05:55 --------- d-----w C:\Program Files\Photodex Presenter
2008-07-15 05:55 --------- d-----w C:\Documents and Settings\Lesha\Application Data\Netscape
2008-07-09 04:45 --------- d--h--r C:\Documents and Settings\Lesha\Application Data\yahoo!
2008-07-09 04:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-09 03:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-04-16 00:51 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-04-08 02:23 47,360 ----a-w C:\Documents and Settings\Lesha\Application Data\pcouffin.sys
2007-10-10 18:38 10,666 ----a-w C:\Program Files\uninstal.log
2007-06-08 03:57 87,608 ----a-w C:\Documents and Settings\Lesha\Application Data\ezpinst.exe
2005-09-02 04:34 56 --sh--r C:\WINDOWS\system32\49AF5AB142.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerArchiver Tray"="C:\Program Files\PowerArchiver\PASTARTER.EXE" [2007-02-22 139816]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-01-24 180269]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"GUpload"="C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\GRAS301\GUpload.exe" [2003-08-22 122880]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TransLite Dictionary.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TransLite Dictionary.lnk
backup=C:\WINDOWS\pss\TransLite Dictionary.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2008-07-17 16:23 266497 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-10-12 17:54 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-09-16 16:41 1961984 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ROVATray]
--a------ 2007-02-09 08:00 143360 C:\Program Files\ROVA\rovatray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2003-07-15 13:38 319488 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-12-09 19:24 868352 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-05-01 19:44 65536 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Totalcmd\\TOTALCMD.EXE"=
"C:\\Program Files\\Ahead\\Nero\\nero.exe"=
"C:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\TVU Player\\TVUPlayer.exe"=
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupXu.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"E:\\Gateway Image\\Games\\Electronic Arts\\Sports Car GT Demo\\Spcar.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 Neoteris Setup Service;Neoteris Setup Service;C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe [2006-09-25 36864]
R2 ROVA_Srvc;ROVA Service;C:\Program Files\ROVA Update\rovasrvc.exe [2006-11-09 83536]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2006-09-25 23552]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\BCM4E5.SYS [2001-08-17 26568]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66734c8a-106c-11db-807f-001111b8cd87}]
\Shell\AutoRun\command - H:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f90610d8-13b1-11db-99d7-001111b8cd87}]
\Shell\AutoRun\command - H:\JDSecure\Windows\JDSecure31.exe
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-06 12:14:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-09-06 12:19:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-06 16:19:03
ComboFix2.txt 2008-09-06 15:26:47

Pre-Run: 6,833,000,448 bytes free
Post-Run: 6,874,902,528 bytes free

357 --- E O F --- 2008-08-21 16:53:25



Latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:38 PM, on 9/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
C:\Program Files\ROVA Update\rovasrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackThis\Leshka.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.ml.com:8083
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [GUpload] C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\GRAS301\GUpload.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 7208574453
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Neoteris Setup Service - Juniper Networks - C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
O23 - Service: ROVA Service (ROVA_Srvc) - Quintech, Inc. - C:\Program Files\ROVA Update\rovasrvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)

--
End of file - 8935 bytes
Leshka
Regular Member
 
Posts: 32
Joined: May 20th, 2008, 11:23 am