Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Help!! First post here!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Help!! First post here!

Unread postby Rebel XT » June 29th, 2007, 2:40 pm

Hi everyone. I've tried EVERYTHING in my powers to fix my computer, but it's truly gone downhill. Tried installing Norton, Mcaffee, BitDefender, Ad-Aware, Registry Fix, Spybot, Webroot Spysweeper (which oddly enough showed a trojan that was caught with bitdefender?)....tried running them in safe mode, nothing helps! I tried trend Housecall, but can't seem to get through the scanning without it freezing up.

Basically what I'm running into is random computer resets, firefox and IE7 closing constantly (i'm surprised firefox has stayed on long enough for me to post this). Things were going fine a while back, then all hell broke loose when I did some upgrades to the computer. Not sure if it had anything to do with the upgrades, could merely have been coincidental. I added a 512mb ram card, upgraded my video card.

Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:21:54 AM, on 6/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\windows\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\windows\soundman.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\WINDOWS\System32\WISPTIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] "C:\Program Files\Microsoft IntelliPoint" 4.1\Mouse\SETUP\MSH\Mouse\point32.exe
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [RegPure] "C:\Program Files\RegistryPurifier\bin\Release\RgPurify.exe" -startup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe"
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogle\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogle\google.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remote.cintas.com/dana-cached/s ... tupSP1.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... owdown.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


Any help or guidance would much much appreciated.
Thanks!

XT
Rebel XT
Active Member
 
Posts: 8
Joined: June 29th, 2007, 4:03 am
Advertisement
Register to Remove

Unread postby Rebel XT » June 30th, 2007, 7:18 pm

Sorry don't mean to bump my own thread, but I noticed there's quite a few 'views' but on one's responded yet. Am I doing something wrong? Is that the right hijack log?

Thanks for the help!!

XT
Rebel XT
Active Member
 
Posts: 8
Joined: June 29th, 2007, 4:03 am

Unread postby Trogan » July 1st, 2007, 3:13 am

Hi Rebel XT,

Your HijackThis log is clean.

It is not uncommon for problems like the ones you describe to occur after hardware upgrades. I would start be ensuring that everything within your case is securely seated and that no cable or component is loose.
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Trogan » July 4th, 2007, 1:32 pm

Have you managed to sort out this problem?

Please let me know.
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Rebel XT » July 4th, 2007, 3:54 pm

Hi Trogan,

I pulled out my computer casing and made sure all cards/cables were in tight, and still have the problem. Firefox will shut down randomly (it hasnt done so for a day now) and the error report box/prompt will pop up. Seems to happen more often with media files (ie., viewing google, or trying to watch wmv embedded video on sites).

Another problem that happens is when i'm browsing through my video folders and click on a videoclip, it'll play fine through VLC player, but the windows explorer will close down and reload (causing icons in the lower right hand taskbar to be missing).

Tried running Spybot with the latest updates, it found a few items to remove, but i believe they were mostly various tracking cookies (funweb, etc).


I'm not really sure what to do .... thanks for the help!
Rebel XT
Active Member
 
Posts: 8
Joined: June 29th, 2007, 4:03 am

Unread postby Trogan » July 4th, 2007, 4:22 pm

Hi Rebel XT,

Lets check what's going on.

Please download this file to your Desktop - combofix.exe
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Also, post a new HijackThis log.
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Rebel XT » July 5th, 2007, 12:47 am

Hi Trogan,

ComboFIX log:


"User" - 2007-07-04 21:01:39 - ComboFix 07-07-04.4 - Service Pack 2 FAT32


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NM
-------\nm


((((((((((((((((((((((((( Files Created from 2007-06-05 to 2007-07-05 )))))))))))))))))))))))))))))))


2007-07-04 20:45 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-06-29 01:18 <DIR> d-------- C:\Program Files\TrojanHunter 4.7
2007-06-28 15:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-28 10:44 <DIR> d-------- C:\Program Files\XoftSpySE
2007-06-28 04:01 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-06-28 03:48 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Talkback
2007-06-28 03:36 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Bitdefender
2007-06-26 18:35 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\dvdcss
2007-06-24 20:01 <DIR> d-------- C:\Program Files\RegistryFix
2007-06-20 18:56 <DIR> d--hs---- C:\FOUND.006
2007-06-20 15:32 <DIR> d--hs---- C:\FOUND.005
2007-06-15 01:21 <DIR> d--hs---- C:\FOUND.004
2007-06-12 13:43 <DIR> d-------- C:\spoolerlogs
2007-06-12 12:11 <DIR> d-------- C:\Program Files\Xilisoft
2007-06-10 01:46 <DIR> d-------- C:\Program Files\CD-DA X-Tractor
2007-06-04 17:47 <DIR> d--hs---- C:\FOUND.003
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-05 04:22:20 81,984 ----a-w C:\windows\system32\bdod.bin
2007-07-01 19:00:56 913,408 ----a-w C:\windows\system32\xreglib.dll
2007-06-28 11:01:58 76,560 ----a-w C:\windows\system32\drivers\tmcomm.sys
2007-05-23 06:11:08 96,256 ----a-w C:\windows\system32\drivers\sptd1117.sys
2007-05-18 15:53:22 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Bitdefender
2007-05-16 15:12:02 683,520 ----a-w C:\windows\system32\inetcomm.dll
2007-05-12 16:53:58 -------- d-----w C:\Program Files\WinAVI VideoConverter
2007-04-25 14:21:16 144,896 ----a-w C:\windows\system32\schannel.dll
2007-04-18 16:12:24 2,854,400 ----a-w C:\windows\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\windows\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\windows\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\windows\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\windows\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\windows\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\windows\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\windows\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\windows\system32\wups2.dll
2007-04-13 22:19:52 7,680 ----a-w C:\windows\system32\lsdelete.exe
2001-08-18 19:00:00 94,784 --sh--w C:\windows\twain.dll
2004-08-04 07:56:48 50,688 --sh--w C:\windows\twain_32.dll
2004-08-04 07:56:44 1,028,096 --sh--w C:\windows\system32\mfc42.dll
2004-08-04 07:56:56 11,776 --sh--w C:\windows\system32\regsvr32.exe
2004-08-04 07:56:44 54,784 --sh--w C:\windows\system32\msvcirt.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-05-15 00:47 50376 --a------ C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}]
2006-10-30 22:55 1803720 --a------ C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
2006-04-17 13:32 323904 --a------ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
2003-05-15 01:03 147456 --a------ C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf00e119-21a3-4fd1-b178-3b8537e75c92}]
2007-02-15 19:25 110592 --a------ C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="soundman.exe" [2001-05-29 10:02 C:\WINDOWS\soundman.exe]
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [2007-05-24 17:45]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-05-18 13:05]
"WheelMouse"="C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" [2002-03-11 18:11]
"RegPure"="C:\Program Files\RegistryPurifier\bin\Release\RgPurify.exe" [2004-09-29 22:26]
"THGuard"="C:\Program Files\TrojanHunter 4.7\THGuard.exe" [2007-06-23 00:19]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-06-10 01:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-18 09:57]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 17:35]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-09 19:34]
"POINTER"="C:\Program Files\Microsoft IntelliPoint 4.1\Mouse\SETUP\MSH\Mouse\point32.exe" [2002-04-11 11:47]
"LogonStudio"="C:\Program Files\LogonStudio\logonstudio.exe" [2002-09-03 18:38]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 01:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 00:56]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\nbj.exe" [2004-11-10 18:02]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-09-01 18:52]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2002-06-18 22:52]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup


*Newly Created Service* - HTTPFILTER

Contents of the 'Scheduled Tasks' folder
2007-07-04 00:56:04 C:\windows\tasks\XoftSpySE.job
2007-07-05 04:24:40 C:\windows\tasks\XoftSpySE 2.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-04 21:25:09
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-04 21:30:48 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-04 21:30

--- E O F ---



HijackThis LOG:

Logfile of HijackThis v1.99.1
Scan saved at 9:45:20 PM, on 7/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\windows\System32\nvsvc32.exe
C:\windows\Explorer.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\windows\soundman.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\windows\System32\svchost.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [RegPure] "C:\Program Files\RegistryPurifier\bin\Release\RgPurify.exe" -startup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] "C:\Program Files\Microsoft IntelliPoint" 4.1\Mouse\SETUP\MSH\Mouse\point32.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe"
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogle\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogle\google.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remote.cintas.com/dana-cached/s ... tupSP1.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... owdown.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)



Thanks for all the help Trogan. Let me know what I need to do!

Also, thanks to anyone else that chimes in.

XT
Rebel XT
Active Member
 
Posts: 8
Joined: June 29th, 2007, 4:03 am

Unread postby Trogan » July 5th, 2007, 6:25 am

Hi Rebel XT,

Is there a reason why your computer is using the FAT32 file system instead of NTFS? Please let me know.

Also, you're using Megaupload Toolbar. Here is some info on it. This may or may not have something to do with the browser crashes. I suggest uninstalling it via Add/Remove programs for a short period atleast and see how the computer behaves.

Please do the following...

1. Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HiajckThis

2. Your Java is outdated. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6u2.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

3. Open Notepad and copy/paste the text in the Quote Box below into it:

Folder::
C:\FOUND.006
C:\FOUND.005
C:\FOUND.004
C:\FOUND.003

Save this as "CFScript" to your Desktop!

Image

Refering to the picture above, drag CFScript into ComboFix.exe.

ComboFix.exe will run again, and produce a new log. Post this, along with a new HijackThis log and answers to the above question.
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Rebel XT » July 9th, 2007, 5:07 am

Hi Trogan,

My system's hard drive came as a FAT32 system from the place I bought it from (~5 years ago). It was actually split into 2 partions (c: & d:). I do have an external hard drive that added on not too long ago that I formatted as an NTFS drive.

What's the difference between fat32 and ntfs?

As for the Megaupload Toolbar, that was just installed when I installed the megaupload download manager. I have now uninstalled the toolbar.

I performed the hijack fix, and uninstalled all java related items and installed the new version as instructed.

Here are the new logs:

HIJACKTHIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 1:39:01 AM, on 7/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\windows\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\windows\soundman.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\windows\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL (file missing)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [RegPure] "C:\Program Files\RegistryPurifier\bin\Release\RgPurify.exe" -startup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] "C:\Program Files\Microsoft IntelliPoint" 4.1\Mouse\SETUP\MSH\Mouse\point32.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe"
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogle\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogle\google.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remote.cintas.com/dana-cached/s ... tupSP1.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... owdown.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)





ComboFIX LOG:

"User" - 2007-07-09 1:25:31 - ComboFix 07-07-04.4 - Service Pack 2 FAT32
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\FOUND.003
C:\FOUND.003\FILE0000.CHK
C:\FOUND.004
C:\FOUND.004\FILE0000.CHK
C:\FOUND.004\FILE0001.CHK
C:\FOUND.004\FILE0002.CHK
C:\FOUND.004\FILE0003.CHK
C:\FOUND.004\FILE0004.CHK
C:\FOUND.004\FILE0005.CHK
C:\FOUND.004\FILE0006.CHK
C:\FOUND.004\FILE0007.CHK
C:\FOUND.004\FILE0008.CHK
C:\FOUND.004\FILE0009.CHK
C:\FOUND.004\FILE0010.CHK
C:\FOUND.004\FILE0011.CHK
C:\FOUND.004\FILE0012.CHK
C:\FOUND.005
C:\FOUND.005\FILE0000.CHK
C:\FOUND.005\FILE0001.CHK
C:\FOUND.006
C:\FOUND.006\FILE0000.CHK
C:\FOUND.006\FILE0001.CHK
C:\FOUND.006\FILE0002.CHK
C:\FOUND.006\FILE0003.CHK
C:\FOUND.006\FILE0004.CHK


((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 )))))))))))))))))))))))))))))))


2007-07-08 18:28 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-07-05 16:59 <DIR> d--hs---- C:\FOUND.007
2007-07-04 20:45 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-06-29 01:18 <DIR> d-------- C:\Program Files\TrojanHunter 4.7
2007-06-28 15:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-28 10:44 <DIR> d-------- C:\Program Files\XoftSpySE
2007-06-28 04:01 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-06-28 03:48 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Talkback
2007-06-28 03:36 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Bitdefender
2007-06-26 18:35 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\dvdcss
2007-06-24 20:01 <DIR> d-------- C:\Program Files\RegistryFix
2007-06-12 13:43 <DIR> d-------- C:\spoolerlogs
2007-06-12 12:11 <DIR> d-------- C:\Program Files\Xilisoft
2007-06-10 01:46 <DIR> d-------- C:\Program Files\CD-DA X-Tractor


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-09 08:30:02 81,984 ----a-w C:\windows\system32\bdod.bin
2007-07-01 19:00:56 913,408 ----a-w C:\windows\system32\xreglib.dll
2007-06-28 11:01:58 76,560 ----a-w C:\windows\system32\drivers\tmcomm.sys
2007-06-04 22:18:48 9,344 ----a-w C:\windows\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\windows\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\windows\system32\drivers\AWRTPD.sys
2007-05-23 06:11:08 96,256 ----a-w C:\windows\system32\drivers\sptd1117.sys
2007-05-18 15:53:22 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Bitdefender
2007-05-16 15:12:02 683,520 ----a-w C:\windows\system32\inetcomm.dll
2007-05-12 16:53:58 -------- d-----w C:\Program Files\WinAVI VideoConverter
2007-04-25 14:21:16 144,896 ----a-w C:\windows\system32\schannel.dll
2007-04-18 16:12:24 2,854,400 ----a-w C:\windows\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\windows\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\windows\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\windows\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\windows\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\windows\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\windows\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\windows\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\windows\system32\wups2.dll
2007-04-13 22:19:52 7,680 ----a-w C:\windows\system32\lsdelete.exe
2001-08-18 19:00:00 94,784 --sh--w C:\windows\twain.dll
2004-08-04 07:56:48 50,688 --sh--w C:\windows\twain_32.dll
2004-08-04 07:56:44 1,028,096 --sh--w C:\windows\system32\mfc42.dll
2004-08-04 07:56:56 11,776 --sh--w C:\windows\system32\regsvr32.exe
2004-08-04 07:56:44 54,784 --sh--w C:\windows\system32\msvcirt.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-05-15 00:47 50376 --a------ C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}]
C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-06-14 18:32 509592 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
2006-04-17 13:32 323904 --a------ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
2003-05-15 01:03 147456 --a------ C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf00e119-21a3-4fd1-b178-3b8537e75c92}]
2007-02-15 19:25 110592 --a------ C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="soundman.exe" [2001-05-29 10:02 C:\WINDOWS\soundman.exe]
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [2007-05-24 17:45]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-05-18 13:05]
"WheelMouse"="C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" [2002-03-11 18:11]
"RegPure"="C:\Program Files\RegistryPurifier\bin\Release\RgPurify.exe" [2004-09-29 22:26]
"THGuard"="C:\Program Files\TrojanHunter 4.7\THGuard.exe" [2007-06-23 00:19]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-06-10 01:24]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-18 09:57]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 17:35]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-09 19:34]
"POINTER"="C:\Program Files\Microsoft IntelliPoint 4.1\Mouse\SETUP\MSH\Mouse\point32.exe" [2002-04-11 11:47]
"LogonStudio"="C:\Program Files\LogonStudio\logonstudio.exe" [2002-09-03 18:38]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 01:21]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-06-14 18:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 00:56]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\nbj.exe" [2004-11-10 18:02]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-09-01 18:52]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2002-06-18 22:52]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup



Contents of the 'Scheduled Tasks' folder
2007-07-07 17:55:42 C:\windows\tasks\XoftSpySE.job
2007-07-09 02:02:50 C:\windows\tasks\XoftSpySE 2.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-09 01:32:34
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-09 1:34:20
C:\ComboFix2.txt ... 2007-07-04 21:30
C:\ComboFix-quarantined-files.txt ... 2007-07-09 01:34

--- E O F ---



Thanks for taking the time to help! Truly appreciate it :) :D
Rebel XT
Active Member
 
Posts: 8
Joined: June 29th, 2007, 4:03 am

Unread postby Trogan » July 9th, 2007, 3:26 pm

Hi Rebel XT,

Regarding Fat32 and NTFS, here is one article and another from Microsoft. Let me know what you decide regarding this.

Find and delete the following Folder...

C:\FOUND.007 <-- This folder

Apart from that, I don't see much wrong. How is the computer?
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Rebel XT » July 10th, 2007, 2:43 am

Trogan,

Seems to me that NTFS is the way to go, and that the only reason my system files are FAT32 is due to the low budget store from which I bought the computer from had to upgrade win 98 system to an XP system?

I've deleted the found.007 folder.

My system reset on its own both times towards the end of a spybot S&D scan where it seem to hang while scanning bookmarks. Other than that, I haven't experienced a browser shut down yet (I haven't gone onto media-heavy sites though either, like break and gorillamask).

In your opinion, should I convert my C: and D: (one HD) to NTFS format?
Rebel XT
Active Member
 
Posts: 8
Joined: June 29th, 2007, 4:03 am

Unread postby Rebel XT » July 10th, 2007, 2:55 am

edit: Firefox just crashed while browsing some online forums.

No embedded media on the page except for some pictures, and multiple tabs going at once.

Should I uninstall and reinstall the newest version of firefox? When I had Opera installed it was crashing as well.
Rebel XT
Active Member
 
Posts: 8
Joined: June 29th, 2007, 4:03 am

Unread postby Trogan » July 10th, 2007, 7:41 am

Hi Rebel XT,

The browser crashes do not look malware related. I suggesting visiting CastleCops Software forum and asking there. I would go with the NTFS format, but also ask this question at CastleCops.

Please keep me informed on how things go.
Good luck!
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Rebel XT » July 10th, 2007, 6:34 pm

What's the process for converting from fat32 to ntfs? I understand that once you go NTFS, there's no turning back! Will I lose any data/functionality/anything with the switch?

So I guess my system is acting like it's infected, without actually being infected.
:?

Thanks for all your help Trogan
Rebel XT
Active Member
 
Posts: 8
Joined: June 29th, 2007, 4:03 am

Unread postby Trogan » July 11th, 2007, 1:22 pm

Hi Rebel XT,

So I guess my system is acting like it's infected, without actually being infected.

We can run another scan or two, if you want?

What's the process for converting from fat32 to ntfs?

Two articles that will explain how:
http://support.microsoft.com/kb/307881
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/choosing_between_ntfs_fat_and_fat32.mspx?mfr=true

Let me know how you would like to proceed. :)
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 289 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware