Welcome to MalwareRemoval.com

Virus problem

Post by Renauldo » April 25th, 2008, 12:33 pm

I recently got something, don't know what it is (virus, spyware), but my PC is slow as anything and I have bad adware as well. Here's my HJT log.

-Thanks for the help :)



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32, on 2008-04-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\All Users\Application Data\fmhcrgbq\finipaxu.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon07.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WinSpooler.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WinSpooler.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\dkhuhctc.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iHotKey\iHotKey.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: DVA Gate - {7A6FD945-14B0-41F8-84FB-74DEF17528BB} - C:\WINDOWS\qnmargolxgn.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: dpevflbg - {B21EAD36-EC0C-4B82-B102-1AB20B481977} - C:\WINDOWS\dpevflbg.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [HPHUPD07] C:\Program Files\HP\{C8EEAA89-0A3E-441f-B646-17A46F5D6954}\hphupd07.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon07] C:\WINDOWS\system32\hphmon07.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [DesktopX] "C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX.exe"
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [jeevjbhk] C:\WINDOWS\system32\zslevmpg.exe
O4 - HKCU\..\Run: [njouqtou] C:\WINDOWS\system32\bsvaxsfk.exe
O4 - HKCU\..\Run: [skripaah] C:\WINDOWS\system32\dkhuhctc.exe
O4 - HKCU\..\Run: [ygvwxqom] C:\WINDOWS\system32\gzchmtcf.exe
O4 - HKLM\..\Policies\Explorer\Run: [BooBbulTL5] C:\Documents and Settings\All Users\Application Data\fmhcrgbq\finipaxu.exe
O4 - HKCU\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinSpooler.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: iHotKey.lnk = C:\Program Files\iHotKey\iHotKey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9470509437
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byXNhfeE - byXNhfeE.dll (file missing)
O20 - Winlogon Notify: jkkHXNEV - jkkHXNEV.dll (file missing)
O20 - Winlogon Notify: jkkIYoMg - jkkIYoMg.dll (file missing)
O20 - Winlogon Notify: xxywwwv - xxywwwv.dll (file missing)
O21 - SSODL: wdpoefan - {2EB5183C-2C21-4B24-952B-59148D54F6E9} - C:\WINDOWS\wdpoefan.dll
O21 - SSODL: vadokmxt - {1D34BBDA-E574-49FE-8EB1-D8D049853F07} - C:\WINDOWS\vadokmxt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 10016 bytes
Renauldo
Active Member
 
Posts: 10
Joined: April 25th, 2008, 12:28 pm
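
Added example for this thread (not part of HijackThis or of any post): a small Python triage script that applies the checks a helper makes by eye on a log like the one above, namely load points whose file is missing, autostarts under Policies\Explorer\Run, and random-looking names, and reports the reasons for a human to review. The scoring rules are assumptions of this example, not HijackThis logic; the sample input is a handful of lines copied from the log above.

```python
"""Triage heuristics for HijackThis (HJT) log entries.

Added example for this thread, not part of HijackThis or of any post: it
applies the checks a helper makes by eye on a log like the one above and
returns reasons for a human to review. Every rule here is a heuristic
assumption; a flag is a prompt to investigate, not a verdict.
"""
import re
from dataclasses import dataclass

# Sample input: lines copied from the HJT log posted above, mixing
# legitimate load points with the suspicious ones.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: DVA Gate - {7A6FD945-14B0-41F8-84FB-74DEF17528BB} - C:\WINDOWS\qnmargolxgn.dll
O3 - Toolbar: dpevflbg - {B21EAD36-EC0C-4B82-B102-1AB20B481977} - C:\WINDOWS\dpevflbg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [jeevjbhk] C:\WINDOWS\system32\zslevmpg.exe
O4 - HKLM\..\Policies\Explorer\Run: [BooBbulTL5] C:\Documents and Settings\All Users\Application Data\fmhcrgbq\finipaxu.exe
O4 - HKCU\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: jkkHXNEV - jkkHXNEV.dll (file missing)
O21 - SSODL: wdpoefan - {2EB5183C-2C21-4B24-952B-59148D54F6E9} - C:\WINDOWS\wdpoefan.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>[OR]\d+) - (?P<rest>.*)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
VOWELS = set("aeiou")


@dataclass
class Finding:
    code: str      # HJT section, e.g. "O4"
    name: str      # the entry's display name as HJT prints it
    reasons: list  # human-readable reasons the entry was flagged


def looks_random(token: str) -> bool:
    """Heuristic for machine-generated names such as 'zslevmpg': all
    lowercase letters, 8+ long, with a run of 4+ consonants or very few
    vowels. Ordinary words ('explorer', 'services') pass."""
    if len(token) < 8 or not token.isalpha() or not token.islower():
        return False
    vowel_frac = sum(c in VOWELS for c in token) / len(token)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", token)), default=0)
    return longest_run >= 4 or vowel_frac <= 0.25


def entry_name(code: str, rest: str) -> str:
    """Display name: the [bracketed] value name for O4 entries, otherwise
    the text between the section label and the first ' - '."""
    if code == "O4":
        m = O4_RE.match(rest)
        return m.group("name") if m else ""
    return rest.split(": ", 1)[-1].split(" - ")[0]


def path_tokens(text: str):
    """Yield bare name components of every path in the entry, extension
    stripped, so folders like 'fmhcrgbq' are examined as well as files."""
    for tok in re.split(r'[\\/ ,"]+', text):
        yield tok.rsplit(".", 1)[0]


def triage_line(line: str):
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.group("code"), m.group("rest")
    name = entry_name(code, rest)
    reasons = []
    if "(file missing)" in rest:
        reasons.append("load point refers to a file that no longer exists")
    if code == "O4" and "Policies\\Explorer\\Run" in rest:
        reasons.append("autostart via Policies\\Explorer\\Run, rarely used by legitimate software")
    if name.isalpha() and name.islower() and len(name) >= 8:
        reasons.append(f"lowercase, meaningless entry name '{name}'")
    odd = sorted({t for t in path_tokens(rest) if looks_random(t)})
    if odd:
        reasons.append("random-looking path component(s): " + ", ".join(odd))
    return Finding(code, name, reasons) if reasons else None


def triage(log: str) -> list:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(l) for l in log.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4}{f.name!r}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run on the full log it also flags the O4 entries njouqtou, skripaah and ygvwxqom and the O21 vadokmxt entry; a terse legitimate vendor name can trip the lexical rule too, which is why the output is a review list rather than a removal list.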

Re: Virus problem

Post by peku006 » April 25th, 2008, 3:56 pm

Welcome to the MWR forums. My name is peku006. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research. Please be patient and I'd be grateful if you would note the following:

1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic. Please stay at one forum for help.
3. Please continue reading posts until I give the All Clear. It is important to note this, as a clean looking HijackThis is not always a sign your system is clean.

Note: I am still in training here at Malware Removal, however I will be working under the direct supervision of one of our Malware Experts. Any recommendations will first be approved before being given to you. Because of this, there may be a short delay in getting our responses to you, however be assured that we will be working diligently on your problem.
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Virus problem

Post by peku006 » April 26th, 2008, 9:38 am

Hello Renauldo

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible.
Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.


1 - Spysweeper

Please disable SpySweeper as it may interfere with the fix.
  • Open SpySweeper
  • Click Options
  • Click program options
  • Uncheck load at windows startup
  • On the left click shields and uncheck all there
  • Uncheck home page shield
  • Uncheck automatically restore default without notification
  • Close SpySweeper
Don't forget to re-enable it, when your computer is clean.



2 - SDFix

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

3 - Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

4 - Run SDFix

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

5 - Scan With ComboFix

Please visit this webpage for download links, and instructions for running ComboFix -

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says -

The Recovery Console was successfully installed.

Please continue as follows -

  • Close/Disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

6 - Status Check
Please reply with

1. the SDFix Report.txt
2. the ComboFix log
3. a fresh HijackThis log
Please let me know how your PC is now.

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Virus problem

Post by Renauldo » April 27th, 2008, 1:23 am

Okey dokey. Got everything done and here's the results...
PC is doing better, but still not flawless (like I prefer :P )



SDFix report




SDFix: Version 1.175
Run by Benjamin Brouse on 2008-04-27 at 00:49

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Desktop\Error Cleaner.url - Deleted
C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Desktop\Privacy Protector.url - Deleted
C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Desktop\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\qnmargolxgn.dll - Deleted
C:\WINDOWS\dpevflbg.dll - Deleted
C:\WINDOWS\olgdqarf.exe - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\system32\WinSpooler.exe - Deleted
C:\WINDOWS\system32\winsystem.exe - Deleted
C:\WINDOWS\system32\WinUpdating.exe - Deleted
C:\WINDOWS\vadokmxt.dll - Deleted
C:\WINDOWS\wdpoefan.dll - Deleted
C:\WINDOWS\wxvgsdbq.exe - Deleted



Folder C:\WINDOWS\privacy_danger - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 01:02:10
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:24,be,cf,31,98,6e,2d,9b,8f,95,34,58,c2,e9,f9,c4,1f,89,88,eb,71,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 52\"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:24,be,cf,31,98,6e,2d,9b,8f,95,34,58,c2,e9,f9,c4,1f,89,88,eb,71,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 52\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:24,be,cf,31,98,6e,2d,9b,8f,95,34,58,c2,e9,f9,c4,1f,89,88,eb,71,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 52\"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000000c2
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wbsys.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\team fortress 2\\hl2.exe"="C:\\Program Files\\Steam\\SteamApps\\renauldo\\team fortress 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\SteamApps\\renauldo\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\day of defeat source\\hl2.exe"="C:\\Program Files\\Steam\\SteamApps\\renauldo\\day of defeat source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\SteamApps\\common\\dawn of war dark crusade\\darkcrusade.exe"="C:\\Program Files\\Steam\\SteamApps\\common\\dawn of war dark crusade\\darkcrusade.exe:*:Enabled:darkcrusade"
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"="C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe:*:Enabled:RelicCOH"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\BROOD\\StarCraft.exe"="C:\\Program Files\\BROOD\\StarCraft.exe:*:Enabled:Starcraft"
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\renauldo\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\condition zero\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\renauldo\\condition zero\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Sierra\\Counter-Strike\\cstrike.exe"="C:\\Sierra\\Counter-Strike\\cstrike.exe:*:Enabled:CounterStrike Launcher"
"C:\\Program Files\\Steam\\SteamApps\\common\\defcon\\defcon.exe"="C:\\Program Files\\Steam\\SteamApps\\common\\defcon\\defcon.exe:*:Enabled:Defcon"
"C:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"="C:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe:*:Enabled:Soulstorm"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Documents and Settings\\Benjamin Brouse.NIGHTCRAWLER\\My Documents\\toolbar of games\\uTorrent.exe"="C:\\Documents and Settings\\Benjamin Brouse.NIGHTCRAWLER\\My Documents\\toolbar of games\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"="C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD:*:Enabled:Age of Empires II"
"C:\\Documents and Settings\\Benjamin Brouse.NIGHTCRAWLER\\Desktop\\zsnesw.exe"="C:\\Documents and Settings\\Benjamin Brouse.NIGHTCRAWLER\\Desktop\\zsnesw.exe:*:Enabled:zsnesw"
"C:\\Program Files\\Unreal Tournament\\System\\UnrealTournament.icd"="C:\\Program Files\\Unreal Tournament\\System\\UnrealTournament.icd:*:Enabled:UnrealTournament"
"C:\\Program Files\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForever.exe"="C:\\Program Files\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForever.exe:*:Enabled:TmForever"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 4 Jan 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 1 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 30 Mar 2008 3,691 ...HR --- "C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!





ComboFix log


ComboFix 08-04-24.1 - Benjamin Brouse 2008-04-27 1:07:58.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1516 [GMT -4:00]
Running from: C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bmkwnkaa.dll
C:\WINDOWS\system32\gknqygvv.ini
C:\WINDOWS\system32\kmbfnkte.dll
C:\WINDOWS\system32\lemilxvv.dll
C:\WINDOWS\system32\ntslgtxi.dll
C:\WINDOWS\system32\pckavddx.dll
C:\WINDOWS\system32\qfcknpon.dll
C:\WINDOWS\system32\qogfbfrg.dll
C:\WINDOWS\system32\vvgyqnkg.dll
C:\WINDOWS\system32\vvxlimel.ini
C:\WINDOWS\system32\wpmhxpib.dll
C:\WINDOWS\system32\xxyvvTJA.dll
C:\WINDOWS\system32\yayxUmJy.dll
C:\WINDOWS\system32\yJmUxyay.ini
C:\WINDOWS\system32\yJmUxyay.ini2
.
---- Previous Run -------
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\gjPXFfhk.ini
C:\WINDOWS\system32\gjPXFfhk.ini2
C:\WINDOWS\system32\JTuBKnpo.ini
C:\WINDOWS\system32\JTuBKnpo.ini2
C:\WINDOWS\system32\khfFXPjg.dll
C:\WINDOWS\system32\rnpocyvu.ini
C:\WINDOWS\system32\uvycopnr.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-27 00:41 . 2008-04-27 00:42 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-27 00:39 . 2008-04-27 00:39 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-04-26 11:28 . 2008-04-27 01:05 <DIR> d-------- C:\SDFix
2008-04-24 21:55 . 2008-04-25 02:18 1,509,118 --ahs---- C:\WINDOWS\system32\wwmessow.ini
2008-04-24 18:23 . 2008-04-24 18:23 <DIR> d-------- C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\TmpRecentIcons
2008-04-24 17:14 . 2008-04-24 17:14 1,509,099 --ahs---- C:\WINDOWS\system32\ldsslklo.ini
2008-04-24 17:11 . 2008-04-24 17:11 <DIR> d-------- C:\Program Files\Exportizer
2008-04-24 17:07 . 2008-04-24 17:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fmhcrgbq
2008-04-24 07:24 . 2008-04-24 07:24 <DIR> d-------- C:\Program Files\DBF Manager
2008-04-24 07:24 . 2008-04-24 07:24 <DIR> d-------- C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\DBF Manager
2008-04-23 18:26 . 2008-04-23 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-04-23 07:13 . 2008-04-23 07:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-04-22 20:22 . 2008-04-22 20:22 <DIR> d-------- C:\WINDOWS\wb
2008-04-22 20:19 . 2008-04-22 20:19 <DIR> d-------- C:\WINDOWS\Start Menu
2008-04-22 20:19 . 2008-04-22 20:19 <DIR> d-------- C:\Program Files\HEAT
2008-04-22 20:19 . 1998-12-07 16:20 1,020,416 --a------ C:\WINDOWS\system32\WebPro32.ocx
2008-04-22 20:19 . 1996-10-15 18:01 298,496 --a------ C:\WINDOWS\uninst.exe
2008-04-22 20:19 . 1999-01-22 17:08 34,665 --a------ C:\WINDOWS\system32\ripx.vxd
2008-04-22 19:28 . 2008-04-22 19:28 <DIR> d-------- C:\Program Files\directx
2008-04-22 19:28 . 2008-04-22 19:28 0 --a------ C:\WINDOWS\DXT125.tmp
2008-04-22 19:28 . 2008-04-22 19:28 0 --a------ C:\WINDOWS\DXT124.tmp
2008-04-22 19:28 . 2008-04-22 19:28 0 --a------ C:\WINDOWS\DXT123.tmp
2008-04-22 19:28 . 2008-04-22 19:28 0 --a------ C:\WINDOWS\DXT122.tmp
2008-04-22 19:28 . 2008-04-22 19:28 0 --a------ C:\WINDOWS\DXT121.tmp
2008-04-22 19:28 . 2008-04-22 19:28 0 --a------ C:\WINDOWS\DXT120.tmp
2008-04-22 19:26 . 2008-04-22 19:28 <DIR> d-------- C:\Program Files\Unreal Tournament
2008-04-22 19:09 . 2008-04-22 19:09 <DIR> d-------- C:\Program Files\Common Files\HP
2008-04-22 19:08 . 2008-04-22 19:08 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-04-22 19:06 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-04-22 19:06 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-04-22 19:06 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-04-22 19:06 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-04-22 19:06 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-04-22 19:06 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-04-22 19:05 . 2008-04-22 19:08 <DIR> d-------- C:\Program Files\HP
2008-04-22 19:05 . 2008-04-22 19:10 49,099 --a------ C:\WINDOWS\HPHins07.dat
2008-04-22 19:05 . 2005-03-17 00:54 1,111 --------- C:\WINDOWS\hphmdl07.dat
2008-04-14 18:51 . 2008-04-14 18:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-14 18:51 . 2008-04-14 18:51 <DIR> d-------- C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\SUPERAntiSpyware.com
2008-04-14 16:17 . 2008-04-27 00:01 109,069 --a------ C:\WINDOWS\BM6349c440.xml
2008-04-10 07:06 . 2008-04-10 07:06 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-07 19:16 . 2008-04-07 19:16 <DIR> d-------- C:\Program Files\Image-Line
2008-04-07 19:16 . 2002-07-07 19:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-04-07 18:59 . 2008-04-10 17:40 37,888 --a------ C:\WINDOWS\system32\rar.exe
2008-04-06 21:43 . 2008-04-06 21:43 <DIR> d-------- C:\Program Files\FASoft
2008-04-06 21:43 . 2008-04-06 21:44 <DIR> d-------- C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\n-Track Studio
2008-04-06 20:21 . 2008-04-06 20:21 <DIR> d-------- C:\Program Files\LucasArts
2008-04-02 20:34 . 2008-04-02 20:34 <DIR> d-------- C:\Program Files\Free iPod Video Converter
2008-04-02 20:34 . 2004-05-25 17:06 417,792 --a------ C:\WINDOWS\system32\ac3filter.ax
2008-04-02 20:34 . 2005-02-27 21:48 356,352 --a------ C:\WINDOWS\system32\RealMediaSplitter.ax
2008-04-02 20:34 . 2004-01-10 17:02 258,048 --a------ C:\WINDOWS\system32\GplMpgDec.ax
2008-04-02 19:43 . 2008-04-24 21:55 <DIR> d-------- C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\LimeWire
2008-04-02 19:42 . 2008-04-02 19:42 <DIR> d-------- C:\Program Files\LimeWire
2008-03-31 21:44 . 2008-03-31 21:44 <DIR> d-------- C:\Program Files\OpenMortal
2008-03-31 18:48 . 2008-03-31 18:48 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 05:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 04:16 --------- d-----w C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\SiteAdvisor
2008-04-24 22:19 --------- d-----w C:\Program Files\Steam
2008-04-23 22:09 --------- d-----w C:\Program Files\PopCap Games
2008-04-22 01:01 --------- d-----w C:\Program Files\crayon
2008-04-14 22:51 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-14 22:07 --------- d-----w C:\Program Files\combofix
2008-04-11 00:29 --------- d-----w C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\Vso
2008-04-10 21:46 --------- d-----w C:\Program Files\Free FLV Converter
2008-04-07 23:36 --------- d-----w C:\Program Files\Microsoft Games
2008-04-07 01:39 --------- d-----w C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\Propellerhead Software
2008-04-07 00:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-06 17:13 --------- d-----w C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\uTorrent
2008-04-02 21:59 --------- d-----w C:\Program Files\BROOD
2008-04-02 03:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-30 15:42 --------- d-----w C:\Documents and Settings\Everyone Else\Application Data\SiteAdvisor
2008-03-27 18:30 --------- d-----w C:\Program Files\THQ
2008-03-26 17:47 --------- d-----w C:\Program Files\Common Files\stardock
2008-03-26 17:30 --------- d-----w C:\Program Files\Stardock
2008-03-26 17:28 --------- d-----w C:\Program Files\Object Desktop
2008-03-26 02:37 162,432 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2008-03-24 18:49 --------- d-----w C:\Program Files\Handbrake
2008-03-24 17:41 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2008-03-24 17:40 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-03-24 17:40 --------- d-----w C:\Program Files\AVS4YOU
2008-03-24 17:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-03-24 16:55 --------- d-----w C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\AVS4YOU
2008-03-03 23:39 --------- d-----w C:\Program Files\Sierra On-Line
2008-03-03 23:37 --------- d-----w C:\Program Files\Sierra
2008-02-28 21:05 --------- d-----w C:\Program Files\Half-Life Editing
2008-02-27 21:22 --------- d-----w C:\Program Files\wally
2008-02-19 00:10 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2008-01-06 19:41 22,328 ----a-w C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\PnkBstrK.sys
.
Code: Select all
<pre>
----a-w            57,344 2008-01-24 03:57:33  C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\My Documents\toolbar of games\Zboard .exe
----a-w            39,792 2008-01-24 03:57:25  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w           155,648 2008-01-24 03:57:34  C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w           143,360 2008-01-24 02:33:16  C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w           847,872 2008-01-27 21:42:26  C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
----a-w            57,344 2008-01-24 03:57:33  C:\Program Files\Ideazon\ZEngine\Zboard .exe
----a-w           267,048 2008-01-28 20:58:42  C:\Program Files\iTunes\iTunesHelper .exe
----a-w           385,024 2008-01-24 04:21:17  C:\Program Files\QuickTime\QTTask   .exe
----a-w           385,024 2008-01-24 03:37:20  C:\Program Files\QuickTime\QTTask  .exe
----a-w           385,024 2008-01-24 03:37:20  C:\Program Files\QuickTime\QTTask .exe
----a-w         1,103,752 2008-01-27 21:11:51  C:\Program Files\Spyware Doctor\pctsTray .exe
----a-w         1,318,912 2008-01-28 20:30:15  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w         5,367,664 2008-01-28 20:58:43  C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
----a-w            15,360 2008-01-28 20:10:50  C:\WINDOWS\system32\ctfmon .exe



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" [ ]
"DesktopX"="C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX.exe" [ ]
"CursorFX"="C:\Program Files\Stardock\CursorFX\CursorFX.exe" [2008-02-05 13:23 417528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"jeevjbhk"="C:\WINDOWS\system32\zslevmpg.exe" [ ]
"njouqtou"="C:\WINDOWS\system32\bsvaxsfk.exe" [ ]
"skripaah"="C:\WINDOWS\system32\dkhuhctc.exe" [ ]
"ygvwxqom"="C:\WINDOWS\system32\gzchmtcf.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 13:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 04:08 16380416 C:\WINDOWS\RTHDCPL.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 13:00 33280 C:\WINDOWS\system32\rundll32.exe]
"Zboard"="C:\Program Files\Ideazon\ZEngine\Zboard.exe" [ ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [ ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [ ]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [ ]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [ ]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 19:38 987187]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-03-24 13:37 262144]
"HPHUPD07"="C:\Program Files\HP\{C8EEAA89-0A3E-441f-B646-17A46F5D6954}\hphupd07.exe" [2005-03-17 01:08 49152]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49 49152]
"HPHmon07"="C:\WINDOWS\system32\hphmon07.exe" [2005-03-17 00:59 622592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXNhfeE]
byXNhfeE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkHXNEV]
jkkHXNEV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkIYoMg]
jkkIYoMg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-20 15:57 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvvTJA]
xxyvvTJA.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywwwv]
xxywwwv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"vidc.dvsd"= mcdvd_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\day of defeat source\\hl2.exe"=
"C:\\Program Files\\Steam\\SteamApps\\common\\dawn of war dark crusade\\darkcrusade.exe"=
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BROOD\\StarCraft.exe"=
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\counter-strike\\hl.exe"=
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\condition zero\\hl.exe"=
"C:\\Program Files\\Steam\\SteamApps\\common\\defcon\\defcon.exe"=
"C:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Documents and Settings\\Benjamin Brouse.NIGHTCRAWLER\\My Documents\\toolbar of games\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"C:\\Program Files\\Unreal Tournament\\System\\UnrealTournament.icd"=
"C:\\Program Files\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForever.exe"=

R3 Alpham1;Ideazon ZBoard USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham1.sys [2007-07-23 10:56]
R3 Alpham2;Ideazon ZBoard MM USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham2.sys [2007-03-20 12:49]
R3 WLIU2KG125S;BUFFALO WLI-U2-KG125S Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 13:00]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-01-06 15:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b4d5d19-ea1b-11dc-9564-001601cf4256}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 16:46:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 01:15:45
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-27 1:18:28 - machine was rebooted [Benjamin Brouse]
ComboFix-quarantined-files.txt 2008-04-27 05:18:25

Pre-Run: 189,822,341,120 bytes free
Post-Run: 189,742,559,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

285 --- E O F --- 2008-04-11 11:28:40


Fresh HJT log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:23 AM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon07.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [HPHUPD07] C:\Program Files\HP\{C8EEAA89-0A3E-441f-B646-17A46F5D6954}\hphupd07.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon07] C:\WINDOWS\system32\hphmon07.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [DesktopX] "C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX.exe"
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jeevjbhk] C:\WINDOWS\system32\zslevmpg.exe
O4 - HKCU\..\Run: [njouqtou] C:\WINDOWS\system32\bsvaxsfk.exe
O4 - HKCU\..\Run: [skripaah] C:\WINDOWS\system32\dkhuhctc.exe
O4 - HKCU\..\Run: [ygvwxqom] C:\WINDOWS\system32\gzchmtcf.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9470509437
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byXNhfeE - byXNhfeE.dll (file missing)
O20 - Winlogon Notify: jkkHXNEV - jkkHXNEV.dll (file missing)
O20 - Winlogon Notify: jkkIYoMg - jkkIYoMg.dll (file missing)
O20 - Winlogon Notify: xxyvvTJA - xxyvvTJA.dll (file missing)
O20 - Winlogon Notify: xxywwwv - xxywwwv.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8628 bytes
Renauldo
Active Member
 
Posts: 10
Joined: April 25th, 2008, 12:28 pm

Re: Virus problem

Unread postby peku006 » April 27th, 2008, 7:25 am

Hello Renauldo

P2P Warning!
Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.
Additional information on the safety of Peer-to-Peer programs themselves is here:
Clean/Infected P2P Programs
Please decide if you want to keep using P2P so I can put it in my next speech if you don't want to keep it.

1 - Disable SpySweeper

Please disable SpySweeper as it may interfere with the fix.
  • Open SpySweeper
  • Click Options
  • Click Program Options
  • Uncheck Load at Windows startup
  • On the left click Shields and uncheck all there
  • Uncheck Home page shield
  • Uncheck Automatically restore default without notification
  • Close SpySweeper
Don't forget to re-enable it when your computer is clean.

2 - Disable Spyware Doctor

    Please disable Spyware Doctor as it may interfere with repairs.

      1. Open Spyware Doctor
      2. Click the "OnGuard" button on the left side.
      3. Uncheck "Activate OnGuard".
    Please remember to reactivate it when we are finished.

3 - Run CFScript

Open Notepad and copy/paste the text in the box into the window:

File::
C:\WINDOWS\system32\wwmessow.ini
C:\WINDOWS\system32\ldsslklo.ini
C:\WINDOWS\BM6349c440.xml
C:\WINDOWS\system32\zslevmpg.exe
C:\WINDOWS\system32\bsvaxsfk.exe
C:\WINDOWS\system32\dkhuhctc.exe
C:\WINDOWS\system32\gzchmtcf.exe
Folder::
C:\Documents and Settings\All Users\Application Data\fmhcrgbq
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jeevjbhk"=-
"njouqtou"=-
"skripaah"=-
"ygvwxqom"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXNhfeE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkHXNEV]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkIYoMg]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvvTJA]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywwwv]
RenV::
C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\My Documents\toolbar of games\Zboard .exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
C:\Program Files\Ideazon\ZEngine\Zboard .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\QuickTime\QTTask   .exe
C:\Program Files\QuickTime\QTTask  .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\Spyware Doctor\pctsTray .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
C:\WINDOWS\system32\ctfmon .exe



Save it to your desktop as CFScript.txt

Referring to the picture below, drag CFScript.txt onto ComboFix.exe
[Image: CFScript.txt being dragged onto ComboFix.exe]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

4 - Clean temp files:

    Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

    Under Main choose:
      Windows Temp
      Current User Temp
      All Users Temp
      Temporary Internet Files
      Prefetch
      Java Cache

      *The other boxes are optional*
      Then click the Empty Selected button.
    if you use Firefox:
      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
    if you use Opera:
      Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program

5 - Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

6 - Get Firewall and AntiVirus Status
Please go to Start, Run, type wscui.cpl into the box and hit <Enter>.
Tell me if it reports both AntiVirus and Firewall as ON, and then click on the little down arrows on the right of each, and note the name of the application being used for each.
In your reply please include the application names and ON/OFF status of each.

7 - Check on status
Please reply with

Firewall and AntiVirus Status
the Combofix.txt
the Malwarebytes log
a new HijackThis log

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway
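The CFScript in step 3 is built by hand from three patterns in the logs above: Run values with eight-random-lowercase-letter names pointing at same-shaped executables in system32, Winlogon Notify packages whose DLL is a bare filename that HijackThis reports as "(file missing)", and legitimate programs whose filename has acquired a space before ".exe" (listed under RenV:: so ComboFix renames them back rather than deleting them). The script below is an added example, not part of the original thread and not code from HijackThis or ComboFix; it applies those three heuristics to sample lines copied from the logs above and renders the hits in the same File::/Registry::/RenV:: layout. The regular expressions and the "eight lowercase letters" rule are assumptions tuned to this thread's entries, not a general malware signature.

```python
"""Triage helper for HijackThis O4/O20 lines and ComboFix file listings.

Added example (not from the thread, HijackThis or ComboFix). It encodes the
three indicators the helper acted on here and emits them as a CFScript:
  1. Run values named with eight random lowercase letters whose target is an
     .exe of the same shape directly in system32 (jeevjbhk -> zslevmpg.exe);
  2. Winlogon Notify packages whose DLL is a bare filename reported missing;
  3. files with a space before ".exe" ("QTTask .exe"), restored via RenV::.
Every hit is a candidate for a human to confirm, not a verdict.
"""
import re

# HJT O4 line: O4 - HKCU\..\Run: [jeevjbhk] C:\WINDOWS\system32\zslevmpg.exe
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# HJT O20 line: O20 - Winlogon Notify: byXNhfeE - byXNhfeE.dll (file missing)
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$')
# ComboFix listing line (attributes, size, date, time, path) as in the listing above
LISTING_RE = re.compile(
    r'^[-a-z]{7}\s+[\d,]+\s+\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(?P<path>[A-Za-z]:\\.*\S)\s*$')

# Heuristics: assumptions of this example, tuned to the entries in this thread
RANDOM8_RE = re.compile(r'^[a-z]{8}$')
SYSTEM32_RANDOM_EXE_RE = re.compile(r'^C:\\WINDOWS\\system32\\[a-z]{8}\.exe$', re.IGNORECASE)
SPACE_BEFORE_EXT_RE = re.compile(r' +\.exe$', re.IGNORECASE)

RUN_KEYS = {
    'HKCU': r'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM': r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
}
NOTIFY_KEY = r'HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify'


def command_path(cmd):
    """Executable part of a Run command: the quoted token, else text before the first switch.
    Limitation: an unquoted path containing ' -' or ' /' would be cut short."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return re.split(r' (?=[/-])', cmd, maxsplit=1)[0]


def triage(lines):
    """Return {'run': [(hive, name, path)], 'notify': [key], 'renv': [path]} for suspicious lines."""
    found = {'run': [], 'notify': [], 'renv': []}
    for line in lines:
        line = line.rstrip('\r\n')
        m = O4_RE.match(line)
        if m:
            path = command_path(m.group('cmd'))
            if RANDOM8_RE.match(m.group('name')) and SYSTEM32_RANDOM_EXE_RE.match(path):
                found['run'].append((m.group('hive'), m.group('name'), path))
            continue
        m = O20_RE.match(line)
        if m:
            bare_name = '\\' not in m.group('dll')   # no directory: resolved via the search path
            if bare_name or m.group('missing'):
                found['notify'].append(m.group('key'))
            continue
        m = LISTING_RE.match(line)
        if m and SPACE_BEFORE_EXT_RE.search(m.group('path')):
            found['renv'].append(m.group('path'))
    return found


def build_cfscript(found):
    """Render a triage result as CFScript text: File:: deletes, Registry:: edits, RenV:: renames."""
    out = []
    if found['run']:
        out.append('File::')
        out.extend(path for _, _, path in found['run'])
    if found['run'] or found['notify']:
        out.append('Registry::')
        for hive in ('HKCU', 'HKLM'):
            names = [name for h, name, _ in found['run'] if h == hive]
            if names:
                out.append('[' + RUN_KEYS[hive] + ']')
                out.extend('"%s"=-' % name for name in names)          # "=-" deletes the value
        out.extend('[-' + NOTIFY_KEY + '\\' + key + ']' for key in found['notify'])  # [-key] deletes the key
    if found['renv']:
        out.append('RenV::')
        out.extend(found['renv'])
    return '\n'.join(out) + '\n' if out else ''


# Constructed sample: lines copied from the logs in this thread, plus benign neighbours.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jeevjbhk] C:\WINDOWS\system32\zslevmpg.exe
O4 - HKCU\..\Run: [njouqtou] C:\WINDOWS\system32\bsvaxsfk.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byXNhfeE - byXNhfeE.dll (file missing)
O20 - Winlogon Notify: xxywwwv - xxywwwv.dll (file missing)
----a-w           385,024 2008-01-24 03:37:20  C:\Program Files\QuickTime\QTTask .exe
----a-w            15,360 2008-01-28 20:10:50  C:\WINDOWS\system32\ctfmon .exe
----a-w            15,360 2008-01-28 20:10:50  C:\WINDOWS\system32\ctfmon.exe
""".strip('\n').splitlines()

if __name__ == '__main__':
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Run against the sample, the script flags only the two random-named Run values, the two bare Winlogon Notify DLLs and the two "name .exe" files; the SUPERAntiSpyware notify package (full path, present) and the real ctfmon.exe pass. The space-before-extension files go under RenV:: and not File:: because, as the thread's own list shows (Reader_sl, iTunesHelper, QTTask), they are legitimate programs that were renamed, not malware to delete.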

Re: Virus problem

Unread postby Renauldo » April 27th, 2008, 9:01 am

PC seems to be running a lot better now.

The firewall is turned on and ok, but it says OFF under virus protection.


COMBOFIX LOG

ComboFix 08-04-24.1 - Benjamin Brouse 2008-04-27 8:44:04.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1573 [GMT -4:00]
Running from: C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM6349c440.xml
C:\WINDOWS\system32\bsvaxsfk.exe
C:\WINDOWS\system32\dkhuhctc.exe
C:\WINDOWS\system32\gzchmtcf.exe
C:\WINDOWS\system32\ldsslklo.ini
C:\WINDOWS\system32\wwmessow.ini
C:\WINDOWS\system32\zslevmpg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\fmhcrgbq
C:\Documents and Settings\All Users\Application Data\fmhcrgbq\finipaxu.exe
C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\BM6349c440.xml
C:\WINDOWS\system32\ldsslklo.ini
C:\WINDOWS\system32\RCXAA.tmp
C:\WINDOWS\system32\wwmessow.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-27 08:41 . 2008-04-27 08:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-27 08:41 . 2008-04-27 08:41 <DIR> d-------- C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\Malwarebytes
2008-04-27 08:41 . 2008-04-27 08:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-27 00:41 . 2008-04-27 00:42 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-27 00:39 . 2008-04-27 00:39 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-04-26 11:28 . 2008-04-27 01:05 <DIR> d-------- C:\SDFix
2008-04-24 18:23 . 2008-04-24 18:23 <DIR> d-------- C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\TmpRecentIcons
2008-04-24 17:11 . 2008-04-24 17:11 <DIR> d-------- C:\Program Files\Exportizer
2008-04-24 07:24 . 2008-04-24 07:24 <DIR> d-------- C:\Program Files\DBF Manager
2008-04-24 07:24 . 2008-04-24 07:24 <DIR> d-------- C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\DBF Manager
2008-04-23 18:26 . 2008-04-23 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-04-23 07:13 . 2008-04-23 07:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-04-22 20:22 . 2008-04-22 20:22 <DIR> d-------- C:\WINDOWS\wb
2008-04-22 20:19 . 2008-04-22 20:19 <DIR> d-------- C:\WINDOWS\Start Menu
2008-04-22 20:19 . 2008-04-22 20:19 <DIR> d-------- C:\Program Files\HEAT
2008-04-22 20:19 . 1998-12-07 16:20 1,020,416 --a------ C:\WINDOWS\system32\WebPro32.ocx
2008-04-22 20:19 . 1996-10-15 18:01 298,496 --a------ C:\WINDOWS\uninst.exe
2008-04-22 20:19 . 1999-01-22 17:08 34,665 --a------ C:\WINDOWS\system32\ripx.vxd
2008-04-22 19:28 . 2008-04-22 19:28 <DIR> d-------- C:\Program Files\directx
2008-04-22 19:28 . 2008-04-22 19:28 0 --a------ C:\WINDOWS\DXT125.tmp
2008-04-22 19:28 . 2008-04-22 19:28 0 --a------ C:\WINDOWS\DXT124.tmp
2008-04-22 19:28 . 2008-04-22 19:28 0 --a------ C:\WINDOWS\DXT123.tmp
2008-04-22 19:28 . 2008-04-22 19:28 0 --a------ C:\WINDOWS\DXT122.tmp
2008-04-22 19:28 . 2008-04-22 19:28 0 --a------ C:\WINDOWS\DXT121.tmp
2008-04-22 19:28 . 2008-04-22 19:28 0 --a------ C:\WINDOWS\DXT120.tmp
2008-04-22 19:26 . 2008-04-22 19:28 <DIR> d-------- C:\Program Files\Unreal Tournament
2008-04-22 19:09 . 2008-04-22 19:09 <DIR> d-------- C:\Program Files\Common Files\HP
2008-04-22 19:08 . 2008-04-22 19:08 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-04-22 19:06 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-04-22 19:06 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-04-22 19:06 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-04-22 19:06 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-04-22 19:06 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-04-22 19:06 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-04-22 19:05 . 2008-04-22 19:08 <DIR> d-------- C:\Program Files\HP
2008-04-22 19:05 . 2008-04-22 19:10 49,099 --a------ C:\WINDOWS\HPHins07.dat
2008-04-22 19:05 . 2005-03-17 00:54 1,111 --------- C:\WINDOWS\hphmdl07.dat
2008-04-14 18:51 . 2008-04-14 18:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-14 18:51 . 2008-04-14 18:51 <DIR> d-------- C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\SUPERAntiSpyware.com
2008-04-10 07:06 . 2008-04-10 07:06 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-07 19:16 . 2008-04-07 19:16 <DIR> d-------- C:\Program Files\Image-Line
2008-04-07 19:16 . 2002-07-07 19:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-04-07 18:59 . 2008-04-10 17:40 37,888 --a------ C:\WINDOWS\system32\rar.exe
2008-04-06 21:43 . 2008-04-06 21:43 <DIR> d-------- C:\Program Files\FASoft
2008-04-06 21:43 . 2008-04-06 21:44 <DIR> d-------- C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\n-Track Studio
2008-04-06 20:21 . 2008-04-06 20:21 <DIR> d-------- C:\Program Files\LucasArts
2008-04-02 20:34 . 2008-04-02 20:34 <DIR> d-------- C:\Program Files\Free iPod Video Converter
2008-04-02 20:34 . 2004-05-25 17:06 417,792 --a------ C:\WINDOWS\system32\ac3filter.ax
2008-04-02 20:34 . 2005-02-27 21:48 356,352 --a------ C:\WINDOWS\system32\RealMediaSplitter.ax
2008-04-02 20:34 . 2004-01-10 17:02 258,048 --a------ C:\WINDOWS\system32\GplMpgDec.ax
2008-04-02 19:43 . 2008-04-24 21:55 <DIR> d-------- C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\LimeWire
2008-04-02 19:42 . 2008-04-02 19:42 <DIR> d-------- C:\Program Files\LimeWire
2008-03-31 21:44 . 2008-03-31 21:44 <DIR> d-------- C:\Program Files\OpenMortal
2008-03-31 18:48 . 2008-03-31 18:48 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 12:44 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-27 12:44 --------- d-----w C:\Program Files\Spyware Doctor
2008-04-27 12:44 --------- d-----w C:\Program Files\QuickTime
2008-04-27 12:44 --------- d-----w C:\Program Files\iTunes
2008-04-27 12:42 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 04:16 --------- d-----w C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\SiteAdvisor
2008-04-24 22:19 --------- d-----w C:\Program Files\Steam
2008-04-23 22:09 --------- d-----w C:\Program Files\PopCap Games
2008-04-22 01:01 --------- d-----w C:\Program Files\crayon
2008-04-14 22:07 --------- d-----w C:\Program Files\combofix
2008-04-11 00:29 --------- d-----w C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\Vso
2008-04-10 21:46 --------- d-----w C:\Program Files\Free FLV Converter
2008-04-07 23:36 --------- d-----w C:\Program Files\Microsoft Games
2008-04-07 01:39 --------- d-----w C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\Propellerhead Software
2008-04-07 00:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-06 17:13 --------- d-----w C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\uTorrent
2008-04-02 21:59 --------- d-----w C:\Program Files\BROOD
2008-04-02 03:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-30 15:42 --------- d-----w C:\Documents and Settings\Everyone Else\Application Data\SiteAdvisor
2008-03-27 18:37 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-27 18:30 --------- d-----w C:\Program Files\THQ
2008-03-26 17:47 --------- d-----w C:\Program Files\Common Files\stardock
2008-03-26 17:30 --------- d-----w C:\Program Files\Stardock
2008-03-26 17:28 --------- d-----w C:\Program Files\Object Desktop
2008-03-26 02:37 162,432 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2008-03-24 18:49 --------- d-----w C:\Program Files\Handbrake
2008-03-24 17:41 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2008-03-24 17:40 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-03-24 17:40 --------- d-----w C:\Program Files\AVS4YOU
2008-03-24 17:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-03-24 16:55 --------- d-----w C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\AVS4YOU
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-03 23:39 --------- d-----w C:\Program Files\Sierra On-Line
2008-03-03 23:37 --------- d-----w C:\Program Files\Sierra
2008-02-28 21:05 --------- d-----w C:\Program Files\Half-Life Editing
2008-02-27 21:22 --------- d-----w C:\Program Files\wally
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-19 00:10 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-08 18:01 9,655,296 ----a-w C:\WINDOWS\system32\logonuiX.exe
2008-02-08 03:25 233,472 ----a-w C:\WINDOWS\system32\REX Shared Library.dll
2008-02-08 03:25 225,280 ----a-w C:\WINDOWS\system32\ReWire.dll
2008-01-28 20:37 24,576 ----a-w C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-28 20:10 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-01-06 19:41 22,328 ----a-w C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\PnkBstrK.sys
.
----a-w         5,367,664 2008-01-28 20:58:43  C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-23 22:33 143360]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" [ ]
"DesktopX"="C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX.exe" [ ]
"CursorFX"="C:\Program Files\Stardock\CursorFX\CursorFX.exe" [2008-02-05 13:23 417528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-28 16:10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 13:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 04:08 16380416 C:\WINDOWS\RTHDCPL.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-23 23:57 39792]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 13:00 33280 C:\WINDOWS\system32\rundll32.exe]
"Zboard"="C:\Program Files\Ideazon\ZEngine\Zboard.exe" [2008-01-23 23:57 57344]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-01-23 23:57 155648]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [ ]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [ ]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [ ]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-01-27 17:11 1103752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 19:38 987187]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-23 23:37 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-28 16:58 267048]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-03-24 13:37 262144]
"HPHUPD07"="C:\Program Files\HP\{C8EEAA89-0A3E-441f-B646-17A46F5D6954}\hphupd07.exe" [2005-03-17 01:08 49152]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49 49152]
"HPHmon07"="C:\WINDOWS\system32\hphmon07.exe" [2005-03-17 00:59 622592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-20 15:57 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"vidc.dvsd"= mcdvd_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\day of defeat source\\hl2.exe"=
"C:\\Program Files\\Steam\\SteamApps\\common\\dawn of war dark crusade\\darkcrusade.exe"=
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BROOD\\StarCraft.exe"=
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\counter-strike\\hl.exe"=
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\condition zero\\hl.exe"=
"C:\\Program Files\\Steam\\SteamApps\\common\\defcon\\defcon.exe"=
"C:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Documents and Settings\\Benjamin Brouse.NIGHTCRAWLER\\My Documents\\toolbar of games\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"C:\\Program Files\\Unreal Tournament\\System\\UnrealTournament.icd"=
"C:\\Program Files\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForever.exe"=

R3 Alpham1;Ideazon ZBoard USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham1.sys [2007-07-23 10:56]
R3 Alpham2;Ideazon ZBoard MM USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham2.sys [2007-03-20 12:49]
R3 WLIU2KG125S;BUFFALO WLI-U2-KG125S Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 13:00]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-01-06 15:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b4d5d19-ea1b-11dc-9564-001601cf4256}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 16:46:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 08:46:20
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-27 8:47:21
ComboFix-quarantined-files.txt 2008-04-27 12:46:51
ComboFix2.txt 2008-04-27 05:18:29

Pre-Run: 189,728,059,392 bytes free
Post-Run: 189,709,115,392 bytes free

237 --- E O F --- 2008-04-11 11:28:40





MALWARE BYTES LOG



Malwarebytes' Anti-Malware 1.11
Database version: 689

Scan type: Quick Scan
Objects scanned: 41305
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{0263d762-b6e5-4dcf-91a5-e1283d25e850} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{dc33216e-1322-437e-9d55-2dd312f190c2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4005c168-1692-4cfd-b21b-03f29dc530d4} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aeb838dd-2819-4a77-8bf8-e75405b85f6f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\akttzn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\anticipator.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtoolb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hoproxy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxiwlgpm.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxiwlgpm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msgp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mtr2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mwin32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netode.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\newsd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ps1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\regm64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Rundl1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysreq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taack.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taack.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\temp#01.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\VBIEWER.OCX (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogonpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WINWGPX.EXE (Trojan.Agent) -> Quarantined and deleted successfully.



HJT LOG


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:29 AM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon07.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [HPHUPD07] C:\Program Files\HP\{C8EEAA89-0A3E-441f-B646-17A46F5D6954}\hphupd07.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon07] C:\WINDOWS\system32\hphmon07.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [DesktopX] "C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX.exe"
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9470509437
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8032 bytes
Renauldo
Active Member
 
Posts: 10
Joined: April 25th, 2008, 12:28 pm

Re: Virus problem

Unread postby peku006 » April 27th, 2008, 10:51 am

Hello Renauldo

What AntiVirus do you use?

You should print out these instructions or copy them to a NotePad file so they will be accessible.
Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.


1 - Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in with your usual account.

2 - Run CFScript

Open Notepad and copy/paste the text in the box into the window:

RenV::
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe



Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Reboot into Normal Mode

3 - Check on status
Please reply with:
  • the Combofix.txt
  • a new HijackThis log

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Virus problem

Unread postby Renauldo » April 27th, 2008, 8:37 pm

I have Spy Sweeper now (not sure if it's antivirus) and I uninstalled it a while ago, but after that last ComboFix run it popped up again and it says that antivirus is on in the Windows Security Center. I was hoping you could suggest some free ones (antivirus) I could download (short on cash :P ). Thanks a bunch.



ComboFix 08-04-24.1 - Benjamin Brouse 2008-04-27 20:24:44.11 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1779 [GMT -4:00]
Running from: C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-27 08:41 . 2008-04-27 08:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-27 08:41 . 2008-04-27 08:41 <DIR> d-------- C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\Malwarebytes
2008-04-27 08:41 . 2008-04-27 08:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-27 00:41 . 2008-04-27 00:42 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-27 00:39 . 2008-04-27 00:39 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-04-26 11:28 . 2008-04-27 01:05 <DIR> d-------- C:\SDFix
2008-04-24 18:23 . 2008-04-24 18:23 <DIR> d-------- C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\TmpRecentIcons
2008-04-24 17:11 . 2008-04-24 17:11 <DIR> d-------- C:\Program Files\Exportizer
2008-04-24 07:24 . 2008-04-24 07:24 <DIR> d-------- C:\Program Files\DBF Manager
2008-04-24 07:24 . 2008-04-24 07:24 <DIR> d-------- C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\DBF Manager
2008-04-23 18:26 . 2008-04-23 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-04-23 07:13 . 2008-04-23 07:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-04-22 20:22 . 2008-04-22 20:22 <DIR> d-------- C:\WINDOWS\wb
2008-04-22 20:19 . 2008-04-22 20:19 <DIR> d-------- C:\WINDOWS\Start Menu
2008-04-22 20:19 . 2008-04-22 20:19 <DIR> d-------- C:\Program Files\HEAT
2008-04-22 20:19 . 1998-12-07 16:20 1,020,416 --a------ C:\WINDOWS\system32\WebPro32.ocx
2008-04-22 20:19 . 1996-10-15 18:01 298,496 --a------ C:\WINDOWS\uninst.exe
2008-04-22 20:19 . 1999-01-22 17:08 34,665 --a------ C:\WINDOWS\system32\ripx.vxd
2008-04-22 19:28 . 2008-04-22 19:28 <DIR> d-------- C:\Program Files\directx
2008-04-22 19:28 . 2008-04-22 19:28 0 --a------ C:\WINDOWS\DXT125.tmp
2008-04-22 19:28 . 2008-04-22 19:28 0 --a------ C:\WINDOWS\DXT124.tmp
2008-04-22 19:28 . 2008-04-22 19:28 0 --a------ C:\WINDOWS\DXT123.tmp
2008-04-22 19:28 . 2008-04-22 19:28 0 --a------ C:\WINDOWS\DXT122.tmp
2008-04-22 19:28 . 2008-04-22 19:28 0 --a------ C:\WINDOWS\DXT121.tmp
2008-04-22 19:28 . 2008-04-22 19:28 0 --a------ C:\WINDOWS\DXT120.tmp
2008-04-22 19:26 . 2008-04-22 19:28 <DIR> d-------- C:\Program Files\Unreal Tournament
2008-04-22 19:09 . 2008-04-22 19:09 <DIR> d-------- C:\Program Files\Common Files\HP
2008-04-22 19:08 . 2008-04-22 19:08 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-04-22 19:06 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-04-22 19:06 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-04-22 19:06 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-04-22 19:06 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-04-22 19:06 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-04-22 19:06 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-04-22 19:05 . 2008-04-22 19:08 <DIR> d-------- C:\Program Files\HP
2008-04-22 19:05 . 2008-04-22 19:10 49,099 --a------ C:\WINDOWS\HPHins07.dat
2008-04-22 19:05 . 2005-03-17 00:54 1,111 --------- C:\WINDOWS\hphmdl07.dat
2008-04-14 18:51 . 2008-04-14 18:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-14 18:51 . 2008-04-14 18:51 <DIR> d-------- C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\SUPERAntiSpyware.com
2008-04-10 07:06 . 2008-04-10 07:06 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-07 19:16 . 2008-04-07 19:16 <DIR> d-------- C:\Program Files\Image-Line
2008-04-07 19:16 . 2002-07-07 19:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-04-07 18:59 . 2008-04-10 17:40 37,888 --a------ C:\WINDOWS\system32\rar.exe
2008-04-06 21:43 . 2008-04-06 21:43 <DIR> d-------- C:\Program Files\FASoft
2008-04-06 21:43 . 2008-04-06 21:44 <DIR> d-------- C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\n-Track Studio
2008-04-06 20:21 . 2008-04-06 20:21 <DIR> d-------- C:\Program Files\LucasArts
2008-04-02 20:34 . 2008-04-02 20:34 <DIR> d-------- C:\Program Files\Free iPod Video Converter
2008-04-02 20:34 . 2004-05-25 17:06 417,792 --a------ C:\WINDOWS\system32\ac3filter.ax
2008-04-02 20:34 . 2005-02-27 21:48 356,352 --a------ C:\WINDOWS\system32\RealMediaSplitter.ax
2008-04-02 20:34 . 2004-01-10 17:02 258,048 --a------ C:\WINDOWS\system32\GplMpgDec.ax
2008-04-02 19:43 . 2008-04-24 21:55 <DIR> d-------- C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\LimeWire
2008-04-02 19:42 . 2008-04-02 19:42 <DIR> d-------- C:\Program Files\LimeWire
2008-03-31 21:44 . 2008-03-31 21:44 <DIR> d-------- C:\Program Files\OpenMortal
2008-03-31 18:48 . 2008-03-31 18:48 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 00:14 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 12:57 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-27 12:44 --------- d-----w C:\Program Files\Spyware Doctor
2008-04-27 12:44 --------- d-----w C:\Program Files\QuickTime
2008-04-27 12:44 --------- d-----w C:\Program Files\iTunes
2008-04-27 04:16 --------- d-----w C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\SiteAdvisor
2008-04-24 22:19 --------- d-----w C:\Program Files\Steam
2008-04-23 22:09 --------- d-----w C:\Program Files\PopCap Games
2008-04-22 01:01 --------- d-----w C:\Program Files\crayon
2008-04-14 22:07 --------- d-----w C:\Program Files\combofix
2008-04-11 00:29 --------- d-----w C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\Vso
2008-04-10 21:46 --------- d-----w C:\Program Files\Free FLV Converter
2008-04-07 23:36 --------- d-----w C:\Program Files\Microsoft Games
2008-04-07 01:39 --------- d-----w C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\Propellerhead Software
2008-04-07 00:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-06 17:13 --------- d-----w C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\uTorrent
2008-04-02 21:59 --------- d-----w C:\Program Files\BROOD
2008-04-02 03:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-30 15:42 --------- d-----w C:\Documents and Settings\Everyone Else\Application Data\SiteAdvisor
2008-03-27 18:37 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-27 18:30 --------- d-----w C:\Program Files\THQ
2008-03-26 17:47 --------- d-----w C:\Program Files\Common Files\stardock
2008-03-26 17:30 --------- d-----w C:\Program Files\Stardock
2008-03-26 17:28 --------- d-----w C:\Program Files\Object Desktop
2008-03-26 02:37 162,432 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2008-03-24 18:49 --------- d-----w C:\Program Files\Handbrake
2008-03-24 17:41 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2008-03-24 17:40 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-03-24 17:40 --------- d-----w C:\Program Files\AVS4YOU
2008-03-24 17:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-03-24 16:55 --------- d-----w C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\AVS4YOU
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-03 23:39 --------- d-----w C:\Program Files\Sierra On-Line
2008-03-03 23:37 --------- d-----w C:\Program Files\Sierra
2008-02-28 21:05 --------- d-----w C:\Program Files\Half-Life Editing
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-19 00:10 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-08 18:01 9,655,296 ----a-w C:\WINDOWS\system32\logonuiX.exe
2008-02-08 03:25 233,472 ----a-w C:\WINDOWS\system32\REX Shared Library.dll
2008-02-08 03:25 225,280 ----a-w C:\WINDOWS\system32\ReWire.dll
2008-01-28 20:37 24,576 ----a-w C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-28 20:10 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-01-06 19:41 22,328 ----a-w C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-23 22:33 143360]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" [ ]
"DesktopX"="C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX.exe" [ ]
"CursorFX"="C:\Program Files\Stardock\CursorFX\CursorFX.exe" [2008-02-05 13:23 417528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-28 16:10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 13:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 04:08 16380416 C:\WINDOWS\RTHDCPL.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-23 23:57 39792]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 13:00 33280 C:\WINDOWS\system32\rundll32.exe]
"Zboard"="C:\Program Files\Ideazon\ZEngine\Zboard.exe" [2008-01-23 23:57 57344]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-01-23 23:57 155648]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [ ]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [ ]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-28 16:58 5367664]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 19:38 987187]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-23 23:37 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-28 16:58 267048]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-03-24 13:37 262144]
"HPHUPD07"="C:\Program Files\HP\{C8EEAA89-0A3E-441f-B646-17A46F5D6954}\hphupd07.exe" [2005-03-17 01:08 49152]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49 49152]
"HPHmon07"="C:\WINDOWS\system32\hphmon07.exe" [2005-03-17 00:59 622592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-20 15:57 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"vidc.dvsd"= mcdvd_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\day of defeat source\\hl2.exe"=
"C:\\Program Files\\Steam\\SteamApps\\common\\dawn of war dark crusade\\darkcrusade.exe"=
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BROOD\\StarCraft.exe"=
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\counter-strike\\hl.exe"=
"C:\\Program Files\\Steam\\SteamApps\\renauldo\\condition zero\\hl.exe"=
"C:\\Program Files\\Steam\\SteamApps\\common\\defcon\\defcon.exe"=
"C:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Documents and Settings\\Benjamin Brouse.NIGHTCRAWLER\\My Documents\\toolbar of games\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"C:\\Program Files\\Unreal Tournament\\System\\UnrealTournament.icd"=
"C:\\Program Files\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForever.exe"=

R3 Alpham1;Ideazon ZBoard USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham1.sys [2007-07-23 10:56]
R3 Alpham2;Ideazon ZBoard MM USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham2.sys [2007-03-20 12:49]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-01-06 15:08]
S3 WLIU2KG125S;BUFFALO WLI-U2-KG125S Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 13:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b4d5d19-ea1b-11dc-9564-001601cf4256}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 16:46:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 20:28:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-27 20:30:40
ComboFix-quarantined-files.txt 2008-04-28 00:29:59
ComboFix2.txt 2008-04-27 12:47:21
ComboFix3.txt 2008-04-27 05:18:29

Pre-Run: 189,712,736,256 bytes free
Post-Run: 189,704,855,552 bytes free

209 --- E O F --- 2008-04-11 11:28:40



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:07 PM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon07.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zboard] "C:\Program Files\Ideazon\ZEngine\Zboard.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [HPHUPD07] "C:\Program Files\HP\{C8EEAA89-0A3E-441f-B646-17A46F5D6954}\hphupd07.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon07] C:\WINDOWS\system32\hphmon07.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [DesktopX] "C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX.exe"
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9470509437
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7934 bytes
Renauldo
Active Member
 
Posts: 10
Joined: April 25th, 2008, 12:28 pm

Re: Virus problem

Unread postby peku006 » April 28th, 2008, 11:22 am

Hello Renauldo
I have Spy Sweeper now (not sure if it's antivirus)
It's not antivirus
I was hoping you could suggest some free ones (antivirus) I could download
of course......."It's My Job"
You need to uninstall McAfee first
How to uninstall supported McAfee consumer products
http://service.mcafee.com/FAQDocument.aspx?id=107064&lc=1033

Anti-virus software consists of programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

1 - Run Kaspersky Online AV Scanner

Using Internet Explorer, go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.


2 - Check on status

Please reply with
1. the Kaspersky Online Scanner report
2. a fresh HijackThis log
Please let me know how your pc is now.

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Virus problem

Unread postby Renauldo » April 29th, 2008, 9:22 pm

I tried all those links but all the downloads had an error halfway through for some odd reason. Also tried the web scanner and it went all the way through but didn't seem to ever stop. I let it go for several hours and it didn't end, even though it looked as if it had finished.
Renauldo
Active Member
 
Posts: 10
Joined: April 25th, 2008, 12:28 pm

Re: Virus problem

Unread postby peku006 » April 30th, 2008, 12:12 pm

Hello Renauldo

I tried all those links but all the downloads had an error halfway through for some odd reason.
What kind of errors? Please explain a little bit more
Did you uninstall McAfee before trying to install "new" Anti-virus software?

If Kaspersky Online doesn't work we can use Panda

PANDA ONLINE SCAN
Place a shortcut to Panda ActiveScan on your desktop.

Reboot back into Windows and click the Panda ActiveScan shortcut.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Virus problem

Unread postby Renauldo » May 1st, 2008, 3:09 pm

Well, I just went to re-download all those files so I could explain the errors I got, and the Avira one worked. Fancy that :)

Bad news with the Panda scan. I tried it multiple times and it seems to just stop. Today I started it before I left, and when I got back it was only at about 60%.
That's a total of 8 hours it was running. I'm having bad luck with these internet scans.

thanks for sticking with me
-Ben
Renauldo
Active Member
 
Posts: 10
Joined: April 25th, 2008, 12:28 pm

Re: Virus problem

Unread postby peku006 » May 2nd, 2008, 10:44 am

Hello Renauldo

"bad news with the panda scan"...:banghead:
"I'm having bad luck with these internet scans" :roll:

Let's try this......

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems

Thanks
peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Virus problem

Unread postby Renauldo » May 2nd, 2008, 5:11 pm

You'll be happy to hear that this one worked :cheers:
Thanks for sticking with me so far.

Here's the log and a HJT log




# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3071 (20080502)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=647a7698cda7904c9bc9744c4da6ec09
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-05-02 08:33:05
# local_time=2008-05-02 04:33:05 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=393691
# found=42
# scan_time=3309
C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\My Documents\LimeWire\Saved\.Fruity Loops Studio 7 Full Crack.rar Win32/Archivarius.A worm FE8098EAB9E32CF427EB995AB2BDECF5
C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\My Documents\LimeWire\Saved\.Fruity Loops Studio 7 Full Crack.rar »CAB »Installer-Crack-Keygen.exe Win32/Archivarius.A worm 00000000000000000000000000000000
C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\My Documents\LimeWire\Saved\convertxtodvd key.zip Win32/Adware.PlayMP3Z application EF66FC72812C6033A712BB5C89E2521B
C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\My Documents\LimeWire\Saved\convertxtodvd key.zip »ZIP »Setup.exe Win32/Adware.PlayMP3Z application 00000000000000000000000000000000
C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\My Documents\LimeWire\Saved\photpshop cs2 keygen.zip Win32/Adware.PlayMP3Z application 74890B34115A0BEDF90A0DC81F0D37A8
C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\My Documents\LimeWire\Saved\photpshop cs2 keygen.zip »ZIP »Setup.exe Win32/Adware.PlayMP3Z application 00000000000000000000000000000000
C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\My Documents\LimeWire\Saved\reason 3 keygen.zip Win32/Adware.PlayMP3Z application EFFCA67D3DDA138478C01C9B90272BA0
C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\My Documents\LimeWire\Saved\reason 3 keygen.zip »ZIP »Setup.exe Win32/Adware.PlayMP3Z application 00000000000000000000000000000000
C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\My Documents\LimeWire\Saved\unwritten law album bittorrent downloader.zip Win32/Obfuscated.NBG trojan 967F5B92F9BBAF0A96F6A7CFEF6914B4
C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\My Documents\LimeWire\Saved\unwritten law album bittorrent downloader.zip »ZIP »BitDownload Setup.exe Win32/Obfuscated.NBG trojan 00000000000000000000000000000000
C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\My Documents\LimeWire\Saved\unwritten law album bittorrent downloader.zip »ZIP »BitDownload Setup.exe »NSIS »minime_0.exe Win32/Obfuscated.NBG trojan 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2008-01-29_164357.59.zip Win32/TrojanDropper.Agent.DGO virus 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2008-01-29_164357.59.zip »ZIP »SpySweeperUI.exe Win32/TrojanDropper.Agent.DGO virus 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2008-04-24_215351.98.zip Win32/Adware.Virtumonde application 7BC3C144E1F08E84A4EE7D46FD49B792
C:\QooBox\Quarantine\catchme2008-04-24_215351.98.zip »ZIP »Documents and Settings/Benjamin Brouse.NIGHTCRAWLER/Desktop/catchme.zip Win32/Adware.Virtumonde application 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2008-04-24_215351.98.zip »ZIP »Documents and Settings/Benjamin Brouse.NIGHTCRAWLER/Desktop/catchme.zip »ZIP »khfFXPjg.dll Win32/Adware.Virtumonde application 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\fmhcrgbq\finipaxu.exe.vir probably a variant of Win32/TrojanDownloader.FakeAlert.BP trojan C857B2F99A9F32D53DF4139EFFD916FF
C:\QooBox\Quarantine\C\Program Files\iTunes\iTunesHelper.exe.vir Win32/TrojanDropper.Agent.DGO virus 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\Spyware Doctor\pctsTray.exe.vir Win32/TrojanDropper.Agent.DGO virus 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\bmkwnkaa.dll.vir Win32/Small.NDR trojan 7B662800EDDB88715B0E41C5AB93481F
C:\QooBox\Quarantine\C\WINDOWS\system32\csssuyfq.dll.vir Win32/Adware.AdMedia application 202FCC24C05B9D8F20F77D120F433CA3
C:\QooBox\Quarantine\C\WINDOWS\system32\ctfmon.exe.tmp.vir Win32/TrojanDropper.Agent.DGO virus 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\geBrpppp.dll.vir Win32/Adware.Virtumonde application 9EA0922817F2D054B2C55BDE6F0329D6
C:\QooBox\Quarantine\C\WINDOWS\system32\iyxwapvs.dll.vir Win32/Adware.AdMedia application 0AEB8248EA3D7BAA7FCFD9F3E552805E
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkHXNEV.dll.vir Win32/Adware.Virtumonde application FD946855A1570E418FC15583C00B99DB
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkIYoMg.dll.vir Win32/Adware.Virtumonde application 686FA20ADC1A2C98F4BD7E8C41FE98B2
C:\QooBox\Quarantine\C\WINDOWS\system32\ntslgtxi.dll.vir Win32/Small.NDR trojan 7B662800EDDB88715B0E41C5AB93481F
C:\QooBox\Quarantine\C\WINDOWS\system32\pawavhri.dll.vir Win32/Adware.AdMedia application B0C0BB89B893DBA3C4D966EFCC60F25B
C:\QooBox\Quarantine\C\WINDOWS\system32\pckavddx.dll.vir Win32/Adware.Virtumonde application FE42E09E36F8F17A156C0B4CD9CA2818
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnlm.dll.vir Win32/Adware.Virtumonde.FP application D0979E49DDF0262E79658A2894B347E3
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnlm.exe.vir Win32/TrojanDropper.Agent.DGO virus 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\qfcknpon.dll.vir Win32/Small.NDR trojan 7B662800EDDB88715B0E41C5AB93481F
C:\QooBox\Quarantine\C\WINDOWS\system32\rajnmrur.dll.vir Win32/Adware.AdMedia application B0C0BB89B893DBA3C4D966EFCC60F25B
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX15.tmp.vir Win32/TrojanDropper.Agent.DGO virus 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\RCXE.tmp.vir Win32/TrojanDropper.Agent.DGO virus 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\tuxvbqmp.dll.vir Win32/Adware.Virtumonde application D17F4D24D80D285B3E2BCC29AEE2D668
C:\QooBox\Quarantine\C\WINDOWS\system32\vfqchypy.dll.vir Win32/Adware.AdMedia application 5EB1426B2B272E2773895C0D46D48DB3
C:\QooBox\Quarantine\C\WINDOWS\system32\vtUnkHyw.dll.vir Win32/Adware.Virtumonde application F2DF731021B5A25B0F086345394DC56F
C:\QooBox\Quarantine\C\WINDOWS\system32\windows.vir Win32/Adware.SecToolbar application AD249B316368039C91BC2B6B3DDFFF64
C:\QooBox\Quarantine\C\WINDOWS\system32\wpmhxpib.dll.vir Win32/Adware.Virtumonde application 02146CF11AED60BC36B26A37EFF83346
C:\QooBox\Quarantine\C\WINDOWS\system32\xxyvvTJA.dll.vir Win32/Adware.Virtumonde application 3F4B4699EDF04C83CB34BA62CA13E22B
C:\QooBox\Quarantine\C\WINDOWS\Web\def.htm.vir Win32/TrojanDownloader.FakeAlert.AV trojan F2154DA9EA4799BB5A89191FEB0F3F4C








Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:10:53 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon07.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Steam\steam.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zboard] "C:\Program Files\Ideazon\ZEngine\Zboard.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [HPHUPD07] "C:\Program Files\HP\{C8EEAA89-0A3E-441f-B646-17A46F5D6954}\hphupd07.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon07] C:\WINDOWS\system32\hphmon07.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [DesktopX] "C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX.exe"
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9470509437
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8811 bytes
Renauldo
Active Member
 
Posts: 10
Joined: April 25th, 2008, 12:28 pm

Re: Virus problem

Unread postby peku006 » May 4th, 2008, 6:35 am

Hello Renauldo
Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.

    I need you to right click on the start button
    click on explore
    and navigate to and delete these files (if present):


    "C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\My Documents\LimeWire\Saved\.Fruity Loops Studio 7 Full Crack.rar"
    "C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\My Documents\LimeWire\Saved\convertxtodvd key.zip"
    "C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\My Documents\LimeWire\Saved\photpshop cs2 keygen.zip"
    "C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\My Documents\LimeWire\Saved\reason 3 keygen.zip"
    "C:\Documents and Settings\Benjamin Brouse.NIGHTCRAWLER\My Documents\LimeWire\Saved\unwritten law album bittorrent downloader.zip"



You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 6.
  • Go Here to download.
  • Go to Java Runtime Environment (JRE) 6 Update 6 and click on Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u4-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

:Time for some housekeeping:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"

:remove tools:
    Let's clear out the programmes we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.


    Please download OTMoveIt and save it to desktop.
    • Double click OTMoveIt.exe to launch the programme.
    • Click on the CleanUp! button.
    • OTMoveIt will download a list from the Internet, if your firewall or other defensive programmes alerts you, allow it access.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • When finished exit out of OTMoveIt
    • The tool will delete itself once it finishes, if not delete it by yourself.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with anti-virus software. A tutorial on installing & using this product can be found here:

    Instructions for Spybot S & D
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected In The First Place

Happy surfing and stay clean! ;)
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway
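As an added example that is not part of peku006's reply, the PowerShell script below audits the Internet-zone Custom Level settings the reply walks through by reading the registry values that dialog writes, and can apply the recommended values with -Fix. The value names follow the security-zone registry entries Microsoft documents for Internet Explorer; the key path and the 0/1/3 encoding of Enable/Prompt/Disable are assumptions stated in the comments.

```powershell
# Added example, not code from the MalwareRemoval.com reply: check the Internet zone
# (zone 3) against the settings the reply recommends. Assumptions: IE keeps the user's
# zone settings under the HKCU key below, value names are Microsoft's documented URL
# action IDs (KB 182569), and 0 / 1 / 3 encode Enable / Prompt / Disable.
$InternetZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Setting as labelled in the Custom Level dialog -> registry value name -> recommended value
$Recommended = @(
    @{ Label = 'Download signed ActiveX controls';                          Value = '1001'; Want = 1 }
    @{ Label = 'Download unsigned ActiveX controls';                        Value = '1004'; Want = 3 }
    @{ Label = 'Initialize and script ActiveX controls not marked as safe'; Value = '1201'; Want = 3 }
    @{ Label = 'Installation of desktop items';                             Value = '1800'; Want = 1 }
    @{ Label = 'Launching programs and files in an IFRAME';                 Value = '1804'; Want = 1 }
    @{ Label = 'Navigate sub-frames across different domains';              Value = '1607'; Want = 1 }
)

function Test-InternetZoneHardening {
    param(
        [string]$Key = $InternetZoneKey,
        [switch]$Fix    # when set, write the recommended value for each non-compliant setting
    )
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($r in $Recommended) {
        $current = $props.($r.Value)
        # An absent value means IE falls back to its built-in default for the zone.
        if ($null -eq $current) { $state = 'not set' }
        else {
            $state = $Meaning[[int]$current]
            if ($null -eq $state) { $state = "unknown ($current)" }
        }
        $ok = ($null -ne $current) -and ([int]$current -eq $r.Want)
        if (-not $ok -and $Fix) {
            Set-ItemProperty -Path $Key -Name $r.Value -Value $r.Want -Type DWord
        }
        # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0
        New-Object PSObject -Property @{
            Setting   = $r.Label
            Registry  = $r.Value
            Current   = $state
            Wanted    = $Meaning[$r.Want]
            Compliant = $ok
            Fixed     = ((-not $ok) -and $Fix)
        } | Select-Object Setting, Registry, Current, Wanted, Compliant, Fixed
    }
}

# Report only; add -Fix to apply the reply's settings to the current user's profile.
Test-InternetZoneHardening | Format-Table -AutoSize
```

Because Custom Level writes per-user values, run this as the account whose browser was hardened; settings changed under a different profile will not show here.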