
Solved DRIVER_IRQL_NOT_LESS_OR_EQUAL DDS logs

Discussion in 'Malware and Virus Removal Archive' started by Sanctus, 2009/08/16.

  1. 2009/08/16
    Sanctus (Thread Starter)
    [Resolved] DRIVER_IRQL_NOT_LESS_OR_EQUAL DDS logs

    Previous thread: http://www.windowsbbs.com/windows-xp/86372-driver_irql_not_less_or_equal.html#post471873

    DDS:


    DDS (Ver_09-07-30.01) - NTFSx86 MINIMAL
    Run by Administrator at 17:40:28.46 on Sun 08/16/2009
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.264 [GMT -4:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    C:\Documents and Settings\Administrator\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    mSearchAssistant = hxxp://www.google.com/ie
    mWinlogon: UIHost=c:\windows\system32\logonui.exe
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - d:\adobe\/Adobe Contribute CS4/contributeieplugin.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
    BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - d:\adobe\/Adobe Contribute CS4/contributeieplugin.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - No File
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe "
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [PHIME2002ASync] "c:\windows\system32\ime\tintlgnt\TINTSETP.EXE" /SYNC
    mRun: [PHIME2002A] "c:\windows\system32\ime\tintlgnt\TINTSETP.EXE" /IMEName
    mRun: [Broadcom Wireless Manager UI] "c:\windows\system32\WLTRAY.exe "
    mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] "c:\windows\system32\nwiz.exe" /installquiet
    mRun: [HPDJ Taskbar Utility] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe "
    mRun: [HPHmon04] "c:\windows\system32\hphmon04.exe "
    mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
    mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
    mRun: [<NO NAME>]
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe "
    mRun: [DMXLauncher] "c:\program files\roxio\media experience\DMXLauncher.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [Ad-Watch] "c:\program files\lavasoft\ad-aware\AAWTray.exe "
    mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe "
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe "
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [Acrobat Assistant 8.0] "d:\adobe\acrobat 9.0\acrobat\Acrotray.exe "
    mRun: [Adobe_ID0ENQBO] "c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE "
    mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
    mRun: [RestartNeroSetup] "g:\installation\Setupx.exe" StartedFromMI= "1 "
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
    IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236914398375
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
    LSA: Authentication Packages = msv1_0 relog_ap

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\4g70v25r.default\
    FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\4g70v25r.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
    FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-29 64160]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
    S2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-8-8 464264]
    S2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-8-8 234888]
    S2 HssSrv;Hotspot Shield Routing Service;c:\program files\hotspot shield\hsswpr\hsssrv.exe [2009-6-1 331312]
    S2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2009-3-13 102463]
    S2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2003-9-29 237657]
    S2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2003-9-29 69706]
    S2 RPCHGM;Remote Procedure Call (HGM);c:\program files\netmeeting\secedit.exe [2009-8-7 22863560]
    S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-5-25 604416]
    S2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [2009-5-3 10752]
    S2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2009-3-19 598856]
    S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
    S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2009-6-25 1527900]
    S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\hotspot shield\bin\HssTrayService.exe [2009-6-1 34352]
    S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2003-9-29 83008]
    S3 netskt;netskt;c:\windows\system32\netskt.sys [2004-8-4 2304]

    =============== Created Last 30 ================

    2009-08-08 18:08 <DIR> --d----- c:\program files\TuneUpMedia
    2009-08-08 18:08 <DIR> --d----- c:\docume~1\admini~1\applic~1\TuneUpMedia
    2009-08-08 18:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TuneUpMedia
    2009-08-08 18:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Azureus
    2009-08-08 18:03 <DIR> --d----- c:\docume~1\admini~1\applic~1\Azureus
    2009-08-08 17:59 <DIR> --d----- c:\program files\AskBarDis
    2009-08-08 17:20 140,800 a------- c:\windows\system32\tm20dec.ax
    2009-08-08 16:14 87,608 a------- c:\docume~1\admini~1\applic~1\inst.exe
    2009-08-08 16:14 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
    2009-08-08 16:14 47,360 a------- c:\docume~1\admini~1\applic~1\pcouffin.sys
    2009-08-08 16:14 217,127 a------- c:\windows\system32\drv43260.dll
    2009-08-08 16:14 208,935 a------- c:\windows\system32\drv33260.dll
    2009-08-08 16:14 176,165 a------- c:\windows\system32\drv23260.dll
    2009-08-08 16:14 102,439 a------- c:\windows\system32\sipr3260.dll
    2009-08-08 16:14 65,602 a------- c:\windows\system32\cook3260.dll
    2009-08-08 16:14 <DIR> --d----- c:\program files\VSO
    2009-08-07 10:34 <DIR> --d----- c:\program files\VS Revo Group
    2009-08-05 18:23 <DIR> --d----- c:\program files\AviSynth 2.5
    2009-08-05 18:22 <DIR> --d----- c:\program files\eRightSoft

    ==================== Find3M ====================

    2009-08-08 17:29 31,643 a------- c:\windows\system32\nvModes.dat
    2009-08-07 15:59 4,224 a------- c:\windows\system32\drivers\beep.sys
    2009-07-11 21:21 2,320,640 a------- c:\windows\system32\TUKernel.exe
    2009-07-07 18:11 141,612 a------- c:\windows\system32\drivers\dump_wmimmc.sys
    2009-06-27 14:28 441,760 a------- c:\windows\system32\drivers\timntr.sys
    2009-06-27 14:28 44,384 a------- c:\windows\system32\drivers\tifsfilt.sys
    2009-06-27 14:28 129,248 a------- c:\windows\system32\drivers\snapman.sys
    2009-06-27 14:27 368,544 a------- c:\windows\system32\drivers\tdrpman.sys
    2009-06-17 22:52 7,028 a--sh--- c:\windows\system32\sys_drv.dat
    2009-06-17 22:52 6,024 a--sh--- c:\windows\system32\sys_drv_2.dat
    2009-06-14 00:30 15,688 a------- c:\windows\system32\lsdelete.exe
    2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
    2009-05-25 23:30 604,416 a------- c:\windows\system32\TUProgSt.exe
    2009-05-25 23:30 361,216 a------- c:\windows\system32\TuneUpDefragService.exe
    2006-05-03 05:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
    2007-02-21 06:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
    2008-03-16 08:30 216,064 ---shr-- c:\windows\system32\nbDX.dll

    ============= FINISH: 17:43:31.60 ===============


    Attach:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-07-30.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/12/2009 9:55:31 PM
    System Uptime: 8/16/2009 5:37:46 PM (0 hours ago)

    Motherboard: Dell Computer Corporation | | 0W0941
    Processor: Genuine Intel(R) CPU 3.06GHz | Microprocessor | 3056/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 29 GiB total, 7.853 GiB free.
    D: is FIXED (NTFS) - 27 GiB total, 3.047 GiB free.
    E: is CDROM ()
    F: is FIXED (NTFS) - 279 GiB total, 232.621 GiB free.
    G: is CDROM ()
    H: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP49: 8/15/2009 2:53:32 PM - Installed Windows Media Format Runtime
    RP50: 8/15/2009 2:53:39 PM - System Checkpoint
    RP51: 8/15/2009 2:53:48 PM - System Checkpoint
    RP52: 8/15/2009 2:53:51 PM - System Checkpoint
    RP53: 8/15/2009 2:53:54 PM - Revo Uninstaller's restore point - ConvertXtoDVD 3.3.4.106e
    RP54: 8/15/2009 2:53:55 PM - Revo Uninstaller's restore point - Sothink iPod Video Converter
    RP55: 8/15/2009 2:53:58 PM - Revo Uninstaller's restore point - Final Fantasy VII - Ultima Edition
    RP56: 8/15/2009 2:54:07 PM - Revo Uninstaller's restore point - Vuze
    RP57: 8/15/2009 2:54:10 PM - Revo Uninstaller's restore point - Vuze Toolbar
    RP58: 8/15/2009 2:54:12 PM - Revo Uninstaller's restore point - QuickTime
    RP59: 8/15/2009 2:54:15 PM - Removed QuickTime
    RP60: 8/15/2009 2:54:23 PM - Revo Uninstaller's restore point - iTunes
    RP61: 8/15/2009 2:54:26 PM - Removed iTunes
    RP62: 8/15/2009 4:36:31 PM - System Checkpoint

    ==== Installed Programs ======================

    µTorrent
    Acrobat.com
    Acronis True Image Home
    Ad-Aware
    Adobe Acrobat 9 Pro - English, Français, Deutsch
    Adobe Acrobat 9.1.2 - CPSID_49166
    Adobe After Effects CS4
    Adobe After Effects CS4 Presets
    Adobe After Effects CS4 Third Party Content
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Asset Services CS4
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color - Photoshop Specific CS4
    Adobe Color EU Extra Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Recommended Settings CS4
    Adobe Color Video Profiles AE CS4
    Adobe Color Video Profiles CS CS4
    Adobe Contribute CS4
    Adobe Creative Suite 4 Master Collection
    Adobe CS4 American English Speech Analysis Models
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Device Central CS4
    Adobe Dreamweaver CS4
    Adobe Drive CS4
    Adobe Dynamiclink Support
    Adobe Encore CS4
    Adobe Encore CS4 Codecs
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Fireworks CS4
    Adobe Flash CS4
    Adobe Flash CS4 Extension - Flash Lite STI en
    Adobe Flash CS4 STI-en
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Illustrator CS4
    Adobe InDesign CS4
    Adobe InDesign CS4 Application Feature Set Files (Roman)
    Adobe InDesign CS4 Common Base Files
    Adobe InDesign CS4 Icon Handler
    Adobe Linguistics CS4
    Adobe Media Encoder CS4
    Adobe Media Encoder CS4 Additional Exporter
    Adobe Media Encoder CS4 Dolby
    Adobe Media Encoder CS4 Exporter
    Adobe Media Encoder CS4 Importer
    Adobe Media Player
    Adobe MotionPicture Color Files CS4
    Adobe OnLocation CS4
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop CS4
    Adobe Photoshop CS4 Support
    Adobe Premiere Pro CS4
    Adobe Premiere Pro CS4 Functional Content
    Adobe Premiere Pro CS4 Third Party Content
    Adobe Reader 7.0.5
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe SGM CS4
    Adobe Shockwave Player 11.5
    Adobe SING CS4
    Adobe Soundbooth CS4
    Adobe Soundbooth CS4 Codecs
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe Version Cue CS4 Server
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    AMI Up2Date
    Apple Mobile Device Support
    Apple Software Update
    Bonjour
    Broadcom 440x 10/100 Integrated Controller
    C-Major Audio
    Choice Guard
    ConcealedStory
    Conexant D480 MDC V.9x Modem
    Connect
    Dell Wireless WLAN Card
    DivX
    Finale 2009
    Firebird SQL Server - MAGIX Edition
    Folder Lock
    Folder Lock 6.2.1
    Foxit PDF Suite
    Fraps (remove only)
    Free Studio version 4.1
    Garritan Instruments for Finale 2009
    Google Toolbar for Internet Explorer
    GUT reaction
    Hotspot Shield 1.17
    Hybrid Downloader 1,0,2,6
    IsoBuster 2.5
    Java(TM) 6 Update 12
    kuler
    LimeWire PRO 5.1.2
    Mabinogi
    Macromedia Flash Player 8
    Magic ISO Maker v5.3 (build 0221)
    MAGIX Music Maker 15 Premium Download version 15.0.1.5 (UK)
    MAGIX Screenshare 4.3.6.1987 (UK)
    Malwarebytes' Anti-Malware
    McAfee VirusScan Enterprise
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0
    Microsoft Application Error Reporting
    Microsoft AppLocale
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Live Add-in 1.3
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Windows Application Compatibility Database
    Mozilla Firefox (3.0.13)
    MSVCRT
    MSXML 6.0 Parser
    NVIDIA Drivers
    Pando Media Booster
    PDF Settings CS4
    Photoshop Camera Raw
    Photosmart 130,230,7150,7345,7350,7550 (Remove only)
    Pixel Bender Toolkit
    Revo Uninstaller 1.83
    Roxio Content 9
    Roxio Drag-to-Disc
    Roxio Easy Media Creator 9 Suite
    Security Update for Windows XP (KB958644)
    Segoe UI
    Sibelius Scorch (Firefox, Opera, Netscape only)
    SightSpeed
    Spybot - Search & Destroy
    SpywareBlaster 4.1
    SpywareGuard v2.2
    Suite Shared Configuration CS4
    SUPER © Version 2009.bld.36 (June 10, 2009)
    Text-To-Speech-Runtime
    Trickster Online
    Trojan Remover 6.6.5
    TuneUp Companion 1.5.7
    TuneUp Utilities 2009
    Uninstall 1.0.0.1
    Unlocker 1.8.7
    Update for Windows XP (KB898461)
    VIA Register Tool
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    Window Washer
    Windows Installer 3.1 (KB893803)
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    WinRAR archiver
    WinZip
    Xfire (remove only)

    ==== Event Viewer Messages From Past Week ========

    8/16/2009 8:28:17 AM, error: Service Control Manager [7034] - The Remote Procedure Call (HGM) service terminated unexpectedly. It has done this 1 time(s).
    8/16/2009 8:27:38 AM, error: DCOM [10021] - The launch and activation security descriptor for the COM Server application with CLSID {2A6D72F1-6E7E-4702-B99C-E40D3DED33C3} is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.
    8/16/2009 12:49:52 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    8/16/2009 12:49:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    8/16/2009 12:49:07 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    8/16/2009 12:49:07 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    8/16/2009 12:49:07 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/16/2009 12:49:07 PM, error: Service Control Manager [7001] - The Hotspot Shield Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service or group failed to start.
    8/16/2009 12:49:07 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/16/2009 12:49:07 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    8/16/2009 12:49:07 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/16/2009 12:49:07 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/16/2009 12:02:01 PM, error: System Error [1003] - Error code 100000d1, parameter1 e1c29000, parameter2 00000002, parameter3 00000000, parameter4 f60f9225.
    8/16/2009 1:40:48 PM, error: System Error [1003] - Error code 100000d1, parameter1 e1c41000, parameter2 00000002, parameter3 00000000, parameter4 f6091225.
    8/15/2009 2:53:12 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
    8/15/2009 2:53:00 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Media Center Receiver Server service to connect.

    ==== End Of File ===========================
     
  2. 2009/08/16
    broni (Moderator, Malware Analyst)
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE. If Combofix asks you to install Recovery Console, please allow it.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

    ==============================================================

    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     

  4. 2009/08/17
    Sanctus (Thread Starter)
    I ended up with a ComboFix - quarantined - files as well, so I'll put that after the ComboFix log.

    ComboFix 09-08-10.06 - Administrator 08/17/2009 9:28.1.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.299 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    .

    Overlay aborted ... Please run ComboFix once more
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Administrator\Application Data\.#
    c:\documents and settings\Administrator\Application Data\.#\MBX@3A0@14537C8.###
    c:\documents and settings\Administrator\Application Data\.#\MBX@3A0@14537D8.###
    c:\documents and settings\Administrator\Application Data\.#\MBX@3A0@14537E8.###
    c:\documents and settings\Administrator\Application Data\inst.exe
    c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
    c:\windows\system32\6to4v32.dll
    c:\windows\system32\AVSredirect.dll
    c:\windows\system32\certstore.dat
    D:\install.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_6TO4
    -------\Service_6to4


    ((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))
    .

    2009-08-16 21:49 . 2009-08-16 21:49 -------- d-----w- c:\program files\trend micro
    2009-08-16 21:49 . 2009-08-16 21:49 -------- d-----w- C:\rsit
    2009-08-08 22:08 . 2009-08-09 09:20 -------- d-----w- c:\program files\TuneUpMedia
    2009-08-08 22:08 . 2009-08-09 09:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\TuneUpMedia
    2009-08-08 22:08 . 2009-08-08 22:09 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TuneUpMedia
    2009-08-08 22:04 . 2009-08-08 22:04 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Azureus
    2009-08-08 22:03 . 2009-08-08 22:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Azureus
    2009-08-08 21:59 . 2009-08-08 22:31 -------- d-----w- c:\program files\AskBarDis
    2009-08-08 20:14 . 2009-08-08 20:14 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2009-08-08 20:14 . 2009-08-08 20:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vso
    2009-08-08 20:14 . 2007-03-19 00:37 65602 ----a-w- c:\windows\system32\cook3260.dll
    2009-08-08 20:14 . 2006-09-29 16:26 176165 ----a-w- c:\windows\system32\drv23260.dll
    2009-08-08 20:14 . 2006-09-29 16:25 208935 ----a-w- c:\windows\system32\drv33260.dll
    2009-08-08 20:14 . 2006-09-29 16:24 217127 ----a-w- c:\windows\system32\drv43260.dll
    2009-08-08 20:14 . 2002-12-10 06:20 102439 ----a-w- c:\windows\system32\sipr3260.dll
    2009-08-08 20:14 . 2009-08-08 20:20 -------- d-----w- c:\program files\VSO
    2009-08-07 19:58 . 2009-08-16 16:33 -------- d-----w- c:\program files\Warcraft III
    2009-08-07 14:34 . 2009-08-07 14:34 -------- d-----w- c:\program files\VS Revo Group
    2009-08-05 22:23 . 2007-05-17 21:30 318976 ----a-w- c:\windows\system32\avisynth.dll
    2009-08-05 22:23 . 2004-02-22 14:11 719872 ----a-w- c:\windows\system32\devil.dll
    2009-08-05 22:23 . 2004-01-25 04:00 70656 ----a-w- c:\windows\system32\yv12vfw.dll
    2009-08-05 22:23 . 2004-01-25 04:00 70656 ----a-w- c:\windows\system32\i420vfw.dll
    2009-08-05 22:23 . 2009-08-05 22:23 -------- d-----w- c:\program files\AviSynth 2.5
    2009-08-05 22:23 . 2008-03-16 12:30 216064 --sh--r- c:\windows\system32\nbDX.dll
    2009-08-05 22:23 . 2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll
    2009-08-05 22:23 . 2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll
    2009-08-05 22:22 . 2009-08-05 22:22 -------- d-----w- c:\program files\eRightSoft

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-16 16:38 . 2009-03-19 23:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
    2009-08-09 09:36 . 2009-06-09 02:39 -------- d-----w- c:\program files\iTunes
    2009-08-09 09:36 . 2009-04-23 01:32 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple Computer
    2009-08-09 09:36 . 2009-04-23 01:29 -------- d-----w- c:\program files\Common Files\Apple
    2009-08-08 21:29 . 2009-03-13 03:09 31643 ----a-w- c:\windows\system32\nvModes.dat
    2009-08-08 20:19 . 2009-08-08 20:14 47360 ----a-w- c:\documents and settings\Administrator\Application Data\pcouffin.sys
    2009-08-07 19:59 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
    2009-08-07 18:40 . 2009-04-13 00:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
    2009-08-05 21:41 . 2009-07-13 02:26 -------- d-----w- c:\program files\AVS4YOU
    2009-08-05 21:40 . 2009-07-13 02:29 -------- d-----w- c:\program files\Common Files\AVSMedia
    2009-07-13 02:33 . 2009-07-13 02:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVS4YOU
    2009-07-13 02:33 . 2009-07-13 02:33 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVS4YOU
    2009-07-12 17:51 . 2009-03-13 04:24 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
    2009-07-12 13:36 . 2009-07-12 13:30 -------- d-----w- c:\program files\Winamp
    2009-07-12 11:30 . 2009-07-11 21:51 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8ls
    2009-07-12 01:41 . 2009-07-12 01:41 39800 ----a-w- c:\windows\Fonts\Square 721 extended bt.ttf
    2009-07-12 01:21 . 2009-07-12 01:21 2320640 ----a-w- c:\windows\system32\TUKernel.exe
    2009-07-11 21:51 . 2009-07-11 21:51 -------- d-----w- c:\program files\AVG
    2009-07-11 21:30 . 2009-07-11 21:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Torrent Episode Downloader
    2009-07-11 20:37 . 2009-07-11 20:37 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Sixxpack
    2009-07-07 22:11 . 2009-07-07 05:54 141612 ----a-w- c:\windows\system32\drivers\dump_wmimmc.sys
    2009-07-07 21:19 . 2009-03-13 03:04 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-07-07 03:23 . 2009-07-07 03:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Xfire
    2009-07-07 03:23 . 2009-07-07 03:23 -------- d-s---w- c:\program files\Xfire
    2009-07-07 00:04 . 2009-07-07 00:04 -------- d-----w- c:\program files\Persona
    2009-06-30 12:53 . 2009-03-14 02:49 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PMB Files
    2009-06-29 19:38 . 2009-03-13 04:21 150264 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-27 18:28 . 2009-06-27 18:28 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
    2009-06-27 18:28 . 2009-06-27 18:28 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
    2009-06-27 18:28 . 2009-06-27 18:28 129248 ----a-w- c:\windows\system32\drivers\snapman.sys
    2009-06-27 18:27 . 2009-06-27 18:27 368544 ----a-w- c:\windows\system32\drivers\tdrpman.sys
    2009-06-27 18:26 . 2009-06-27 18:24 -------- d-----w- c:\program files\Common Files\Acronis
    2009-06-27 18:24 . 2009-06-27 18:24 -------- d-----w- c:\program files\Acronis
    2009-06-26 02:49 . 2009-06-26 01:15 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\MAGIX
    2009-06-26 02:49 . 2009-06-26 02:45 -------- d-----w- c:\program files\MAGIX
    2009-06-26 01:24 . 2009-06-26 01:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\MAGIX
    2009-06-21 05:46 . 2009-06-21 05:46 -------- d-----w- c:\program files\VALVe
    2009-06-18 02:52 . 2009-05-04 00:19 7028 --sha-w- c:\windows\system32\sys_drv.dat
    2009-06-18 02:52 . 2009-05-04 00:19 6024 --sha-w- c:\windows\system32\sys_drv_2.dat
    2009-06-14 04:30 . 2009-03-29 20:27 15688 ----a-w- c:\windows\system32\lsdelete.exe
    2009-06-06 20:50 . 2009-06-06 20:50 0 ----a-w- c:\windows\system32\cd.dat
    2009-06-06 19:00 . 2004-08-04 12:00 12400 ----a-w- c:\windows\system32\drivers\secdrv.sys
    2009-06-06 17:57 . 2009-06-06 17:57 502 ----a-w- c:\windows\eReg.dat
    2009-06-05 15:42 . 2009-04-23 01:30 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2009-06-05 15:42 . 2009-04-23 01:30 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
    2009-06-01 18:13 . 2009-06-01 18:13 33840 ----a-w- c:\windows\system32\drivers\HssDrv.sys
    2009-05-26 03:30 . 2009-05-26 03:30 604416 ----a-w- c:\windows\system32\TUProgSt.exe
    2009-05-26 03:30 . 2009-05-26 03:30 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
    2009-03-10 13:30 . 2009-03-10 13:30 5817072 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
    2006-05-03 09:06 . 2009-08-05 22:23 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47 . 2009-08-05 22:23 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30 . 2009-08-05 22:23 216064 --sh--r- c:\windows\system32\nbDX.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
    "nwiz"="c:\windows\system32\nwiz.exe" [2004-10-26 921600]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
    "HPHmon04"="c:\windows\system32\hphmon04.exe" [2006-01-06 348160]
    "ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
    "McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-04-07 135224]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 221184]
    "DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 148888]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-12 520024]
    "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "Acrobat Assistant 8.0"="d:\adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="c:\windows\system32\logonui.exe"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe Acrobat Speed Launcher"="d:\adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    "RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe"
    "TrueImageMonitor.exe"=c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe"
    "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" -lang 1033

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Persona\\Persona.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "58806:TCP"= 58806:TCP:pando Media Booster
    "58806:UDP"= 58806:UDP:pando Media Booster
    "5353:TCP"= 5353:TCP:Adobe CSI CS4
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
    "51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
    "51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
    "18000:TCP"= 18000:TCP:UTorrent port
    "57927:TCP"= 57927:TCP:pando Media Booster
    "57927:UDP"= 57927:UDP:pando Media Booster

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/29/2009 1:29 AM 64160]
    R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [8/8/2009 5:59 PM 464264]
    R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [8/8/2009 6:00 PM 234888]
    R2 HssSrv;Hotspot Shield Routing Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [6/1/2009 2:13 PM 331312]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
    R2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [5/3/2009 8:18 PM 10752]
    S2 RPCHGM;Remote Procedure Call (HGM);c:\program files\NetMeeting\secedit.exe [8/7/2009 3:59 PM 22863560]
    S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
    S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [6/25/2009 10:48 PM 1527900]
    S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [6/1/2009 2:58 PM 34352]
    S3 netskt;netskt;c:\windows\system32\netskt.sys [8/4/2004 8:00 AM 2304]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - project

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)


    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\4g70v25r.default\
    FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4g70v25r.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
    FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

    ---- FIREFOX POLICIES ----
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-17 09:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(908)
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    c:\windows\System32\BCMLogon.dll

    - - - - - - - > 'lsass.exe'(1080)
    c:\windows\system32\relog_ap.dll

    - - - - - - - > 'explorer.exe'(2680)
    c:\windows\system32\nview.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\nvwddi.dll
    c:\program files\Roxio\Drag-to-Disc\Shellex.dll
    c:\windows\system32\DLAAPI_W.DLL
    c:\windows\system32\CDRTC.DLL
    c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\msi.dll
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\WLTRYSVC.EXE
    c:\windows\system32\BCMWLTRY.EXE
    c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Hotspot Shield\bin\openvpnas.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Network Associates\Common Framework\FrameworkService.exe
    c:\program files\Network Associates\VirusScan\Mcshield.exe
    c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
    c:\program files\Network Associates\VirusScan\VsTskMgr.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    c:\windows\system32\TUProgSt.exe
    c:\program files\Webroot\Washer\WasherSvc.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    .
    **************************************************************************
    .
    Completion time: 2009-08-17 9:59 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-17 13:58

    Pre-Run: 11,046,522,880 bytes free
    Post-Run: 11,178,057,728 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect /TUTag=RVM8YN

    288

    Quarantined Files:

    2009-08-17 13:55:16 . 2009-08-17 13:55:16 116 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98}.reg.dat
    2009-08-17 13:55:14 . 2009-08-17 13:55:14 132 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
    2009-08-17 13:40:07 . 2009-08-17 13:40:07 4,028 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_6to4.reg.dat
    2009-08-17 13:40:05 . 2009-08-17 13:40:05 990 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_6TO4.reg.dat
    2009-08-17 13:39:07 . 2009-08-17 13:39:07 9,077 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
    2009-08-17 13:15:30 . 2009-08-17 13:24:24 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
    2009-08-08 20:14:54 . 2009-08-08 20:19:38 87,608 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\inst.exe.vir
    2009-08-05 22:23:40 . 2005-07-14 16:31:20 27,648 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\AVSredirect.dll.vir
    2009-06-18 02:45:12 . 2009-06-18 02:45:12 2,048 ----atw- C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\.#\MBX@3A0@14537C8.###.vir
    2009-06-18 02:45:09 . 2009-06-18 02:45:09 2,048 ----atw- C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\.#\MBX@3A0@14537E8.###.vir
    2009-06-18 02:45:09 . 2009-06-18 02:45:09 2,048 ----atw- C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\.#\MBX@3A0@14537D8.###.vir
    2009-03-15 21:57:26 . 2003-06-13 22:23:00 4,304 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb.vir
    2004-08-04 12:00:00 . 2004-08-04 12:00:00 57,344 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4v32.dll.vir
    2004-08-04 12:00:00 . 2004-08-04 12:00:00 41,631 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\certstore.dat.vir

    HiJackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:04:53 AM, on 8/17/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TUProgSt.exe
    C:\Program Files\Webroot\Washer\WasherSvc.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    D:\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] "C:\WINDOWS\system32\WLTRAY.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /installquiet
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe"
    O4 - HKLM\..\Run: [HPHmon04] "C:\WINDOWS\system32\hphmon04.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe"
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe_ID0ENQBO] "C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE"
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236914398375
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
    O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Remote Procedure Call (HGM) (RPCHGM) - Unknown owner - C:\Program Files\NetMeeting\secedit.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

    --
    End of file - 13760 bytes
     
  5. 2009/08/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Uninstall Combofix:
    Go Start > Run
    Type in:
    combofix /u
    Note the space between the "combofix" and the "/u"
    Restart computer.

    ===============================================================

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update Superantispyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!



    STEP 3.
    Post fresh HijackThis log.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  6. 2009/08/18
    Sanctus

    Sanctus Inactive Thread Starter

    Joined:
    2008/12/10
    Messages:
    25
    Likes Received:
    0
    SuperAntiSpyware log:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 08/18/2009 at 02:07 AM

    Application Version : 4.27.1002

    Core Rules Database Version : 4060
    Trace Rules Database Version: 2000

    Scan type : Complete Scan
    Total Scan Time : 03:47:00

    Memory items scanned : 252
    Memory threats detected : 0
    Registry items scanned : 7079
    Registry threats detected : 6
    File items scanned : 109111
    File threats detected : 1

    Rootkit.Agent/Gen-NetCard
    HKLM\System\ControlSet001\Services\netskt
    C:\WINDOWS\SYSTEM32\NETSKT.SYS
    HKLM\System\ControlSet001\Enum\Root\LEGACY_netskt
    HKLM\System\ControlSet002\Services\netskt
    HKLM\System\ControlSet002\Enum\Root\LEGACY_netskt
    HKLM\System\CurrentControlSet\Services\netskt
    HKLM\System\CurrentControlSet\Enum\Root\LEGACY_netskt

    MalwareBytes Log:

    Malwarebytes' Anti-Malware 1.40
    Database version: 2648
    Windows 5.1.2600 Service Pack 2

    8/18/2009 12:10:35 PM
    mbam-log-2009-08-18 (12-10-35).txt

    Scan type: Full Scan (C:\|D:\|F:\|)
    Objects scanned: 468821
    Time elapsed: 1 hour(s), 20 minute(s), 17 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RPCHGM (Trojan.Keylogger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_RPCHGM (Trojan.Keylogger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rpchgm (Trojan.Keylogger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rpchgm (Trojan.Keylogger) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    F:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP96\A0017670.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Program Files\NetMeeting\secedit.exe (Trojan.Keylogger) -> Delete on reboot.

    HiJackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:59:50 PM, on 8/18/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\system32\hphmon04.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\rundll32.exe
    D:\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    C:\WINDOWS\System32\TUProgSt.exe
    C:\Program Files\Webroot\Washer\WasherSvc.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\Program Files\Hotspot Shield\bin\openvpntray.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\trend micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] "C:\WINDOWS\system32\WLTRAY.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /installquiet
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe "
    O4 - HKLM\..\Run: [HPHmon04] "C:\WINDOWS\system32\hphmon04.exe "
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe "
    O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe "
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe "
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [Adobe_ID0ENQBO] "C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE "
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe "
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236914398375
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
    O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

    --
    End of file - 14028 bytes
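The Malwarebytes log above names the same service (RPCHGM) and binary (C:\Program Files\NetMeeting\secedit.exe) that appeared as an O23 entry in the earlier HijackThis log. The script below is an added triage example, not code from the thread or from either tool: it parses O23 service lines, applies the heuristics an analyst applies by eye (no company name, a Windows system binary name outside the Windows directory, a display name that mimics a core Windows service), and cross-checks the hits against the Malwarebytes detection lines. The sample lines are copied from the logs above; the heuristic tables and all function names are constructed for this example.

```python
"""Triage HijackThis O23 service entries and cross-check them against a
Malwarebytes log (added example; not part of the thread or of either tool)."""
import re
from dataclasses import dataclass

# Constructed sample: four O23 lines copied from the HijackThis log above.
HJT_SAMPLE = r"""
O23 - Service: Remote Procedure Call (HGM) (RPCHGM) - Unknown owner - C:\Program Files\NetMeeting\secedit.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
"""

# Constructed sample: two detection lines copied from the Malwarebytes log above.
MBAM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RPCHGM (Trojan.Keylogger) -> Quarantined and deleted successfully.
C:\Program Files\NetMeeting\secedit.exe (Trojan.Keylogger) -> Delete on reboot.
"""

# "O23 - Service: <display> - <owner> - <drive path>"; display is greedy so a
# display name containing " - " (Firebird above) still parses correctly.
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*) - (?P<owner>.*?) - (?P<path>[A-Za-z]:\\.*)$")
# Trailing "(ShortName)" in the display name, if HijackThis printed one.
SHORT_RE = re.compile(r"^(?P<name>.*?)\s*\((?P<short>[^()\s]+)\)$")
MBAM_SERVICE_RE = re.compile(r"\\Services\\(?P<short>[^\\ ]+) \((?P<threat>[^)]+)\)")
MBAM_FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) \((?P<threat>[^)]+)\) ->")

# Heuristic tables (constructed for this example, not from the tools).
SYSTEM_BINARIES = {"secedit.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "csrss.exe", "smss.exe", "winlogon.exe", "spoolsv.exe"}
# Display-name prefix of a core Windows service -> the short name the real one uses.
CORE_SERVICE_NAMES = {"remote procedure call": "rpcss",
                      "windows management instrumentation": "winmgmt",
                      "task scheduler": "schedule"}


@dataclass
class ServiceEntry:
    display: str
    short: str
    owner: str
    path: str


def parse_hjt(text):
    """Return the O23 entries found in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        display = m["display"]
        s = SHORT_RE.match(display)
        short = s["short"] if s else display
        entries.append(ServiceEntry(display, short, m["owner"], m["path"]))
    return entries


def triage(entry):
    """Heuristic reasons to look closer at one service entry (may be empty)."""
    reasons = []
    path_l = entry.path.lower()
    exe = path_l.rsplit("\\", 1)[-1]
    if entry.owner.lower() == "unknown owner":
        reasons.append("no company name in the binary (weak signal on its own)")
    if exe in SYSTEM_BINARIES and not path_l.startswith("c:\\windows\\"):
        reasons.append(f"Windows system binary name '{exe}' outside the Windows directory")
    for prefix, real_short in CORE_SERVICE_NAMES.items():
        if entry.display.lower().startswith(prefix) and entry.short.lower() != real_short:
            reasons.append(f"display name mimics '{prefix}' but short name is not {real_short}")
    return reasons


def parse_mbam(text):
    """Map service short names and file paths flagged by Malwarebytes to threat names."""
    services, files = {}, {}
    for line in text.splitlines():
        m = MBAM_SERVICE_RE.search(line)
        if m:
            services[m["short"].lower()] = m["threat"]
            continue
        m = MBAM_FILE_RE.match(line.strip())
        if m:
            files[m["path"].lower()] = m["threat"]
    return services, files


def correlate(hjt_text, mbam_text):
    """Per service short name: heuristic reasons plus the scanner verdict, if any."""
    services, files = parse_mbam(mbam_text)
    report = {}
    for entry in parse_hjt(hjt_text):
        confirmed = services.get(entry.short.lower()) or files.get(entry.path.lower())
        report[entry.short] = {"reasons": triage(entry), "confirmed": confirmed}
    return report


if __name__ == "__main__":
    for short, info in correlate(HJT_SAMPLE, MBAM_SAMPLE).items():
        verdict = info["confirmed"] or "not flagged by Malwarebytes"
        print(f"{short}: {verdict}")
        for reason in info["reasons"]:
            print(f"    - {reason}")
```

Only RPCHGM trips all three heuristics and is the one the scanner confirmed; ASKService trips only the weak "Unknown owner" signal, which by itself is not evidence of malware.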
     
  7. 2009/08/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and click Scan to run the express scan. Click OK in the pop-up window to allow the scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.


    Post fresh HijackThis log as well.
     
  8. 2009/08/19
    Sanctus

    Sanctus Inactive Thread Starter

    Joined:
    2008/12/10
    Messages:
    25
    Likes Received:
    0
    Dr. Web report:

    askservice.exe;c:\program files\askbardis\bar\bin;Probably BACKDOOR.Trojan;Incurable.Deleted.;
    RegUBP2b-Administrator.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
    pskill.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
    A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mbk/mcinst.cab\McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably BACKDOOR.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mbk/mcinst.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000200.exe/data002\AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mbk/McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002;Probably BACKDOOR.Trojan;;
    A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mhn/mcinst.cab\McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably BACKDOOR.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mhn/mcinst.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000200.exe/data002\AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mhn/McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002;Probably BACKDOOR.Trojan;;
    A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MPF/mcinst.cab\McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably BACKDOOR.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MPF/mcinst.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000200.exe/data002\AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MPF/McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002;Probably BACKDOOR.Trojan;;
    A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MPF/mpfmisp.cab\MpfMisp.dll;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably DLOADER.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MPF/mpfmisp.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mps/mcinst.cab\McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably BACKDOOR.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mps/mcinst.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000200.exe/data002\AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mps/McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002;Probably BACKDOOR.Trojan;;
    A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MSAD/mcinst.cab\McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably BACKDOOR.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MSAD/mcinst.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000200.exe/data002\AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MSAD/McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002;Probably BACKDOOR.Trojan;;
    A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MSC/mcinst.cab\McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably BACKDOOR.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MSC/mcinst.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000200.exe/data002\AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MSC/McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002;Probably BACKDOOR.Trojan;;
    A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MSC/mscupd.cab\McUpdMgr.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably DLOADER.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MSC/mscupd.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/msk/mcinst.cab\McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably BACKDOOR.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/msk/mcinst.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000200.exe/data002\AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/msk/McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002;Probably BACKDOOR.Trojan;;
    A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mwl/mcinst.cab\McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably BACKDOOR.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mwl/mcinst.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000200.exe/data002\AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mwl/McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002;Probably BACKDOOR.Trojan;;
    A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/VSO/mcinst.cab\McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably BACKDOOR.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/VSO/mcinst.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000200.exe/data002\AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/VSO/McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000200.exe/data002;Probably BACKDOOR.Trojan;;
    data002;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000200.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Container contains infected objects;Moved.;
    A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mbk/mcinst.cab\McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably BACKDOOR.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mbk/mcinst.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000275.exe/data002\AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mbk/McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002;Probably BACKDOOR.Trojan;;
    A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mhn/mcinst.cab\McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably BACKDOOR.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mhn/mcinst.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000275.exe/data002\AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mhn/McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002;Probably BACKDOOR.Trojan;;
    A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MPF/mcinst.cab\McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably BACKDOOR.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MPF/mcinst.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000275.exe/data002\AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MPF/McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002;Probably BACKDOOR.Trojan;;
    A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MPF/mpfmisp.cab\MpfMisp.dll;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably DLOADER.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MPF/mpfmisp.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mps/mcinst.cab\McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably BACKDOOR.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mps/mcinst.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000275.exe/data002\AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mps/McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002;Probably BACKDOOR.Trojan;;
    A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MSAD/mcinst.cab\McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably BACKDOOR.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MSAD/mcinst.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000275.exe/data002\AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MSAD/McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002;Probably BACKDOOR.Trojan;;
    A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MSC/mcinst.cab\McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably BACKDOOR.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MSC/mcinst.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000275.exe/data002\AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MSC/McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002;Probably BACKDOOR.Trojan;;
    A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MSC/mscupd.cab\McUpdMgr.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably DLOADER.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/MSC/mscupd.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/msk/mcinst.cab\McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably BACKDOOR.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/msk/mcinst.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000275.exe/data002\AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/msk/McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002;Probably BACKDOOR.Trojan;;
    A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mwl/mcinst.cab\McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably BACKDOOR.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mwl/mcinst.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000275.exe/data002\AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/mwl/McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002;Probably BACKDOOR.Trojan;;
    A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/VSO/mcinst.cab\McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002/AutoPlay/Docs/Mcafee TOTAL;Probably BACKDOOR.Trojan;;
    AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/VSO/mcinst.cab;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000275.exe/data002\AutoPlay/Docs/Mcafee TOTAL PROTECTION 10 in 1 EN/en-US/Apps/VSO/McInst.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3\A0000275.exe/data002;Probably BACKDOOR.Trojan;;
    data002;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Archive contains infected objects;;
    A0000275.exe;F:\System Volume Information\_restore{47038061-0EAD-4B97-82BD-750002C08798}\RP3;Container contains infected objects;Moved.;

    HiJackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:58:52 AM, on 8/19/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    C:\WINDOWS\System32\TUProgSt.exe
    C:\Program Files\Webroot\Washer\WasherSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\system32\hphmon04.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    D:\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\Program Files\Hotspot Shield\bin\openvpntray.exe
    C:\Program Files\trend micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] "C:\WINDOWS\system32\WLTRAY.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /installquiet
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe "
    O4 - HKLM\..\Run: [HPHmon04] "C:\WINDOWS\system32\hphmon04.exe "
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe "
    O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe "
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe "
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [Adobe_ID0ENQBO] "C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE "
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe "
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236914398375
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

    --
    End of file - 13731 bytes
     
  9. 2009/08/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download JavaRa to your desktop and unzip it to its own folder.
    • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    ================================================================

    Please, uninstall AskBarDis through Add\Remove (if present).

    =================================================================

    Disable TeaTimer, as it'll interfere with the cleaning process:
    Right click Spybot's TeaTimer System Tray Icon.
    Click Exit Spybot-S&D Resident.
    TeaTimer closes.
    NOTE. If on re-boot, Spybot inquires about registry change(s), allow it.

    ==============================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)


    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    - O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
    - O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
    - O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    - O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /installquiet
    - O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe "
    - O4 - HKLM\..\Run: [HPHmon04] "C:\WINDOWS\system32\hphmon04.exe "
    - O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe "
    - O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    - O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe "
    - O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    - O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    - O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


    5. Click on Fix checked button.

    6. Go Start>Run (Vista users - "Start search "), type in:
    cmd
    Click OK (Vista users - hold CTRL, and SHIFT keys, press Enter).

    Command Prompt window will open.
    Type in:
    sc stop ASKUpgrade
    Press Enter.
    Wait for the service to be stopped.

    Type in:
    sc delete ASKUpgrade
    Press Enter.
    Wait for confirmation.


    7. Restart computer.

    8. Post new HijackThis log.
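    As an added example that is not part of this thread and not HijackThis code: a small Python triage script that parses the O2 (BHO), O4 (Run key) and O23 (service) lines of a HijackThis log, flags the two patterns acted on in the post above (a BHO whose DLL is "(no file)" and a service with "Unknown owner"), and diffs a pre-fix and a post-fix log to confirm which checked entries are really gone. The sample logs are short excerpts constructed from the 8/19 and 8/20 logs in this thread, and the function names are my own.

```python
"""HijackThis log triage: flag orphaned BHOs and publisher-less services, then
confirm that entries ticked under "Fix checked" are gone from the follow-up log.
Added example, not HijackThis code; the sample logs are constructed excerpts of
the 8/19 (before) and 8/20 (after) logs posted in this thread."""
import re
from dataclasses import dataclass

# Every finding is "<section> - <text>"; the optional "- " accepts lines copied from a post.
LINE_RE = re.compile(r"^\s*(?:- )?(?P<section>[RO]\d+) - (?P<text>.+?)\s*$")
# O2:  BHO: <name> - {<CLSID>} - <dll path or (no file)>
BHO_RE = re.compile(r"^BHO: (?P<name>.*) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
# O4:  <hive>\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23: Service: <display name> - <publisher> - <drive>:\<path>; anchoring the path on
# a drive letter keeps a " - " inside the display name from splitting the fields.
SVC_RE = re.compile(r"^Service: (?P<name>.+) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.*)$")


@dataclass(frozen=True)
class Entry:
    section: str  # "O2", "O4", "O23", ...
    text: str     # the line with its "O2 - " prefix removed

    def key(self) -> tuple:
        """CLSID for a BHO, hive+value name for a Run key, display name for a service."""
        if self.section == "O2" and (m := BHO_RE.match(self.text)):
            return ("O2", m["clsid"].upper())
        if self.section == "O4" and (m := RUN_RE.match(self.text)):
            return ("O4", m["hive"].upper(), m["name"].lower())
        if self.section == "O23" and (m := SVC_RE.match(self.text)):
            return ("O23", m["name"])
        return (self.section, self.text)


def parse_log(log: str) -> list[Entry]:
    """Keep the finding lines; the header and 'Running processes' block are skipped."""
    return [Entry(m["section"], m["text"])
            for m in map(LINE_RE.match, log.splitlines()) if m]


def orphaned_bhos(entries: list[Entry]) -> list[str]:
    """CLSIDs still registered as Browser Helper Objects although the DLL is gone."""
    found = []
    for e in entries:
        m = BHO_RE.match(e.text) if e.section == "O2" else None
        if m and m["path"].strip() == "(no file)":
            found.append(m["clsid"].upper())
    return found


def unknown_owner_services(entries: list[Entry]) -> list[str]:
    """Display names of services whose binary carries no publisher information."""
    found = []
    for e in entries:
        m = SVC_RE.match(e.text) if e.section == "O23" else None
        if m and m["owner"] == "Unknown owner":
            found.append(m["name"])
    return found


def verify_fix(before: str, after: str, checked: list[str]) -> dict:
    """Diff a pre-fix and a post-fix log; `checked` holds the ticked lines. Anything
    still present was not removed or was re-created at reboot by its owning software."""
    before_keys = {e.key(): e for e in parse_log(before)}
    after_keys = {e.key(): e for e in parse_log(after)}
    wanted = [e.key() for e in parse_log("\n".join(checked))]
    return {
        "removed": [k for k in wanted if k not in after_keys],
        "still_present": [after_keys[k].text for k in wanted if k in after_keys],
        "new": [e.text for k, e in after_keys.items() if k not in before_keys],
    }


BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
"""

AFTER_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
"""

# The entries the moderator asked to checkmark, copied with their leading "- ".
CHECKED = [
    "- O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)",
    r'- O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32',
    r'- O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup',
]
```

    Run against the two logs, verify_fix reports the IMJPMIG8.1 entry as removed and two entries as still present: the {3CA2F312-...} BHO (now listed as "(no name)" but still "(no file)") and NvCplDaemon, which the NVIDIA driver re-creates with a slightly different command line, exactly as the 8/20 log above shows.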
     
  10. 2009/08/20
    Sanctus

    Sanctus Inactive Thread Starter

    Joined:
    2008/12/10
    Messages:
    25
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:15:04 PM, on 8/20/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    C:\WINDOWS\System32\TUProgSt.exe
    C:\Program Files\Webroot\Washer\WasherSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    D:\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Hotspot Shield\bin\openvpntray.exe
    C:\Program Files\trend micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] "C:\WINDOWS\system32\WLTRAY.exe "
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe "
    O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe "
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [Adobe_ID0ENQBO] "C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE "
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236914398375
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

    --
    End of file - 12184 bytes
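An added example (not code from this thread or from HijackThis itself) that parses HJT-style log lines like the ones above and flags the two kinds of entry this thread treats as worth a second look: an orphaned entry ending in "(no file)" and an O23 service with no publisher ("Unknown owner"). The sample lines are constructed from entries quoted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from this thread's HJT log, plus the
# orphaned O2 entry the moderator asked to fix in post 11.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Entry:
    section: str   # HJT section code, e.g. "O4" or "O23"
    detail: str    # everything after "Oxx - "


# Every HJT line starts with a section code followed by " - ".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text):
    """Turn raw HJT log text into a list of Entry objects, skipping noise."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def flag_entries(entries):
    """Return (reason, entry) pairs for entries a reviewer should check.

    Rule 1: target file is gone ("(no file)"); the registry entry is an
            orphan and the usual advice is to let HJT remove it.
    Rule 2: an O23 service whose publisher field is "Unknown owner";
            not proof of anything, but it has no vendor name to verify.
    """
    flagged = []
    for e in entries:
        if e.detail.endswith("(no file)"):
            flagged.append(("orphaned entry (target file missing)", e))
        elif e.section == "O23" and " - Unknown owner - " in e.detail:
            flagged.append(("service without a publisher name", e))
    return flagged


if __name__ == "__main__":
    for reason, e in flag_entries(parse_hjt(SAMPLE_LOG)):
        print(f"{e.section}: {reason}: {e.detail}")
```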
     
  11. 2009/08/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Run HJT one more time, and checkmark:
    - O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    Click "Fix checked" button.

    When done....


    Your computer is clean :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure Windows Updates are current.

    6. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    7. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    8. Run defrag at your convenience.

    9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    10. Please let me know how your computer is doing.
     
  12. 2009/08/22
    Sanctus

    Sanctus Inactive Thread Starter

    Joined:
    2008/12/10
    Messages:
    25
    Likes Received:
    0
    Thanks SO much for the help this past week. I'm glad my computer is fixed. A few notes though.

    1. There was no '- O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)'

    2. Funnily enough, I already have WOT and am usually pretty cautious with web browsing. Hm...

    3. For the Windows update, I have to update to SP3; however, I've heard that SP3 can cause a lot of problems. Is it worth it?

    Thanks!
     
  13. 2009/08/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're very welcome :)

    1. That's fine.
    2. Good :)
    3. If you keep all updates current, don't worry about SP3. It's merely all updates in one shot.

    Happy surfing :)
     
  14. 2009/08/23
    Sanctus

    Sanctus Inactive Thread Starter

    Joined:
    2008/12/10
    Messages:
    25
    Likes Received:
    0
    Hm... One more thing. I was using my computer when I had to restart it. After I restarted, I got the BSOD again. When I restarted again, same thing. However, the third time, it worked.
     
  15. 2009/08/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Since your computer is clean, I suggest you start new topic under Windows section.
    Make sure to provide BSOD info.
     