
Solved: internet access problems with explorer.exe turned on

Discussion in 'Malware and Virus Removal Archive' started by tiintnn, 2008/06/22.

  1. 2008/06/22
    tiintnn

    tiintnn Inactive Thread Starter

    Joined:
    2008/06/22
    Messages:
    12
    Likes Received:
    0
    [Resolved] internet access problems with explorer.exe turned on

    Hi,

    I am having problems with slow (to unavailable) internet access.
    I previously found the Vundo virus about 2 weeks back and used Spyware Doctor to remove it and repair my system.

    Since then, I have had problems accessing the internet. I tried turning off explorer.exe through Task Manager and it helped restore the internet speed.
    But once I turn explorer.exe back on, the same problem arises.

    Wondering if you might be able to help.
    Many thanks!

    My log file is as follows:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:00:24 PM, on 6/22/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\ppfilm\jfCacheMgr.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = ftp://tiintinnrepublic.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O2 - BHO: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {8EA86503-476F-476A-A55A-7225082DF3EB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {DB6A3B27-0551-4CA0-AFFB-D736DB8A7501} - C:\WINDOWS\system32\urqNeeCr.dll (file missing)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O3 - Toolbar: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe "
    O4 - HKLM\..\Run: [jfproc] C:\Program Files\ppfilm\jfCacheMgr.exe
    O4 - HKLM\..\Run: [BMe3d9d80d] Rundll32.exe "C:\WINDOWS\system32\vqcyifhh.dll ",s
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-au/4,0,0,90/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-au/1,0,0,23/mcgdmgr.cab
    O20 - Winlogon Notify: yaywvtuS - yaywvtuS.dll (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

    --
    End of file - 11660 bytes

    thanks again
    david
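The HijackThis log above and the DSS "Files created" listing posted later in this thread show the pattern a helper looks for when triaging a Vundo clean-up: registry hooks that still point at files which no longer exist, a Run-key entry that loads a pseudo-random-named DLL through rundll32, and system32 files created in the last few days whose names match (or are the reverse of) the DLLs those hooks reference. The script below is an added example, not code from the thread or from the HijackThis or DSS tools; it parses a few lines copied from the two logs (plus benign Java and NVIDIA entries for contrast), cross-references them, and reports findings by rule. The 30-day window and the "eight letters, no digits" name heuristic are assumptions chosen for this example, and the low-severity rules are only hints that need a human to confirm against the rest of the log.

```python
import re
from datetime import date, timedelta

# Constructed sample input: a few lines copied from the HijackThis and DSS logs
# posted in this thread, plus benign entries (Java, NVIDIA) for contrast.
HJT_SAMPLE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {DB6A3B27-0551-4CA0-AFFB-D736DB8A7501} - C:\WINDOWS\system32\urqNeeCr.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMe3d9d80d] Rundll32.exe "C:\WINDOWS\system32\vqcyifhh.dll ",s
O20 - Winlogon Notify: yaywvtuS - yaywvtuS.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

DSS_FILES_SAMPLE = r"""
2008-06-22 15:59:46 0 d-------- C:\Program Files\Trend Micro
2008-06-16 21:48:04 90112 --a------ C:\WINDOWS\system32\vqcyifhh.dll
2008-06-11 09:02:49 480496 --ahs---- C:\WINDOWS\system32\rCeeNqru.ini2
2008-06-10 17:49:27 347136 --a------ C:\WINDOWS\system32\efcYPjIc.dll
"""

SCAN_DATE = date(2008, 6, 23)  # the day DSS was run, taken from the log header

HJT_ENTRY = re.compile(r"^(O\d+|R\d) - (.*)$")
DLL_REF = re.compile(r"([A-Za-z0-9_]+)\.dll", re.IGNORECASE)
DSS_FILE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (\d+) (\S{9}) (.+)$")
RANDOM_STEM = re.compile(r"^[A-Za-z]{8}$")  # assumed heuristic: eight letters, no digits
SYSTEM32 = "c:\\windows\\system32\\"


def parse_hjt(text):
    """Return (section, body) pairs for the HijackThis O*/R* lines."""
    out = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def parse_dss_files(text):
    """Return dicts for the 'Files created' lines of a DSS report."""
    out = []
    for line in text.splitlines():
        m = DSS_FILE.match(line.strip())
        if m:
            out.append({"date": date.fromisoformat(m.group(1)), "size": int(m.group(2)),
                        "attrs": m.group(3), "path": m.group(4)})
    return out


def stem_of(path):
    """Basename without extension, splitting on Windows separators on any platform."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def triage(hjt_text, dss_text, scan_date, window_days=30):
    """Cross-reference autostart hooks against recently created system32 files.

    Returns a list of (severity, rule, subject) tuples."""
    findings = []
    cutoff = scan_date - timedelta(days=window_days)
    recent = {stem_of(f["path"]).lower(): f for f in parse_dss_files(dss_text)
              if f["date"] >= cutoff and f["path"].lower().startswith(SYSTEM32)}

    for section, body in parse_hjt(hjt_text):
        # Registry still points at a component whose file is gone: residue of an
        # incomplete removal, and the kind of entry HijackThis can fix directly.
        if "(file missing)" in body or "(no file)" in body:
            findings.append(("medium", "orphaned_hook", f"{section}: {body}"))
        for stem in {m.group(1) for m in DLL_REF.finditer(body)}:
            key = stem.lower()
            # A hook loads a DLL that appeared in system32 inside the window.
            if key in recent:
                findings.append(("high", "hook_loads_recent_dll", stem))
            # A companion file named with the DLL's name spelled backwards
            # (urqNeeCr.dll <-> rCeeNqru.ini2 in this thread's DSS listing).
            if key[::-1] in recent:
                findings.append(("high", "reversed_name_companion", recent[key[::-1]]["path"]))
            # Run-key entry that loads a random-looking DLL via rundll32 (weak signal).
            if section == "O4" and "rundll32" in body.lower() and RANDOM_STEM.match(stem):
                findings.append(("low", "rundll32_random_dll", stem))

    # Recent system32 DLLs with pseudo-random names, whether or not a hook references them.
    for f in recent.values():
        if f["path"].lower().endswith(".dll") and RANDOM_STEM.match(stem_of(f["path"])):
            findings.append(("low", "recent_random_dll", f["path"]))
    return findings


if __name__ == "__main__":
    for sev, rule, subject in triage(HJT_SAMPLE, DSS_FILES_SAMPLE, SCAN_DATE):
        print(f"[{sev:6}] {rule:24} {subject}")
```

On the sample the two "(file missing)" hooks come out as orphaned entries, vqcyifhh.dll is flagged both as a recently created file and as the DLL loaded by the BMe3d9d80d Run key, and rCeeNqru.ini2 is paired with the urqNeeCr BHO by the reversed-name rule; the Java and NVIDIA lines produce nothing. The eight-letter rule is deliberately kept at low severity because legitimate DLLs with eight-letter names exist, so it only ranks candidates for a human to review.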
     
  2. 2008/06/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS David :)

    First we need to get another log for a closer look at things. Download Deckard's System Scanner (dss.exe) and save it to your desktop.
    • Close all applications and windows.
    • Double click on dss.exe to run it and follow the prompts.
    • When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.
    Post the contents of main.txt only for now.
     


  4. 2008/06/22
    tiintnn

    tiintnn Inactive Thread Starter

    Joined:
    2008/06/22
    Messages:
    12
    Likes Received:
    0
    Log file from DSS

    Hi noahdfear,

    Thank you for the prompt reply.
    Below is the log file main.txt after running dss.exe.

    Deckard's System Scanner v20071014.68
    Run by david ng on 2008-06-23 10:12:28
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    51: 2008-06-23 02:12:34 UTC - RP668 - Deckard's System Scanner Restore Point
    50: 2008-06-23 01:31:05 UTC - RP667 - Software Distribution Service 3.0
    49: 2008-06-22 07:10:12 UTC - RP666 - Software Distribution Service 3.0
    48: 2008-06-22 07:07:52 UTC - RP665 - Installed Windows Internet Explorer 7.
    47: 2008-06-22 07:06:30 UTC - RP664 - Installed Windows IDNMitigationAPIs.


    -- First Restore Point --
    1: 2008-06-11 01:03:01 UTC - RP618 - Software Distribution Service 3.0


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as david ng.exe) --------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:16:18 AM, on 6/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\ppfilm\jfCacheMgr.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Documents and Settings\david ng\Application Data\U3\0000060416034761\LaunchPad.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\david ng\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\david ng.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = ftp://tiintinnrepublic.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O2 - BHO: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {8EA86503-476F-476A-A55A-7225082DF3EB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {DB6A3B27-0551-4CA0-AFFB-D736DB8A7501} - C:\WINDOWS\system32\urqNeeCr.dll (file missing)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O3 - Toolbar: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [jfproc] C:\Program Files\ppfilm\jfCacheMgr.exe
    O4 - HKLM\..\Run: [BMe3d9d80d] Rundll32.exe "C:\WINDOWS\system32\vqcyifhh.dll ",s
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-au/4,0,0,90/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-au/1,0,0,23/mcgdmgr.cab
    O20 - Winlogon Notify: yaywvtuS - yaywvtuS.dll (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

    --
    End of file - 11615 bytes

    -- File Associations -----------------------------------------------------------

    .ini - inifile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
    .js - unable to read key
    .js - unable to read key
    .txt - txtfile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
    R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>

    S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
    S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
    S2 npkcrypt - c:\program files\wizet\maplestory\npkcrypt.sys (file missing)
    S3 npkcusb - c:\program files\wizet\maplestory\npkcusb.sys (file missing)
    S3 WRSWanDD (iVasion PoET Adapter) - c:\windows\system32\drivers\wrkpoetnic2000.sys
    S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
    R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
    R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2008-06-10 09:06:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


    -- Files created between 2008-05-23 and 2008-06-23 -----------------------------

    2008-06-23 09:27:43 0 d-------- C:\WINDOWS\LastGood
    2008-06-22 15:59:46 0 d-------- C:\Program Files\Trend Micro
    2008-06-16 21:48:04 90112 --a------ C:\WINDOWS\system32\vqcyifhh.dll
    2008-06-15 21:51:51 81408 -----n--- C:\WINDOWS\system32\lsdgnaxa.dll
    2008-06-15 21:48:52 90112 --a------ C:\WINDOWS\system32\uaaptpki.dll
    2008-06-14 21:46:17 89600 --a------ C:\WINDOWS\system32\fmtxttnr.dll
    2008-06-13 13:31:21 89600 --a------ C:\WINDOWS\system32\uyhaflyf.dll
    2008-06-12 13:29:41 89600 --a------ C:\WINDOWS\system32\pkpfxavf.dll
    2008-06-11 09:04:09 157184 --a------ C:\WINDOWS\system32\ndjsavpt.dll
    2008-06-11 09:02:49 480496 --ahs---- C:\WINDOWS\system32\rCeeNqru.ini2
    2008-06-11 08:56:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2008-06-10 17:49:27 347136 --a------ C:\WINDOWS\system32\efcYPjIc.dll
    2008-06-10 16:49:26 347136 --a------ C:\WINDOWS\system32\efcAQHXq.dll
    2008-06-10 15:49:24 347136 --a------ C:\WINDOWS\system32\ljJYpPjk.dll
    2008-06-10 14:49:26 347136 --a------ C:\WINDOWS\system32\iifedeff.dll
    2008-06-10 12:44:28 347136 --a------ C:\WINDOWS\system32\pmnmKecd.dll
    2008-06-10 11:44:28 347136 --a------ C:\WINDOWS\system32\tuvTjgGX.dll
    2008-06-10 08:18:30 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-06-10 08:16:30 0 d-------- C:\Program Files\Common Files\PC Tools
    2008-06-10 08:16:01 0 d-------- C:\Program Files\Spyware Doctor
    2008-06-10 08:16:01 0 d-------- C:\Documents and Settings\david ng\Application Data\PC Tools
    2008-06-10 08:16:01 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
    2008-06-10 07:10:02 347136 --a------ C:\WINDOWS\system32\iiffeBUo.dll
    2008-06-10 06:10:03 347136 --a------ C:\WINDOWS\system32\byXPFxWQ.dll
    2008-06-10 05:10:02 347136 --a------ C:\WINDOWS\system32\byXQGwUm.dll
    2008-06-10 04:10:01 347136 --a------ C:\WINDOWS\system32\fcccbxus.dll
    2008-06-10 03:09:57 347136 --a------ C:\WINDOWS\system32\tuvVLbXn.dll
    2008-06-10 02:09:59 347136 --a------ C:\WINDOWS\system32\fccaXNfd.dll
    2008-06-10 01:09:55 347136 --a------ C:\WINDOWS\system32\awtRjiJC.dll
    2008-06-10 00:10:04 347136 --a------ C:\WINDOWS\system32\jkkKCsQK.dll
    2008-06-08 23:16:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-08 13:14:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-08 12:42:42 145 --a------ C:\WINDOWS\system32\winver.bat
    2008-06-08 12:42:41 19456 --a------ C:\WINDOWS\system32\drvxek.dll
    2008-06-08 12:28:11 36868 --a------ C:\Program Files\uninst-SoundKeys.exe


    -- Find3M Report ---------------------------------------------------------------

    2008-06-23 09:59:16 0 d-------- C:\Documents and Settings\david ng\Application Data\U3
    2008-06-23 09:22:49 0 d-------- C:\Program Files\ppfilm
    2008-06-22 13:37:05 0 d-------- C:\Program Files\Common Files\Real
    2008-06-22 13:36:57 0 d-------- C:\Program Files\Common Files
    2008-06-22 13:36:47 0 d-------- C:\Documents and Settings\david ng\Application Data\Real
    2008-06-22 11:39:54 0 d-------- C:\Documents and Settings\david ng\Application Data\Mozilla
    2008-06-08 23:19:08 0 d-------- C:\Program Files\Lavasoft
    2008-06-08 23:15:19 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-05-31 17:58:19 0 d-------- C:\Documents and Settings\david ng\Application Data\Adobe
    2008-05-22 10:47:50 0 d-------- C:\Program Files\Messenger Plus! Live
    2008-05-22 10:35:34 0 d-------- C:\Program Files\Windows Live
    2008-05-22 10:35:17 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
    2008-04-27 11:33:32 0 d-------- C:\Program Files\San11 Tc
    2008-04-27 11:12:47 0 d-------- C:\Program Files\DAEMON Tools Lite
    2008-04-27 11:07:20 0 d-------- C:\Documents and Settings\david ng\Application Data\DAEMON Tools
    2008-04-26 12:10:09 0 d--h----- C:\Program Files\InstallShield Installation Information


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29CF293A-1E7D-4069-9E11-E39698D0AF95}]
    C:\Program Files\Tencent\QQToolbar\IEBar.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EA86503-476F-476A-A55A-7225082DF3EB}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB6A3B27-0551-4CA0-AFFB-D736DB8A7501}]
    C:\WINDOWS\system32\urqNeeCr.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
    "SigmatelSysTrayApp "= "stsystra.exe" [03/22/2005 11:20 PM C:\WINDOWS\STSYSTRA.EXE]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03/29/2005 09:05 PM]
    "DVDLauncher "= "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 04:19 PM]
    "DMXLauncher "= "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [01/27/2005 01:02 AM]
    "ISUSPM Startup "= "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 04:50 PM]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 04:50 PM]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 05:00 AM]
    "MSPY2002 "= "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/04/2004 05:00 AM]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 05:00 AM]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 05:00 AM]
    "NeroFilterCheck "= "C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [05/31/2005 05:33 AM]
    "Logitech Utility "= "Logi_MwX.Exe" [12/17/2003 09:50 AM C:\WINDOWS\LOGI_MWX.EXE]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/19/2006 02:41 AM]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [09/12/2006 01:58 AM]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [09/01/2006 03:57 PM]
    "Acrobat Assistant 8.0 "= "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [05/10/2007 10:46 PM]
    "@ "=" " []
    "Adobe_ID0EYTHM "= "C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [03/20/2007 04:40 PM]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [06/29/2007 12:43 AM]
    "nwiz "= "nwiz.exe" [06/29/2007 12:43 AM C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [06/29/2007 12:43 AM]
    "jfproc "= "C:\Program Files\ppfilm\jfCacheMgr.exe" [02/02/2008 03:19 PM]
    "BMe3d9d80d "= "C:\WINDOWS\system32\vqcyifhh.dll" [06/16/2008 09:48 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [11/24/2005 03:38 PM]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "RunNarrator "=Narrator.exe

    C:\Documents and Settings\david ng\Start Menu\Programs\Startup\
    Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [9/11/2005 11:36:50 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywvtuS]
    yaywvtuS.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\WINDOWS\system32\urqNeeCr

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice "


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f920abd-ed44-11db-b6d1-00123fa04d32}]
    AutoRun\command- ntde1ect.com
    explore\Command- ntde1ect.com
    open\Command- ntde1ect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56165e78-e126-11db-9d5b-00123fa04d32}]
    AutoRun\command- ntde1ect.com
    explore\Command- ntde1ect.com
    open\Command- ntde1ect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9bd7e5e-7d74-11dc-b7b5-00123fa04d32}]
    AutoRun\command- E:\LaunchU3.exe -a




    -- Hosts -----------------------------------------------------------------------

    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com

    8713 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2008-06-23 10:16:56 ------------

    awaiting your advice.
    thanks
    david :)
     
  5. 2008/06/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  6. 2008/06/22
    tiintnn

    tiintnn Inactive Thread Starter

    Joined:
    2008/06/22
    Messages:
    12
    Likes Received:
    0
    log from comboFix

    hi, please see below for the log file from ComboFix.
    thanks again :)

    ComboFix 08-06-20.4 - david ng 2008-06-23 12:03:52.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.507 [GMT 8:00]
    Running from: C:\Documents and Settings\david ng\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\BMe3d9d80d.xml
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\abvyqhyd.ini
    C:\WINDOWS\system32\ajhmwnut.ini
    C:\WINDOWS\system32\awtRjiJC.dll
    C:\WINDOWS\system32\axangdsl.ini
    C:\WINDOWS\system32\byXPFxWQ.dll
    C:\WINDOWS\system32\byXQGwUm.dll
    C:\WINDOWS\system32\drvxek.dll
    C:\WINDOWS\system32\efcAQHXq.dll
    C:\WINDOWS\system32\efcYPjIc.dll
    C:\WINDOWS\system32\fccaXNfd.dll
    C:\WINDOWS\system32\fcccbxus.dll
    C:\WINDOWS\system32\fmtxttnr.dll
    C:\WINDOWS\system32\hvgiujiq.ini
    C:\WINDOWS\system32\iifedeff.dll
    C:\WINDOWS\system32\iiffeBUo.dll
    C:\WINDOWS\system32\jkkKCsQK.dll
    C:\WINDOWS\system32\ljJYpPjk.dll
    C:\WINDOWS\system32\lsdgnaxa.dll
    C:\WINDOWS\system32\ndjsavpt.dll
    C:\WINDOWS\system32\pkpfxavf.dll
    C:\WINDOWS\system32\pmnmKecd.dll
    C:\WINDOWS\system32\rCeeNqru.ini
    C:\WINDOWS\system32\rCeeNqru.ini2
    C:\WINDOWS\system32\sqmbtxwu.ini
    C:\WINDOWS\system32\swdmyeca.ini
    C:\WINDOWS\system32\tuvTjgGX.dll
    C:\WINDOWS\system32\tuvVLbXn.dll
    C:\WINDOWS\system32\uaaptpki.dll
    C:\WINDOWS\system32\uyhaflyf.dll
    C:\WINDOWS\system32\vqcyifhh.dll
    Z:\RECYCLER\.DS_Store

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-23 to 2008-06-23 )))))))))))))))))))))))))))))))
    .

    2008-06-23 10:12 . 2008-06-23 10:12 <DIR> d-------- C:\Deckard
    2008-06-22 15:59 . 2008-06-22 15:59 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-11 08:56 . 2008-06-11 08:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2008-06-11 08:38 . 2008-06-13 21:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-11 08:38 . 2008-06-13 21:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-10 08:18 . 2008-06-23 12:02 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-06-10 08:17 . 2008-04-10 15:14 159,880 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
    2008-06-10 08:16 . 2008-06-23 12:01 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-06-10 08:16 . 2008-06-10 08:16 <DIR> d-------- C:\Program Files\Common Files\PC Tools
    2008-06-10 08:16 . 2008-06-10 08:16 <DIR> d-------- C:\Documents and Settings\david ng\Application Data\PC Tools
    2008-06-10 08:16 . 2008-06-10 08:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
    2008-06-10 08:16 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-06-10 08:16 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-06-10 08:16 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-06-10 08:16 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-06-08 23:16 . 2008-06-08 23:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-08 13:14 . 2008-06-11 09:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-06-08 13:14 . 2008-06-11 09:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-08 12:42 . 2008-06-08 12:42 145 --a------ C:\WINDOWS\system32\winver.bat
    2008-06-08 12:28 . 2008-06-08 12:28 36,868 --a------ C:\Program Files\uninst-SoundKeys.exe
    2008-06-07 22:12 . 2008-06-17 14:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-06-07 22:12 . 2008-06-07 22:12 1,409 --a------ C:\WINDOWS\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-23 01:59 --------- d-----w C:\Documents and Settings\david ng\Application Data\U3
    2008-06-23 01:22 --------- d-----w C:\Program Files\ppfilm
    2008-06-22 05:37 --------- d-----w C:\Program Files\Common Files\Real
    2008-06-11 05:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
    2008-06-08 15:19 --------- d-----w C:\Program Files\Lavasoft
    2008-06-08 15:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-05-22 02:47 --------- d-----w C:\Program Files\Messenger Plus! Live
    2008-05-22 02:35 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
    2008-05-22 02:35 --------- d-----w C:\Program Files\Windows Live
    2008-05-22 02:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-04-29 03:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2008-04-29 03:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
    2008-04-29 03:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
    2008-04-27 03:33 --------- d-----w C:\Program Files\San11 Tc
    2008-04-27 03:12 --------- d-----w C:\Program Files\DAEMON Tools Lite
    2008-04-27 03:07 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2008-04-27 03:07 --------- d-----w C:\Documents and Settings\david ng\Application Data\DAEMON Tools
    2008-04-26 04:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2006-12-11 03:26 1,279,488 ----a-w C:\Program Files\UMDGen.exe
    2006-01-28 09:36 98 ---h--w C:\Documents and Settings\david ng\Application Data\srfvdo.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29CF293A-1E7D-4069-9E11-E39698D0AF95}]
    C:\Program Files\Tencent\QQToolbar\IEBar.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB6A3B27-0551-4CA0-AFFB-D736DB8A7501}]
    C:\WINDOWS\system32\urqNeeCr.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{29CF293A-1E7D-4069-9E11-E39698D0AF95} "= "C:\Program Files\Tencent\QQToolbar\IEBar.dll" [ ]

    [HKEY_CLASSES_ROOT\clsid\{29cf293a-1e7d-4069-9e11-e39698d0af95}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-24 15:38 94208]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "SigmatelSysTrayApp "= "stsystra.exe" [2005-03-22 23:20 339968 C:\WINDOWS\STSYSTRA.EXE]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-29 21:05 339968]
    "DVDLauncher "= "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
    "DMXLauncher "= "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 01:02 86016]
    "ISUSPM Startup "= "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]
    "MSPY2002 "= "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
    "NeroFilterCheck "= "C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
    "Logitech Utility "= "Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58 229952]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
    "Acrobat Assistant 8.0 "= "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
    "Adobe_ID0EYTHM "= "C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
    "nwiz "= "nwiz.exe" [2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
    "jfproc "= "C:\Program Files\ppfilm\jfCacheMgr.exe" [2008-02-02 15:19 708608]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator "= "Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

    C:\Documents and Settings\david ng\Start Menu\Programs\Startup\
    Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2005-09-11 11:36:50 3450608]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywvtuS]
    yaywvtuS.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.l3acm "= C:\Program Files\WIZET\MapleStory\l3codeca.acm

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\miFiles\\miFiles.exe "=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Trillian\\trillian.exe "=
    "C:\\Program Files\\Electric Rain\\Swift 3D\\Version 4.50\\Program\\Swift3D.exe "=
    "C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "C:\\WINDOWS\\system32\\winver.exe "=
    "C:\\Program Files\\ppfilm\\jfCacheMgr.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP "= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP "= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP "= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP "= 50901:TCP:Adobe Version Cue CS3 Server

    R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-10 15:14]
    S3 WRSWanDD;iVasion PoET Adapter;C:\WINDOWS\system32\DRIVERS\WrKPoETNic2000.sys [2002-07-17 13:53]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f920abd-ed44-11db-b6d1-00123fa04d32}]
    \Shell\AutoRun\command - ntde1ect.com
    \Shell\explore\Command - ntde1ect.com
    \Shell\open\Command - ntde1ect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56165e78-e126-11db-9d5b-00123fa04d32}]
    \Shell\AutoRun\command - ntde1ect.com
    \Shell\explore\Command - ntde1ect.com
    \Shell\open\Command - ntde1ect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9bd7e5e-7d74-11dc-b7b5-00123fa04d32}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-10 01:06:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-23 12:13:37
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-23 12:22:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-23 04:21:42

    Pre-Run: 24,689,274,880 bytes free
    Post-Run: 24,586,063,872 bytes free

    218 --- E O F --- 2008-06-23 01:32:00

    :)
     
  7. 2008/06/22
    tiintnn

    tiintnn Inactive Thread Starter

    Joined:
    2008/06/22
    Messages:
    12
    Likes Received:
    0
    new log file from HijackThis

    hi, below is the new log from HijackThis.
    appreciate your help :)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:29:00 PM, on 6/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\ppfilm\jfCacheMgr.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = ftp://tiintinnrepublic.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O2 - BHO: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {DB6A3B27-0551-4CA0-AFFB-D736DB8A7501} - C:\WINDOWS\system32\urqNeeCr.dll (file missing)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O3 - Toolbar: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [jfproc] C:\Program Files\ppfilm\jfCacheMgr.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe "
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-au/4,0,0,90/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-au/1,0,0,23/mcgdmgr.cab
    O20 - Winlogon Notify: yaywvtuS - yaywvtuS.dll (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

    --
    End of file - 11280 bytes
     
  8. 2008/06/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please download Flash_Disinfector by sUBs and save it to your desktop:

    NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.

    • Plug in your USB flash drive.
    • Double-click Flash_Disinfector.exe to run it.
    • Follow any prompts that may appear.
    • Your desktop will vanish for a while, and then reappear. This is normal.
    • Wait until the program has finished scanning, then please exit the program. If you use more than 1 flash drive, run the tool with each plugged in.


Then, once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB6A3B27-0551-4CA0-AFFB-D736DB8A7501}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywvtuS]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f920abd-ed44-11db-b6d1-00123fa04d32}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56165e78-e126-11db-9d5b-00123fa04d32}]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
    "{BA52B914-B692-46c4-B683-905236F6F655}"=-
    
Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log along with another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  9. 2008/06/24
    tiintnn

    tiintnn Inactive Thread Starter

    Joined:
    2008/06/22
    Messages:
    12
    Likes Received:
    0
    combofix log files

Hi,

Please see below for the log file from ComboFix. I have run Flash_Disinfector on one of my USB flash drives. The other drive is not with me now and might take about 2-3 days to get back. Will this affect the results of the log?

Thanks again for your kind help.
david :)


    ComboFix 08-06-20.4 - david ng 2008-06-24 19:16:15.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.617 [GMT 8:00]
    Running from: C:\Documents and Settings\david ng\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\david ng\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-05-24 to 2008-06-24 )))))))))))))))))))))))))))))))
    .

    2008-06-23 10:12 . 2008-06-23 10:12 <DIR> d-------- C:\Deckard
    2008-06-22 15:59 . 2008-06-22 15:59 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-11 08:56 . 2008-06-11 08:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2008-06-11 08:38 . 2008-06-13 21:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-11 08:38 . 2008-06-13 21:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-10 08:18 . 2008-06-24 19:13 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-06-10 08:17 . 2008-04-10 15:14 159,880 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
    2008-06-10 08:16 . 2008-06-24 19:13 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-06-10 08:16 . 2008-06-10 08:16 <DIR> d-------- C:\Program Files\Common Files\PC Tools
    2008-06-10 08:16 . 2008-06-10 08:16 <DIR> d-------- C:\Documents and Settings\david ng\Application Data\PC Tools
    2008-06-10 08:16 . 2008-06-10 08:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
    2008-06-10 08:16 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-06-10 08:16 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-06-10 08:16 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-06-10 08:16 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-06-08 23:16 . 2008-06-08 23:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-08 13:14 . 2008-06-11 09:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-06-08 13:14 . 2008-06-11 09:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-08 12:42 . 2008-06-08 12:42 145 --a------ C:\WINDOWS\system32\winver.bat
    2008-06-08 12:28 . 2008-06-08 12:28 36,868 --a------ C:\Program Files\uninst-SoundKeys.exe
    2008-06-07 22:12 . 2008-06-17 14:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-06-07 22:12 . 2008-06-07 22:12 1,409 --a------ C:\WINDOWS\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-23 01:59 --------- d-----w C:\Documents and Settings\david ng\Application Data\U3
    2008-06-23 01:22 --------- d-----w C:\Program Files\ppfilm
    2008-06-22 05:37 --------- d-----w C:\Program Files\Common Files\Real
    2008-06-11 05:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
    2008-06-08 15:19 --------- d-----w C:\Program Files\Lavasoft
    2008-06-08 15:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-05-22 02:47 --------- d-----w C:\Program Files\Messenger Plus! Live
    2008-05-22 02:35 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
    2008-05-22 02:35 --------- d-----w C:\Program Files\Windows Live
    2008-05-22 02:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-05-16 03:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    2008-04-29 03:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2008-04-29 03:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
    2008-04-29 03:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
    2008-04-27 03:33 --------- d-----w C:\Program Files\San11 Tc
    2008-04-27 03:12 --------- d-----w C:\Program Files\DAEMON Tools Lite
    2008-04-27 03:07 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2008-04-27 03:07 --------- d-----w C:\Documents and Settings\david ng\Application Data\DAEMON Tools
    2008-04-26 04:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-23 14:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-04-21 07:04 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
    2008-04-21 07:04 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
    2008-04-21 07:03 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
    2008-04-21 07:03 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
    2008-04-21 07:03 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
    2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
    2006-12-11 03:26 1,279,488 ----a-w C:\Program Files\UMDGen.exe
    2006-01-28 09:36 98 ---h--w C:\Documents and Settings\david ng\Application Data\srfvdo.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-23_12.21.29.75 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-23 04:13:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-24 08:49:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29CF293A-1E7D-4069-9E11-E39698D0AF95}]
    C:\Program Files\Tencent\QQToolbar\IEBar.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB6A3B27-0551-4CA0-AFFB-D736DB8A7501}]
    C:\WINDOWS\system32\urqNeeCr.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{29CF293A-1E7D-4069-9E11-E39698D0AF95} "= "C:\Program Files\Tencent\QQToolbar\IEBar.dll" [ ]

    [HKEY_CLASSES_ROOT\clsid\{29cf293a-1e7d-4069-9e11-e39698d0af95}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-24 15:38 94208]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "SigmatelSysTrayApp "= "stsystra.exe" [2005-03-22 23:20 339968 C:\WINDOWS\STSYSTRA.EXE]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-29 21:05 339968]
    "DVDLauncher "= "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
    "DMXLauncher "= "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 01:02 86016]
    "ISUSPM Startup "= "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]
    "MSPY2002 "= "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
    "NeroFilterCheck "= "C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
    "Logitech Utility "= "Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58 229952]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
    "Acrobat Assistant 8.0 "= "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
    "Adobe_ID0EYTHM "= "C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
    "nwiz "= "nwiz.exe" [2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
    "jfproc "= "C:\Program Files\ppfilm\jfCacheMgr.exe" [2008-02-02 15:19 708608]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator "= "Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

    C:\Documents and Settings\david ng\Start Menu\Programs\Startup\
    Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2005-09-11 11:36:50 3450608]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywvtuS]
    yaywvtuS.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.l3acm "= C:\Program Files\WIZET\MapleStory\l3codeca.acm

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\miFiles\\miFiles.exe "=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Trillian\\trillian.exe "=
    "C:\\Program Files\\Electric Rain\\Swift 3D\\Version 4.50\\Program\\Swift3D.exe "=
    "C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "C:\\WINDOWS\\system32\\winver.exe "=
    "C:\\Program Files\\ppfilm\\jfCacheMgr.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP "= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP "= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP "= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP "= 50901:TCP:Adobe Version Cue CS3 Server

    R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-10 15:14]
    S3 WRSWanDD;iVasion PoET Adapter;C:\WINDOWS\system32\DRIVERS\WrKPoETNic2000.sys [2002-07-17 13:53]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f920abd-ed44-11db-b6d1-00123fa04d32}]
    \Shell\AutoRun\command - ntde1ect.com
    \Shell\explore\Command - ntde1ect.com
    \Shell\open\Command - ntde1ect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56165e78-e126-11db-9d5b-00123fa04d32}]
    \Shell\AutoRun\command - ntde1ect.com
    \Shell\explore\Command - ntde1ect.com
    \Shell\open\Command - ntde1ect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9bd7e5e-7d74-11dc-b7b5-00123fa04d32}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-10 01:06:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-24 19:21:11
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-06-24 19:26:09
    ComboFix-quarantined-files.txt 2008-06-24 11:25:17
    ComboFix2.txt 2008-06-23 04:22:29

    Pre-Run: 24,556,036,096 bytes free
    Post-Run: 24,543,666,176 bytes free

    192 --- E O F --- 2008-06-23 01:32:00
     
  10. 2008/06/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    No problem. Just run Flash_Disinfector on it when you get a chance.

Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB6A3B27-0551-4CA0-AFFB-D736DB8A7501}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywvtuS]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f920abd-ed44-11db-b6d1-00123fa04d32}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56165e78-e126-11db-9d5b-00123fa04d32}]
    
Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log along with a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  11. 2008/06/26
    tiintnn

    tiintnn Inactive Thread Starter

    Joined:
    2008/06/22
    Messages:
    12
    Likes Received:
    0
    new log from combofix

Hi noahdfear,

Below is the new log file from ComboFix.
Thanks for your help :)

    ComboFix 08-06-20.4 - david ng 2008-06-27 0:17:43.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.621 [GMT 8:00]
    Running from: C:\Documents and Settings\david ng\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\david ng\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 )))))))))))))))))))))))))))))))
    .

    2008-06-23 10:12 . 2008-06-23 10:12 <DIR> d-------- C:\Deckard
    2008-06-22 15:59 . 2008-06-22 15:59 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-11 08:56 . 2008-06-11 08:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2008-06-11 08:38 . 2008-06-13 21:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-11 08:38 . 2008-06-13 21:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-10 08:18 . 2008-06-27 00:15 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-06-10 08:17 . 2008-04-10 15:14 159,880 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
    2008-06-10 08:16 . 2008-06-27 00:15 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-06-10 08:16 . 2008-06-10 08:16 <DIR> d-------- C:\Program Files\Common Files\PC Tools
    2008-06-10 08:16 . 2008-06-10 08:16 <DIR> d-------- C:\Documents and Settings\david ng\Application Data\PC Tools
    2008-06-10 08:16 . 2008-06-10 08:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
    2008-06-10 08:16 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-06-10 08:16 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-06-10 08:16 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-06-10 08:16 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-06-08 23:16 . 2008-06-08 23:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-08 13:14 . 2008-06-11 09:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-06-08 13:14 . 2008-06-11 09:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-08 12:42 . 2008-06-08 12:42 145 --a------ C:\WINDOWS\system32\winver.bat
    2008-06-08 12:28 . 2008-06-08 12:28 36,868 --a------ C:\Program Files\uninst-SoundKeys.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-23 01:59 --------- d-----w C:\Documents and Settings\david ng\Application Data\U3
    2008-06-22 05:37 --------- d-----w C:\Program Files\Common Files\Real
    2008-06-11 05:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
    2008-06-08 15:19 --------- d-----w C:\Program Files\Lavasoft
    2008-06-08 15:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-05-22 02:47 --------- d-----w C:\Program Files\Messenger Plus! Live
    2008-05-22 02:35 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
    2008-05-22 02:35 --------- d-----w C:\Program Files\Windows Live
    2008-05-22 02:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-05-16 03:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    2008-04-29 03:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2008-04-29 03:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
    2008-04-29 03:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
    2008-04-27 03:33 --------- d-----w C:\Program Files\San11 Tc
    2008-04-27 03:12 --------- d-----w C:\Program Files\DAEMON Tools Lite
    2008-04-27 03:07 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2008-04-27 03:07 --------- d-----w C:\Documents and Settings\david ng\Application Data\DAEMON Tools
    2008-04-26 04:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-23 14:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-04-21 07:04 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
    2008-04-21 07:04 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
    2008-04-21 07:03 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
    2008-04-21 07:03 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
    2008-04-21 07:03 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
    2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
    2006-12-11 03:26 1,279,488 ----a-w C:\Program Files\UMDGen.exe
    2006-01-28 09:36 98 ---h--w C:\Documents and Settings\david ng\Application Data\srfvdo.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29CF293A-1E7D-4069-9E11-E39698D0AF95}]
    C:\Program Files\Tencent\QQToolbar\IEBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{29CF293A-1E7D-4069-9E11-E39698D0AF95} "= "C:\Program Files\Tencent\QQToolbar\IEBar.dll" [ ]

    [HKEY_CLASSES_ROOT\clsid\{29cf293a-1e7d-4069-9e11-e39698d0af95}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-24 15:38 94208]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "SigmatelSysTrayApp "= "stsystra.exe" [2005-03-22 23:20 339968 C:\WINDOWS\STSYSTRA.EXE]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-29 21:05 339968]
    "DVDLauncher "= "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
    "DMXLauncher "= "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 01:02 86016]
    "ISUSPM Startup "= "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]
    "MSPY2002 "= "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
    "NeroFilterCheck "= "C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
    "Logitech Utility "= "Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58 229952]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
    "Acrobat Assistant 8.0 "= "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
    "Adobe_ID0EYTHM "= "C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
    "nwiz "= "nwiz.exe" [2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
    "jfproc "= "C:\Program Files\ppfilm\jfCacheMgr.exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator "= "Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

    C:\Documents and Settings\david ng\Start Menu\Programs\Startup\
    Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2005-09-11 11:36:50 3450608]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.l3acm "= C:\Program Files\WIZET\MapleStory\l3codeca.acm

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\miFiles\\miFiles.exe "=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Trillian\\trillian.exe "=
    "C:\\Program Files\\Electric Rain\\Swift 3D\\Version 4.50\\Program\\Swift3D.exe "=
    "C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "C:\\WINDOWS\\system32\\winver.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP "= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP "= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP "= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP "= 50901:TCP:Adobe Version Cue CS3 Server

    R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-10 15:14]
    S3 WRSWanDD;iVasion PoET Adapter;C:\WINDOWS\system32\DRIVERS\WrKPoETNic2000.sys [2002-07-17 13:53]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9bd7e5e-7d74-11dc-b7b5-00123fa04d32}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-10 01:06:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-27 00:22:30
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-06-27 0:27:41
    ComboFix-quarantined-files.txt 2008-06-26 16:26:53
    ComboFix2.txt 2008-06-24 11:26:09
    ComboFix3.txt 2008-06-23 04:22:29

    Pre-Run: 24,489,091,072 bytes free
    Post-Run: 24,475,160,576 bytes free

    172 --- E O F --- 2008-06-23 01:32:00
     
  12. 2008/06/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please do an online scan with Kaspersky Online Scanner

    Click Accept when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


    Post the Kaspersky log and one more fresh HijackThis log.
     
  13. 2008/06/28
    tiintnn

    kaspersky report log

    hi noahdfear,

    the Kaspersky log is as follows; it seems like there are items infected.

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Sunday, June 29, 2008
    Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Saturday, June 28, 2008 08:44:45
    Records in database: 894810
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    Y:\
    Z:\

    Scan statistics:
    Files scanned: 194616
    Threat name: 11
    Infected objects: 25
    Suspicious objects: 0
    Duration of the scan: 06:33:11


    File name / Threat name / Threats count
    C:\Deckard\System Scanner\backup\DOCUME~1\DAVIDN~1\LOCALS~1\Temp\gos3FD.tmp Infected: Trojan-Downloader.Win32.Injecter.vc 1
    C:\Deckard\System Scanner\backup\DOCUME~1\DAVIDN~1\LOCALS~1\Temp\gos406.tmp Infected: Trojan.Win32.Pakes.cyw 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\awtRjiJC.dll.vir Infected: Trojan.Win32.Monder.gen 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\byXPFxWQ.dll.vir Infected: Trojan.Win32.Monder.gen 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\byXQGwUm.dll.vir Infected: Trojan.Win32.Monder.gen 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\drvxek.dll.vir Infected: Trojan.Win32.Pakes.cyw 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\efcAQHXq.dll.vir Infected: Trojan.Win32.Monder.gen 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\efcYPjIc.dll.vir Infected: Trojan.Win32.Monder.gen 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\fccaXNfd.dll.vir Infected: Trojan.Win32.Monder.gen 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\fcccbxus.dll.vir Infected: Trojan.Win32.Monder.gen 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\fmtxttnr.dll.vir Infected: Trojan.Win32.Monder.qg 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\iifedeff.dll.vir Infected: Trojan.Win32.Monder.gen 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\iiffeBUo.dll.vir Infected: Trojan.Win32.Monder.gen 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\jkkKCsQK.dll.vir Infected: Trojan.Win32.Monder.gen 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\ljJYpPjk.dll.vir Infected: Trojan.Win32.Monder.gen 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\lsdgnaxa.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.yuv 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\ndjsavpt.dll.vir Infected: Trojan.Win32.Monder.mx 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\pkpfxavf.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.apjl 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\pmnmKecd.dll.vir Infected: Trojan.Win32.Monder.gen 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\tuvTjgGX.dll.vir Infected: Trojan.Win32.Monder.gen 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\tuvVLbXn.dll.vir Infected: Trojan.Win32.Monder.gen 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\uaaptpki.dll.vir Infected: Trojan.Win32.Monder.qx 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\uyhaflyf.dll.vir Infected: Trojan.Win32.Monder.nb 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\vqcyifhh.dll.vir Infected: Trojan.Win32.Monder.uu 1
    C:\WINDOWS\FlyakiteOSX\Tools\pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill.a 1

    The selected area was scanned.
     
  14. 2008/06/28
    tiintnn

    new hijackthis report log

    hey, a new HijackThis report log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:12:25 AM, on 6/29/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\david ng\Local Settings\Temp\jkos-david ng\binaries\ScanningProcess.exe
    C:\Documents and Settings\david ng\Local Settings\Temp\jkos-david ng\binaries\ScanningProcess.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = ftp://tiintinnrepublic.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O2 - BHO: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O3 - Toolbar: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [jfproc] C:\Program Files\ppfilm\jfCacheMgr.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-au/4,0,0,90/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-au/1,0,0,23/mcgdmgr.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

    --
    End of file - 11084 bytes
     
  15. 2008/06/28
    noahdfear

    You're in good shape. All infected items are in quarantine. Let's clean 'em up.

    Scan again with HijackThis and place a check next to the following entry.

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)


    Close all other windows, then click Fix Checked.
    Close HijackThis.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
    Reboot


    Now, click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.


    Let me know if you're having any more problems.
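As an added example (not from the thread, HijackThis or its author), a small Python triage helper that applies the same reading noahdfear used above: it parses HijackThis entry lines, flags orphan entries marked "(no file)" or "(file missing)" as safe to fix, and marks O4 entries with an unqualified image name and O23 services with an unknown owner for a closer look. The sample lines are constructed from this thread's log; the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample entries modelled on the HijackThis log posted in this
# thread (a handful of lines, not the full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [jfproc] C:\Program Files\ppfilm\jfCacheMgr.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""

ORPHAN_MARKERS = ("(no file)", "(file missing)")
ENTRY_RE = re.compile(r"^(?P<section>[ROF]\d+) - (?P<body>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str
    guid: Optional[str] = None


def parse_entries(log_text: str):
    """Yield (section, body, line) for each 'Oxx - ...' entry; header and process lines are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body"), raw.strip()


def image_of(cmd: str) -> str:
    """Extract the executable from an O4 command string, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].strip()
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> List[Finding]:
    """Flag dead entries (safe to fix) and O4/O23 entries that deserve a closer look."""
    findings: List[Finding] = []
    for section, body, line in parse_entries(log_text):
        g = GUID_RE.search(body)
        guid = g.group(0) if g else None
        if body.endswith(ORPHAN_MARKERS):
            findings.append(Finding(section, "orphan entry: target file missing, safe to fix", line, guid))
        elif section == "O4":
            m = RUN_RE.search(body)
            if m:
                image = image_of(m.group("cmd"))
                # A bare image name is resolved via the search path, so its origin
                # should be verified; a full path can be checked directly on disk.
                if "\\" not in image:
                    findings.append(Finding(section, f"unqualified image name {image!r}: verify origin", line))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service with unknown owner: verify the binary's publisher", line))
    return findings


def fix_candidates(log_text: str) -> List[str]:
    """Lines one would tick in HijackThis before 'Fix checked' (orphan entries only)."""
    return [f.line for f in triage(log_text) if f.reason.startswith("orphan")]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```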
     
  16. 2008/06/29
    tiintnn

    just a little question

    hi noahdfear,

    many thanks for walking through the whole process with me. :)
    can never thank you enough.

    just noted a weird thing: when I ran ComboFix /u, a window popped up that says pv.cfexe can't be executed. At the same time, Spyware Doctor prompted that a trojan is trying to gain access to the internet; subsequently I blocked the trojan. Wondering if this might be normal?

    ever grateful
    david
     
    Last edited: 2008/06/29
  17. 2008/06/29
    tiintnn

    another trojan found

    hi noahdfear,

    I just ran Spyware Doctor and it found

    Trojan.Generic (1 infection)
    registry key - HKEY_USERS\S-1-5-21-3509715389-4189775410-2786306530-1006\Software\Wget

    Applications.NirCmd (26 infections)
    Registry Value

    HKEY_LOCAL_MACHINE\SOFTWARE\smearware, combofix_wow
    HKEY_LOCAL_MACHINE\SOFTWARE\smearware, Runs
    HKEY_LOCAL_MACHINE\SOFTWARE\smearware, snapshot
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance
    E\smearware, snapshot
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Service
    E\smearware, snapshot
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Legacy
    E\smearware, snapshot
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, CofigFlags
    E\smearware, snapshot
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Class
    E\smearware, snapshot
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, ClassGUID
    E\smearware, snapshot
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, DeviceDesc
    E\smearware, snapshot
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Capabilities
    E\smearware, snapshot
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Type
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ErrorControl
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Start
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ImagePath
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Group
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum, 0
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum, Count
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum, NextInstance

    Registry Key
    HKEY_LOCAL_MACHINE\SOFTWARE\swearware
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000\Control
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme

    Folder c:\ComboFix\

    is there anything to worry about?
    :confused:
     
  18. 2008/06/29
    noahdfear

    Thanks for the info. That is all related to ComboFix, and it's all safe. Had Spyware Doctor not blocked the uninstallation process, it likely would have been removed. Please download a fresh copy of ComboFix, temporarily disable Spyware Doctor, then run the ComboFix /u command again.

    Run Spyware Doctor again when done and let me know what it finds.
     
  19. 2008/07/01
    tiintnn

    another scan from Spyware Doctor

    hi noahdfear,

    have done as instructed; it has found the following

    Application.NirCmd (4 infection)
    Registry Value
    HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow
    HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs
    HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot

    Registry Key
    HKEY_LOCAL_MACHINE\SOFTWARE\swearware


    Trojan.Generic (1 infection)
    Registry Key
    HKEY_USERS\S-15-21-3509715389-4189775410-2786306530-1006\Software\Wget

    have just used Spyware Doctor to fix the above problems.
    will this then complete the removal of all problems?

    sorry again for the trouble.:p
     
  20. 2008/07/01
    noahdfear

    Highlight and copy the contents of the code box below.
    Code:
    reg delete "HKLM\SOFTWARE\swearware" /f
    reg delete "HKCU\Software\Wget" /f
    exit
    cls

    Click Start>Run and type cmd then hit Enter to open a command window. Right click in the command window and select Paste. The command window will close on its own.

    Scan with Spyware Doctor and let me know if anything is found, and how your computer is behaving now.
     
  21. 2008/07/02
    tiintnn

    it's clear!

    hi noahdfear,

    have done the steps and re-ran Spyware Doctor.
    there is no more error!

    many many thanks!
    you have been a great help!
    kudos to you and windowsBBs!

    thanks again
    david:)
     