
Solved Multiple problems - possible trojan?

Discussion in 'Malware and Virus Removal Archive' started by stained, 2009/05/03.

  1. 2009/05/03
    stained

    stained Inactive Thread Starter

    Joined:
    2009/05/03
    Messages:
    9
    Likes Received:
    0
    [Resolved] Multiple problems - possible trojan?

    Hey there. I have been experiencing some problems with my PC for a while. These are as follows:

    -my antivirus/spyware software cannot update
    -I cannot access any antivirus or anti-spyware site with any browser

    I suspect what kind of trojan I'm dealing with, but I need help removing it.

    The logs are as follows:

    DDS LOG:


    DDS (Ver_09-03-16.01) - NTFSx86
    Run by Administrator at 23:07:35.11 on Sun 05/03/2009
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1023.585 [GMT 3:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\vsnpstd.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Documents and Settings\Administrator\Desktop\Total Commander.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Opera\Opera.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
    C:\Documents and Settings\Administrator\Desktop\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.ro/
    uWindow Title = WINDOWS XP RED
    mWinlogon: UIHost=SKULL.exe
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
    BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
    BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
    BHO: SnapFlash Class: {a44cbb0b-c77d-4bf5-87cc-b4ee79ad1b7e} - c:\program files\common files\justdo\Jd2002.dll
    BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~1\tools\iesdpb.dll
    TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} -
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    mRun: [snpstd] c:\windows\vsnpstd.exe
    mRun: [Virtual PDF Printer] c:\program files\virtual pdf printer\VirtualPDFPrinter.exe
    mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [Spyware Doctor]
    dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
    dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    uPolicies-explorer: NoInternetIcon = 1 (0x1)
    uPolicies-explorer: NoResolveTrack = 1 (0x1)
    uPolicies-explorer: NoInstrumentation = 1 (0x1)
    uPolicies-explorer: NoSMMyDocs = 1 (0x1)
    uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    dPolicies-explorer: NoInternetIcon = 1 (0x1)
    dPolicies-explorer: NoResolveTrack = 1 (0x1)
    dPolicies-explorer: NoInstrumentation = 1 (0x1)
    dPolicies-explorer: NoSMMyDocs = 1 (0x1)
    dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
    IE: Save Flash with Flash Catcher - c:\program files\common files\justdo\IECatcher.DLL/FlashCatcher.htm
    IE: {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - res://c:\program files\common files\justdo\IECatcher.DLL/FlashCatcher.htm
    IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
    IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
    IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~1\tools\iesdpb.dll
    IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
    IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    TCP: {BD3367CC-EF77-4368-BE28-60D8F3A12104} = 213.154.124.1 193.231.252.1
    Notify: klogon - c:\windows\system32\klogon.dll

    ============= SERVICES / DRIVERS ===============

    R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [2008-3-30 61184]
    R1 ikhfile;File Security Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhfile.sys [2008-3-30 30592]
    R1 ikhlayer;Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhlayer.sys [2008-3-30 51072]
    R2 avp;avp;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-6-23 206088]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [2008-7-23 31104]
    S2 giokmoh;Security Image;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-11-1 16512]
    S3 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-7-4 210960]
    S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmumdm.sys [2008-4-1 88960]

    =============== Created Last 30 ================

    2009-05-03 22:03 <DIR> --d----- C:\Atti
    2009-05-03 21:22 <DIR> --d----- c:\program files\AVG
    2009-05-03 20:19 315,574 a------- C:\IMG_0815.JPG
    2009-05-03 20:16 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
    2009-05-03 20:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-05-03 20:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-03 20:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-05-03 20:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-05-03 18:38 51,803 a------- C:\vlcsnap-23761.JPG
    2009-05-03 18:29 567,426 a------- C:\YTard_Emoticons_by_Dumnezeu.exe
    2009-05-03 18:26 110,301 a------- C:\xmassmileys.zip
    2009-05-03 18:01 18,358 a------- C:\Literature.rtf
    2009-05-03 18:01 40,960 a------- C:\The Teaching of Listening.doc
    2009-05-03 17:58 76,290 a------- C:\skimming.pdf
    2009-05-03 17:56 32,256 a------- C:\Active Learning.doc
    2009-05-03 16:17 277,457 a------- C:\IMG_2747.JPG
    2009-05-03 15:45 68,155 a------- C:\Lista de preturi cadastru si taxe cadastru.PDF
    2009-05-03 15:44 10,240 a------- c:\windows\system32\virport.dll
    2009-05-03 15:44 <DIR> --d----- c:\program files\Virtual PDF Printer
    2009-05-03 15:41 103,936 a------- C:\Lista de preturi cadastru si taxe cadastru.xls
    2009-05-02 21:57 <DIR> --d----- C:\xyz
    2009-05-02 21:32 15,549 a------- C:\fara linii.JPG
    2009-05-02 20:55 31,866,688 a------- C:\Produce.mpg
    2009-05-02 20:54 15,203,525 a------- C:\_Lily_Lily_Rose__ORANGE_BLOSSOM.rar
    2009-04-30 21:03 51,329,024 a------- C:\Placebo - Protege Moi.avi
    2009-04-30 01:48 54,156 a---h--- c:\windows\QTFont.qfn
    2009-04-30 01:48 1,409 a------- c:\windows\QTFont.for
    2009-04-25 21:30 <DIR> --d----- C:\Kaspersky AV 2009 Update April 09
    2009-04-25 15:12 <DIR> --d----- C:\AAV8.5.287.1483
    2009-04-22 22:40 <DIR> --d----- C:\Deya
    2009-04-19 18:34 398,416 a------- c:\windows\VBRUN300.DLL
    2009-04-19 18:34 99,888 a------- c:\windows\SAMBORA.SCR
    2009-04-18 16:45 <DIR> --d----- c:\program files\justDo Software
    2009-04-18 16:45 <DIR> --d----- c:\program files\common files\justDo

    ==================== Find3M ====================

    2009-03-17 22:33 141,199 a------- c:\windows\hpoins14.dat
    2003-09-16 01:19 99,544 a------- c:\windows\inf\virprn.exe
    2003-09-16 01:19 18,950 a------- c:\windows\inf\virpntd.dll
    2003-09-16 01:19 10,240 a------- c:\windows\inf\virport.dll
    2003-09-16 01:19 90,624 a------- c:\windows\inf\prtproc.dll
    2004-08-04 15:00 159,140 a--shr-- c:\windows\system32\cveqhr.dll
    2008-07-04 13:23 32 a--sh--- c:\windows\system32\drivers\fidbox.dat
    2008-07-04 13:23 114,720 a--sh--- c:\windows\system32\drivers\fidbox2.dat

    ============= FINISH: 23:07:52.55 ===============


    Attach log:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-03-16.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/30/2008 6:42:48 PM
    System Uptime: 5/3/2009 10:54:22 PM (1 hours ago)

    Motherboard: ASUSTeK Computer INC. | | M2V
    Processor: AMD Athlon(tm) 64 Processor 3000+ | SOCKET AM2 | 1799/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 20 GiB total, 1.29 GiB free.
    D: is FIXED (NTFS) - 130 GiB total, 6.117 GiB free.
    E: is FIXED (NTFS) - 130 GiB total, 1.083 GiB free.
    F: is CDROM (CDFS)
    G: is CDROM ()
    H: is CDROM ()
    I: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: System Interrupt Controller
    Device ID: PCI\VEN_1106&DEV_5351&SUBSYS_00000000&REV_00\3&267A616A&0&05
    Manufacturer:
    Name: System Interrupt Controller
    PNP Device ID: PCI\VEN_1106&DEV_5351&SUBSYS_00000000&REV_00\3&267A616A&0&05
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description:
    Device ID: ACPI\AWY0001\2&DABA3FF&0
    Manufacturer:
    Name:
    PNP Device ID: ACPI\AWY0001\2&DABA3FF&0
    Service:

    ==== System Restore Points ===================

    RP37: 4/30/2009 9:11:30 AM - System Checkpoint
    RP38: 5/2/2009 11:12:12 PM - System Checkpoint
    RP39: 5/3/2009 3:44:35 PM - Printer Driver Virtual PDF Printer Installed
    RP40: 5/3/2009 9:22:49 PM - Installed AVG 8.5
    RP41: 5/3/2009 10:38:55 PM - Removed ABBYY FineReader 9.0 Professional Edition
    RP42: 5/3/2009 10:40:30 PM - Removed AVG 8.5

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    ACDSee
    ACE Mega CoDecS Pack
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0
    Advanced GIF Animator 3.0
    AIO_Scan
    AnalogX Vocal Remover (WinAmp)
    Athlon 64 Processor Driver
    Attansic Ethernet Utility
    Attansic L1 Gigabit Ethernet Driver
    Big Fish Games Client
    BitLord 1.1
    BufferChm
    Camtasia Studio 5
    CDisplay 1.8
    Copy
    CustomerResearchQFolder
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DivX Codec
    DJ_AIO_ProductContext
    DJ_AIO_Software
    DJ_AIO_Software_min
    Easy Video Splitter 1.28
    eMule
    eSupportQFolder
    F2100
    F2100_doccd
    F2100_Help
    FlashCatcher
    Free Video Flip and Rotate version 1.4
    High Definition Audio Driver Package - KB888111
    HP Customer Participation Program 9.0
    HP Deskjet All-In-One Software 9.0
    HP Imaging Device Functions 9.0
    HP Photosmart Essential 2.01
    HP Photosmart Essential2.01
    HP Smart Web Printing
    HP Solution Center 9.0
    HP Update
    HPProductAssistant
    HPSSupply
    Java(TM) 6 Update 5
    Kaspersky Internet Security 2009 Beta
    Malwarebytes' Anti-Malware
    MarketResearch
    MCF Return To Ravenhearst 1.01
    Microsoft .NET Framework 2.0
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2005 Redistributable
    mIRC
    Mixed In Key 2.5
    MobTime Cell Phone Manager 2007 V6.2.1
    MP3 TAG REMOVER!
    Mpeg2Decoder 1.3
    Mystery Case Files Huntsville
    Mystery Case Files Prime Suspects
    Nero 6 Ultra Edition
    Opera 9.26
    PowerDirector
    PowerISO
    PowerProducer
    PSSWCORE
    QuickTime
    Realtek High Definition Audio Driver
    Scan
    SHOUTcast Source DSP 1.9.0 (remove only)
    SnadBoy's Revelation v2
    SolutionCenter
    Spyware Doctor 4.0
    Status
    TeamViewer 3
    The Secret of Margrave Manor
    Thrustmaster Force Feedback Driver
    Toolbox
    TrayApp
    TuneUp Utilities 2007
    UnloadSupport
    VideoLAN VLC media player 0.8.6c
    VideoToolkit01
    Virtual DJ - Atomix Productions
    Virtual PDF Printer 1.01
    WebFldrs XP
    WebReg
    Winamp (remove only)
    WinFast(R) Display Driver
    WinRAR archiver
    Yahoo! Messenger

    ==== Event Viewer Messages From Past Week ========

    5/2/2009 12:47:03 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    4/30/2009 9:10:16 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000034' while processing the file '_filelst.cfg' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    4/26/2009 1:26:00 PM, error: Service Control Manager [7023] - The Security Image service terminated with the following error: A dynamic link library (DLL) initialization routine failed.

    ==== End Of File ===========================


    Thank you very much. :)
     
    Last edited: 2009/05/03
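The DDS log above is long, and the entries that usually decide a case are a handful of lines: the Winlogon `UIHost` override, services that DDS can only show as an `svchost.exe` host process (the service named in the "Security Image" event log error is one of them), the Explorer policies that hide shell items, and the DNS servers on the `TCP:` line. The following triage helper is an added example and not a tool from this thread; `SAMPLE_DDS` is a constructed excerpt in DDS's own line format, the Winlogon defaults are the stock Windows XP values, and the set of policies treated as UI-hiding is an assumption of this example.

```python
"""Triage helper for the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections
of a DDS log.  Added example, not a tool from this thread.  SAMPLE_DDS is a
constructed excerpt modelled on the log posted above; the defaults and policy
names used as heuristics are stated inline."""
import re

# Constructed excerpt (a handful of lines in the shape DDS prints them).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ro/
mWinlogon: UIHost=SKULL.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
uPolicies-explorer: NoInternetIcon = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
TCP: {BD3367CC-EF77-4368-BE28-60D8F3A12104} = 213.154.124.1 193.231.252.1
Notify: klogon - c:\windows\system32\klogon.dll

============= SERVICES / DRIVERS ===============

R2 avp;avp;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-6-23 206088]
S2 giokmoh;Security Image;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-7-4 210960]
"""

# Stock Windows XP values for the Winlogon entries DDS reports (known defaults).
WINLOGON_DEFAULTS = {"UIHost": "logonui.exe", "Shell": "Explorer.exe"}

# Explorer policies that remove UI the user would normally reach; which ones
# matter is an analyst's choice, so this list is an assumption of this example.
UI_HIDING_POLICIES = {"NoInternetIcon", "NoSMConfigurePrograms", "NoSMMyDocs",
                      "NoResolveTrack", "NoInstrumentation"}

SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) \[([^\]]*)\]$", re.M)
WINLOGON_RE = re.compile(r"^[umd]Winlogon: (\w+)=(.*)$", re.M)
POLICY_RE = re.compile(r"^[umd]Policies-explorer: (\w+) = 1\b", re.M)
TCP_RE = re.compile(r"^TCP: \{[^}]+\} = (.*)$", re.M)


def parse_services(text):
    """Return one dict per R*/S* line: state, name, display name, image, stamp."""
    return [dict(state=m[1], name=m[2], display=m[3], image=m[4], stamp=m[5])
            for m in SERVICE_RE.finditer(text)]


def winlogon_overrides(text):
    """Winlogon entries whose value differs from the known default (case-insensitive)."""
    out = []
    for key, value in WINLOGON_RE.findall(text):
        default = WINLOGON_DEFAULTS.get(key)
        if default is None or value.strip().lower() != default.lower():
            out.append((key, value.strip()))
    return out


def svchost_hosted(services):
    """Names of services DDS shows only as an svchost.exe host process.  The
    DLL actually loaded is the ServiceDll value under the service's Parameters
    key, which DDS does not print, so these need a follow-up registry check."""
    return [s["name"] for s in services
            if "svchost.exe -k" in s["image"].lower()]


def ui_hiding_policies(text):
    """Explorer policy names set to 1 that hide parts of the shell."""
    return sorted(set(POLICY_RE.findall(text)) & UI_HIDING_POLICIES)


def nameservers(text):
    """DNS servers configured on the interface DDS lists (TCP: line)."""
    return [ip for line in TCP_RE.findall(text) for ip in line.split()]


def triage(text):
    """Collect the few findings worth reading first from a whole DDS log."""
    services = parse_services(text)
    return {
        "winlogon_overrides": winlogon_overrides(text),
        "svchost_hosted": svchost_hosted(services),
        "policies": ui_hiding_policies(text),
        "nameservers": nameservers(text),
        "service_count": len(services),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

Run against a full log, `triage()` gives a reviewer a short list to check against the machine rather than a verdict: a Winlogon `UIHost` that is not `logonui.exe` is a replacement of the logon screen binary and needs its file examined, and an `svchost`-hosted service only becomes attributable once its `ServiceDll` value is read from the registry, which is exactly the kind of follow-up query a helper asks for next.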
  2. 2009/05/16
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hi and welcome

    Let's try to get a few tools on the computer, if we run into problems please go to a clean computer and download > Transfer over by USB/Flash drive.



    Please download RegQuery by Noviciate to your desktop
    • Copy the following registry keypath by highlighting the text and pressing CTRL and C at the same time
      • [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    • Double click RegQuery.exe to run the program
    • Paste the text you have copied using CTRL and V, into the textbox
    • Click the Query button
    • A Notepad file will open. Please paste the contents in your next reply
    • You may now close the RegQuery program





    NEXT**

    Download worksnow from HERE:

    * IMPORTANT !!! Save worksnow to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

    • Double click on worksnow & follow the prompts.

      Note: worksnow will run without the Recovery Console installed.
    • As part of its process, combofix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    [​IMG]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [​IMG]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    "copy/paste" a new HijackThis log file into this thread as well.

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Give it at least 20-30 minutes to finish if needed.




    In your next reply post:
    RegQuery log
    ComboFix.txt
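The RegQuery step above exports the `drivers32` key, where Windows maps codec and audio/video mapper names to the module that services them. Reading such an export by hand is tedious, so here is an added example (not part of this thread, and not RegQuery's own code) of a small `.reg` parser that decodes the quoted-string and `dword:` value types and then sorts entries two ways: modules named without a directory, which are resolved through the DLL search order rather than a fixed path, and full-path entries grouped by directory, so a directory that appears once among dozens of codec entries stands out. `SAMPLE_REG` is a constructed excerpt modelled on the export posted later in this thread.

```python
"""Parser for a .reg export of the drivers32 key (what the RegQuery step above
produces).  Added example, not part of the thread; SAMPLE_REG is a constructed
excerpt modelled on the export posted later in this thread."""
import re
from collections import defaultdict

# Constructed excerpt of a RegQuery/regedit export of drivers32.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midimapper"="midimap.dll"
"wavemapper"="msacm32.drv"
"msacm.iac2"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\iac25_32.ax"
"vidc.tscc"="tsccvid.dll"
"vidc.yv12"="DivX.dll"
"vidc.xvid"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\XviD\\xvidvfw.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')


def _decode(raw):
    """Decode a .reg value: quoted strings (with \\ and \" escapes) or dword:hex."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # other types (hex:, etc.) are kept verbatim


def parse_reg(text):
    """Map each [section] to a dict of value name -> decoded value."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m[1], {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m[1]] = _decode(m[2])
    return sections


def bare_name_entries(values):
    """Entries that name a file without a directory.  Such a module is found
    through the DLL search order rather than a fixed path, so which file is
    actually loaded depends on which directory answers first."""
    return {k: v for k, v in values.items()
            if isinstance(v, str) and "\\" not in v}


def by_directory(values):
    """Group full-path entries by the directory they load from."""
    groups = defaultdict(list)
    for name, path in values.items():
        if isinstance(path, str):
            directory, sep, _ = path.rpartition("\\")
            if sep:
                groups[directory].append(name)
    return dict(groups)


if __name__ == "__main__":
    drv = parse_reg(SAMPLE_REG)[
        r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32"]
    print("search-path entries:", bare_name_entries(drv))
    for directory, names in by_directory(drv).items():
        print(directory, "->", names)
```

The grouping is the useful part for review: a codec pack legitimately fills the key with entries under one tree (the `ACEMEG~1\SystemS` directory in the posted export), so an entry pointing somewhere else, or a bare module name that does not belong to Windows, is the one to check on disk before deciding anything.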
     


  4. 2009/05/16
    stained

    stained Inactive Thread Starter

    Joined:
    2009/05/03
    Messages:
    9
    Likes Received:
    0
    Hello. Posting the logs as requested:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "midimapper"="midimap.dll"
    "wavemapper"="msacm32.drv"
    "msacm.iac2"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\iac25_32.ax"
    "midi"="wdmaud.drv"
    "aux"="wdmaud.drv"
    "vidc.avrn"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\AVIDAV~1.DLL"
    "vidc.advj"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\AVIDAV~1.DLL"
    "vidc.mszh"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\avimszh.dll"
    "vidc.zlib"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\avizlib.dll"
    "vidc.cscd"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\camcodec.dll"
    "vidc.cvid"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\iccvid.dll"
    "msacm.trspch"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\tssoft32.acm"
    "vidc.em2v"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\etxcodec.dll"
    "vidc.mkvc"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\kmvidc32.dll"
    "vidc.hfyu"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\huffyuv.dll"
    "msacm.lameacm"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\lameacm.acm"
    "msacm.lhacm"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\lhacm.acm"
    "msacm.l3acm"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\l3codecp.acm"
    "vidc.sjpg"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\pmjpeg32.dll"
    "vidc.dmb2"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\pmjpeg32.dll"
    "vidc.gepj"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\pmjpeg32.dll"
    "vidc.qpeg"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Qpeg32.dll"
    "vidc.q1.0"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Qpeg32.dll"
    "msacm.sl_anet"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\sl_anet.acm"
    "vidc.tscc"="tsccvid.dll"
    "vidc.vifp"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\vfcodec.dll"
    "vidc.wrpr"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\aviwrap.dll"
    "vidc.wnv1"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\wnvplay1.dll"
    "vidc.advs"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Adaptec\\Dvc.dll"
    "vidc.aflc"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Autodesk\\FLCCOD~1.DLL"
    "vidc.afli"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Autodesk\\FLCCOD~1.DLL"
    "vidc.aasc"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Autodesk\\Aasc32.dll"
    "vidc.aas4"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Autodesk\\Aasc32.dll"
    "vidc.asv1"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\ASUS\\asusasv1.dll"
    "vidc.asv2"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\ASUS\\asusasv2.dll"
    "vidc.asvx"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\ASUS\\asusasv2.dll"
    "vidc.vcr1"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\ATI\\ativcr1.dll"
    "vidc.vcr2"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\ATI\\ativcr2.dll"
    "vidc.yv12"="DivX.dll"
    "vidc.mwv1"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Aware\\icmw_32.dll"
    "vidc.bt20"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\BROOKT~1\\btvvc32.drv"
    "vidc.y41p"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\BROOKT~1\\btvvc32.drv"
    "msacm.pcdv"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Canopus\\pcdv.acm"
    "vidc.cdvc"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Canopus\\CSCCDVC.DLL"
    "vidc.ddvc"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Canopus\\CSCdvsd.DLL"
    "vidc.png1"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Core\\COREPN~1.DLL"
    "msacm.CoreFLAC_ACM"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Core\\COREFL~1.ACM"
    "vidc.davc"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\dicas\\davcvfw.dll"
    "vidc.div3"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\DivX\\DivXc32.dll"
    "vidc.div5"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\DivX\\DivXc32.dll"
    "vidc.mpg3"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\DivX\\DivXc32.dll"
    "vidc.div4"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\DivX\\DivXc32f.dll"
    "vidc.div6"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\DivX\\DivXc32f.dll"
    "vidc.ap41"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\DivX\\DivXc32f.dll"
    "vidc.dvx4"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\DivX\\divx4.dll"
    "msacm.divxa32"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\DivX\\divxa32.acm"
    "vidc.frwd"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Forward\\frwd.dll"
    "vidc.frwt"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Forward\\frwd.dll"
    "vidc.frwa"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Forward\\frwt.dll"
    "vidc.frwu"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Forward\\frwu.dll"
    "vidc.glzw"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Gabest\\GLZW.dll"
    "vidc.gpeg"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Gabest\\GPEG.dll"
    "vidc.i263"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\i263_32.drv"
    "vidc.iv30"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll"
    "vidc.iv31"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll"
    "vidc.iv32"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll"
    "vidc.iv33"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll"
    "vidc.iv34"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll"
    "vidc.iv35"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll"
    "vidc.iv36"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll"
    "vidc.iv37"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll"
    "vidc.iv38"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll"
    "vidc.iv39"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll"
    "vidc.iv40"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll"
    "vidc.iv41"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll"
    "vidc.iv42"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll"
    "vidc.iv43"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll"
    "vidc.iv44"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll"
    "vidc.iv45"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll"
    "vidc.iv46"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll"
    "vidc.iv47"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll"
    "vidc.iv48"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll"
    "vidc.iv49"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll"
    "vidc.iv50"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir50_32.dll"
    "VIDC.IYUV"="iyuv_32.dll"
    "VIDC.YVU9"="tsbyuv.dll"
    "vidc.ir21"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\IR21_R.DLL"
    "vidc.rt21"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\IR21_R.DLL"
    "msacm.imc"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\IMC32.ACM"
    "vidc.lead"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\LEAD\\LCODCCMP.DLL"
    "vidc.dvsd"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MAINCO~1\\MCDVD_32.DLL"
    "vidc.dvc"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MAINCO~1\\MCDVD_32.DLL"
    "vidc.dvcs"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MAINCO~1\\MCDVD_32.DLL"
    "vidc.dcmj"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MAINCO~1\\MCMJPG32.DLL"
    "vidc.avi1"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MAINCO~1\\MCMJPG32.DLL"
    "vidc.avi2"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MAINCO~1\\MCMJPG32.DLL"
    "vidc.dv25"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll"
    "vidc.dv50"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll"
    "vidc.msmc"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll"
    "vidc.mmjp"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll"
    "vidc.mtx1"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll"
    "vidc.mtx2"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll"
    "vidc.mtx3"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll"
    "vidc.mtx4"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll"
    "vidc.mtx5"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll"
    "vidc.mtx6"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll"
    "vidc.mtx7"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll"
    "vidc.mtx8"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll"
    "vidc.mtx9"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll"
    "vidc.mmes"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll"
    "msacm.msadpcm"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msadp32.acm"
    "msacm.imaadpcm"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\imaadp32.acm"
    "msacm.msg711"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msg711.acm"
    "msacm.msg723"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msg723.acm"
    "msacm.msgsm610"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msgsm32.acm"
    "vidc.m261"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msh261.drv"
    "vidc.m263"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msh263.drv"
    "VIDC.I420"="msh263.drv"
    "vidc.mrle"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msrle32.dll"
    "VIDC.UYVY"="msyuv.dll"
    "VIDC.YUY2"="msyuv.dll"
    "VIDC.YVYU"="msyuv.dll"
    "vidc.msvc"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msvidc32.dll"
    "vidc.cram"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msvidc32.dll"
    "vidc.mpg4"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\mpg4c32.dll"
    "vidc.mp41"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\mpg4c32.dll"
    "vidc.mp42"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\mpg4c32.dll"
    "vidc.mp43"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\mpg4c32.dll"
    "vidc.mp4s"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\mpg4c32.dll"
    "vidc.mp4v"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\mpg4c32.dll"
    "vidc.wmv3"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\WMV9VCM.dll"
    "msacm.msaudio1"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msaud32.acm"
    "vidc.vixl"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Miro\\miroxl32.dll"
    "vidc.nt00"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Newtek\\ntcodec.dll"
    "msacm.vorbis"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\OGG\\vorbis.acm"
    "vidc.vp30"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\ON2TEC~1\\vp31vfw.dll"
    "vidc.vp31"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\ON2TEC~1\\vp31vfw.dll"
    "vidc.vp60"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\ON2TEC~1\\vp6vfw.dll"
    "vidc.vp61"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\ON2TEC~1\\vp6vfw.dll"
    "vidc.pdvc"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\PANASO~1\\idvcodec.dll"
    "vidc.ipdv"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\PANASO~1\\idvcodec.dll"
    "vidc.pvw2"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Pegasus\\pvwv220.dll"
    "vidc.pimj"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Pegasus\\pvljpg20.dll"
    "vidc.mjpx"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Pegasus\\pvmjpg21.dll"
    "vidc.miro"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Pinnacle\\MIRODV~1.DLL"
    "vidc.dcap"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Pinnacle\\MIRODV~1.DLL"
    "vidc.mjpa"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Pinnacle\\RTMJPG~1.DLL"
    "vidc.gpjm"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Pinnacle\\RTMJPG~1.DLL"
    "vidc.pim1"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Pinnacle\\pclepim1.dll"
    "msacm.qmpeg"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\QDesign\\qmpeg.acm"
    "vidc.rmp4"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\REALMA~1\\rmp4.dll"
    "vidc.rud0"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Rududu\\rududu.dll"
    "msacm.at3"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\SONY\\atrac3.acm"
    "vidc.sony"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\SONY\\sonydv.dll"
    "vidc.dvcp"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\SONY\\sonydv.dll"
    "vidc.s422"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Tekram\\tekyuv.dll"
    "vidc.t420"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Toshiba\\tsbyuv.dll"
    "vidc.y411"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Toshiba\\tsbyuv.dll"
    "vidc.vssv"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\VANGUA~1\\vsscodec.dll"
    "msacm.voxacm160"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\VoxWare\\vct3216.acm"
    "vidc.xvid"="C:\\PROGRA~1\\ACEMEG~1\\SystemS\\XviD\\xvidvfw.dll"
    "vidc.DIVX"="DivX.dll"
    "MSVideo8"="VfWWDM32.dll"
    "mixer"="wdmaud.drv"
    "mixer1"="wdmaud.drv"
    "wave"="wdmaud.drv"
    "wave1"="wdmaud.drv"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
    "wave"="rdpsnd.dll"
    "mixer"="rdpsnd.dll"
    "MaxBandwidth"=dword:000056b9
    "wavemapper"="msacm32.drv"
    "EnableMP3Codec"=dword:00000001
    "midimapper"="midimap.dll"

    ComboFix 09-05-15.06 - Administrator 05/16/2009 16:20.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1023.518 [GMT 3:00]
    Running from: D:\3453.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\AutoRun.inf
    c:\windows\system32\tmp.reg

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NPF


    ((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
    .

    2009-05-16 13:14 . 2009-05-16 13:15 -------- d-----w C:\worksnow
    2009-05-15 18:58 . 2009-05-15 19:13 -------- d-----w C:\Games
    2009-05-12 17:15 . 2009-05-12 17:22 -------- d-----w C:\garf2
    2009-05-11 14:36 . 2009-05-11 14:36 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-05-11 14:36 . 2009-05-14 20:10 -------- d-----w c:\program files\SUPERAntiSpyware
    2009-05-11 14:36 . 2009-05-11 14:36 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2009-05-09 20:47 . 2009-05-09 20:47 -------- d-----w C:\Vlad
    2009-05-08 17:12 . 2009-05-09 20:47 -------- d-----w C:\Alexandra
    2009-05-05 20:00 . 2009-05-05 20:00 -------- d-----w c:\program files\Common Files\ABBYY
    2009-05-05 19:57 . 2009-05-05 20:05 -------- d-----w c:\program files\ABBYY FineReader 9.0
    2009-05-05 17:53 . 2009-05-09 14:27 -------- d-----w C:\garf
    2009-05-03 23:48 . 2009-05-03 23:50 -------- d-----w c:\documents and settings\Administrator\SmitfraudFix
    2009-05-03 23:41 . 2009-05-03 23:41 -------- d-----w C:\ClamWinPortable
    2009-05-03 18:22 . 2009-05-03 18:22 -------- d-----w c:\program files\AVG
    2009-05-03 17:16 . 2009-05-03 17:16 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-05-03 17:16 . 2009-04-06 12:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-05-03 17:16 . 2009-04-06 12:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-03 17:16 . 2009-05-03 17:16 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-05-03 17:16 . 2009-05-03 17:16 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-05-03 12:44 . 2003-09-15 22:19 10240 ----a-w c:\windows\system32\virport.dll
    2009-05-03 12:44 . 2009-05-03 12:44 -------- d-----w c:\program files\Virtual PDF Printer
    2009-04-25 12:12 . 2009-04-28 15:26 -------- d-----w C:\AAV8.5.287.1483
    2009-04-22 19:40 . 2009-05-15 17:15 -------- d-----w C:\Deya
    2009-04-19 15:34 . 1996-10-01 08:48 99888 ----a-w c:\windows\SAMBORA.SCR
    2009-04-19 15:34 . 1993-05-12 03:30 398416 ----a-w c:\windows\VBRUN300.DLL
    2009-04-18 13:45 . 2009-04-18 13:45 -------- d-----w c:\program files\justDo Software
    2009-04-18 13:45 . 2009-04-18 13:45 -------- d-----w c:\program files\Common Files\justDo

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-11 14:36 . 2008-03-30 15:30 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-05-03 19:36 . 2009-02-03 17:04 -------- d-----w c:\program files\vgif
    2009-05-03 00:52 . 2008-03-30 17:11 -------- d-----w c:\program files\Progz Without Install
    2009-04-26 11:05 . 2008-03-30 16:39 -------- d--h--w c:\program files\InstallShield Installation Information
    2009-04-02 17:40 . 2009-04-02 17:40 -------- d-----w c:\program files\Mixed In Key
    2009-03-17 19:33 . 2008-04-28 11:56 141199 ----a-w c:\windows\hpoins14.dat
    2004-08-04 12:00 . 2004-08-04 12:00 159140 --sha-r c:\windows\system32\cveqhr.dll
    2008-07-04 10:23 . 2008-07-04 10:21 32 --sha-w c:\windows\system32\drivers\fidbox.dat
    2008-07-04 10:23 . 2008-07-04 10:21 114720 --sha-w c:\windows\system32\drivers\fidbox2.dat
    .

    ------- Sigcheck -------

    [-] 2006-01-26 20:14 359040 27A5959C94EE173A063CA06BD14F021A c:\windows\system32\drivers\tcpip.sys

    [-] 2006-01-25 15:24 2321152 F2E56B0097FC24C1E892D819C67F6A0E c:\windows\system32\ntoskrnl.exe

    [-] 2006-02-07 21:06 1172992 47976471B190898D95130737E3FBBE27 c:\windows\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware "= "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-28 1830128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
    "snpstd "= "c:\windows\vsnpstd.exe" [2005-10-11 339968]
    "Virtual PDF Printer "= "c:\program files\Virtual PDF Printer\VirtualPDFPrinter.exe" [2003-09-29 688128]
    "Malwarebytes' Anti-Malware "= "c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-05-24 282624]
    "NvMediaCenter "= "NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-06-01 86016]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nlsf "= "move" [X]
    "tscuninstall "= "c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
    "RunNarrator "= "Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel "= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack "= 1 (0x1)
    "NoSMMyDocs "= 1 (0x1)
    "NoSMConfigurePrograms "= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoInternetIcon "= 1 (0x1)
    "NoResolveTrack "= 1 (0x1)
    "NoSMMyDocs "= 1 (0x1)
    "NoSMConfigurePrograms "= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost "= "SKULL.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 09:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Alcmtr "=ALCMTR.EXE
    "NeroFilterCheck "=c:\windows\system32\NeroCheck.exe
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" -atboottime
    "HP Software Update "=c:\program files\HP\HP Software Update\HPWuSchd2.exe
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_05\bin\jusched.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "= "0x00000000 "
    "UpdatesDisableNotify "= "0x00000000 "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe "=
    "d:\\Programs\\BitLord\\BitLord.exe "=
    "c:\\Program Files\\mIRC\\mirc.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "d:\\DC\\DCPlusPlus.exe "=
    "c:\\Documents and Settings\\Administrator\\Desktop\\Total Commander.exe "=
    "c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe "=
    "c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.323\\English\\setup.exe "=
    "c:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 2009\\avp.exe "=
    "c:\\Program Files\\SUPERAntiSpyware\\RUNSAS.EXE "=
    "c:\\Program Files\\eMule\\emule.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:@xpsp2res.dll,-22009
    "6392:TCP "= 6392:TCP:yfgeac

    R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [3/30/2008 7:59 PM 61184]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
    R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [12/6/2007 9:03 PM 660768]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/3/2009 8:16 PM 179856]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [7/23/2008 3:02 AM 31104]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/3/2009 8:16 PM 15504]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
    S2 giokmoh;Security Image;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 3:00 PM 14336]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [11/1/2008 10:53 PM 16512]
    S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmumdm.sys [4/1/2008 7:27 PM 88960]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mchInjDrv

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    giokmoh
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-15 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 15:53]
    .
    - - - - ORPHANS REMOVED - - - -

    HKU-Default-Run-Spyware Doctor - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    IE: Save Flash with Flash Catcher - c:\program files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
    IE: {{90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - res://c:\program files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
    TCP: {BD3367CC-EF77-4368-BE28-60D8F3A12104} = 213.154.124.1 193.231.252.1
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-16 16:25
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet005\Services\mchInjDrv]
    "ImagePath "= "\??\c:\windows\TEMP\mc21.tmp "

    [HKEY_LOCAL_MACHINE\System\ControlSet005\Services\giokmoh]
    "ServiceDll "= "c:\windows\system32\cveqhr.dll "
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-725345543-1563985344-854245398-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3878A484-FFFF-977D-6C8F-6BEBDC013B96}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(824)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\klogon.dll

    - - - - - - - > 'explorer.exe'(5036)
    c:\windows\system32\msi.dll
    c:\program files\SUPERAntiSpyware\SASSEH.DLL
    c:\progra~1\MICROS~1\OFFICE11\MCPS.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\savedump.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\program files\Spyware Doctor\sdhelp.exe
    c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    c:\documents and settings\Administrator\Desktop\Total Commander.exe
    .
    **************************************************************************
    .
    Completion time: 2009-05-16 16:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-16 13:28

    Pre-Run: 3,455,078,400 bytes free
    Post-Run: 3,404,091,392 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
     
  5. 2009/05/16
    stained

    RegQuery Log:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "midimapper "= "midimap.dll "
    "wavemapper "= "msacm32.drv "
    "msacm.iac2 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\iac25_32.ax "
    "midi "= "wdmaud.drv "
    "aux "= "wdmaud.drv "
    "vidc.avrn "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\AVIDAV~1.DLL "
    "vidc.advj "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\AVIDAV~1.DLL "
    "vidc.mszh "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\avimszh.dll "
    "vidc.zlib "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\avizlib.dll "
    "vidc.cscd "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\camcodec.dll "
    "vidc.cvid "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\iccvid.dll "
    "msacm.trspch "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\tssoft32.acm "
    "vidc.em2v "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\etxcodec.dll "
    "vidc.mkvc "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\kmvidc32.dll "
    "vidc.hfyu "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\huffyuv.dll "
    "msacm.lameacm "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\lameacm.acm "
    "msacm.lhacm "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\lhacm.acm "
    "msacm.l3acm "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\l3codecp.acm "
    "vidc.sjpg "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\pmjpeg32.dll "
    "vidc.dmb2 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\pmjpeg32.dll "
    "vidc.gepj "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\pmjpeg32.dll "
    "vidc.qpeg "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Qpeg32.dll "
    "vidc.q1.0 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Qpeg32.dll "
    "msacm.sl_anet "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\sl_anet.acm "
    "vidc.tscc "= "tsccvid.dll "
    "vidc.vifp "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\vfcodec.dll "
    "vidc.wrpr "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\aviwrap.dll "
    "vidc.wnv1 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\wnvplay1.dll "
    "vidc.advs "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Adaptec\\Dvc.dll "
    "vidc.aflc "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Autodesk\\FLCCOD~1.DLL "
    "vidc.afli "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Autodesk\\FLCCOD~1.DLL "
    "vidc.aasc "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Autodesk\\Aasc32.dll "
    "vidc.aas4 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Autodesk\\Aasc32.dll "
    "vidc.asv1 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\ASUS\\asusasv1.dll "
    "vidc.asv2 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\ASUS\\asusasv2.dll "
    "vidc.asvx "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\ASUS\\asusasv2.dll "
    "vidc.vcr1 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\ATI\\ativcr1.dll "
    "vidc.vcr2 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\ATI\\ativcr2.dll "
    "vidc.yv12 "= "DivX.dll "
    "vidc.mwv1 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Aware\\icmw_32.dll "
    "vidc.bt20 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\BROOKT~1\\btvvc32.drv "
    "vidc.y41p "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\BROOKT~1\\btvvc32.drv "
    "msacm.pcdv "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Canopus\\pcdv.acm "
    "vidc.cdvc "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Canopus\\CSCCDVC.DLL "
    "vidc.ddvc "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Canopus\\CSCdvsd.DLL "
    "vidc.png1 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Core\\COREPN~1.DLL "
    "msacm.CoreFLAC_ACM "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Core\\COREFL~1.ACM "
    "vidc.davc "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\dicas\\davcvfw.dll "
    "vidc.div3 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\DivX\\DivXc32.dll "
    "vidc.div5 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\DivX\\DivXc32.dll "
    "vidc.mpg3 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\DivX\\DivXc32.dll "
    "vidc.div4 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\DivX\\DivXc32f.dll "
    "vidc.div6 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\DivX\\DivXc32f.dll "
    "vidc.ap41 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\DivX\\DivXc32f.dll "
    "vidc.dvx4 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\DivX\\divx4.dll "
    "msacm.divxa32 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\DivX\\divxa32.acm "
    "vidc.frwd "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Forward\\frwd.dll "
    "vidc.frwt "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Forward\\frwd.dll "
    "vidc.frwa "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Forward\\frwt.dll "
    "vidc.frwu "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Forward\\frwu.dll "
    "vidc.glzw "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Gabest\\GLZW.dll "
    "vidc.gpeg "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Gabest\\GPEG.dll "
    "vidc.i263 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\i263_32.drv "
    "vidc.iv30 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll "
    "vidc.iv31 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll "
    "vidc.iv32 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll "
    "vidc.iv33 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll "
    "vidc.iv34 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll "
    "vidc.iv35 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll "
    "vidc.iv36 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll "
    "vidc.iv37 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll "
    "vidc.iv38 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll "
    "vidc.iv39 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir32_32.dll "
    "vidc.iv40 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll "
    "vidc.iv41 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll "
    "vidc.iv42 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll "
    "vidc.iv43 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll "
    "vidc.iv44 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll "
    "vidc.iv45 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll "
    "vidc.iv46 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll "
    "vidc.iv47 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll "
    "vidc.iv48 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll "
    "vidc.iv49 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir41_32.dll "
    "vidc.iv50 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\ir50_32.dll "
    "VIDC.IYUV "= "iyuv_32.dll "
    "VIDC.YVU9 "= "tsbyuv.dll "
    "vidc.ir21 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\IR21_R.DLL "
    "vidc.rt21 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\IR21_R.DLL "
    "msacm.imc "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Intel\\IMC32.ACM "
    "vidc.lead "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\LEAD\\LCODCCMP.DLL "
    "vidc.dvsd "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MAINCO~1\\MCDVD_32.DLL "
    "vidc.dvc "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MAINCO~1\\MCDVD_32.DLL "
    "vidc.dvcs "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MAINCO~1\\MCDVD_32.DLL "
    "vidc.dcmj "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MAINCO~1\\MCMJPG32.DLL "
    "vidc.avi1 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MAINCO~1\\MCMJPG32.DLL "
    "vidc.avi2 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MAINCO~1\\MCMJPG32.DLL "
    "vidc.dv25 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll "
    "vidc.dv50 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll "
    "vidc.msmc "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll "
    "vidc.mmjp "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll "
    "vidc.mtx1 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll "
    "vidc.mtx2 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll "
    "vidc.mtx3 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll "
    "vidc.mtx4 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll "
    "vidc.mtx5 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll "
    "vidc.mtx6 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll "
    "vidc.mtx7 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll "
    "vidc.mtx8 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll "
    "vidc.mtx9 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll "
    "vidc.mmes "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Matrox\\DigiVCap.dll "
    "msacm.msadpcm "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msadp32.acm "
    "msacm.imaadpcm "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\imaadp32.acm "
    "msacm.msg711 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msg711.acm "
    "msacm.msg723 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msg723.acm "
    "msacm.msgsm610 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msgsm32.acm "
    "vidc.m261 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msh261.drv "
    "vidc.m263 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msh263.drv "
    "VIDC.I420 "= "msh263.drv "
    "vidc.mrle "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msrle32.dll "
    "VIDC.UYVY "= "msyuv.dll "
    "VIDC.YUY2 "= "msyuv.dll "
    "VIDC.YVYU "= "msyuv.dll "
    "vidc.msvc "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msvidc32.dll "
    "vidc.cram "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msvidc32.dll "
    "vidc.mpg4 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\mpg4c32.dll "
    "vidc.mp41 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\mpg4c32.dll "
    "vidc.mp42 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\mpg4c32.dll "
    "vidc.mp43 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\mpg4c32.dll "
    "vidc.mp4s "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\mpg4c32.dll "
    "vidc.mp4v "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\mpg4c32.dll "
    "vidc.wmv3 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\WMV9VCM.dll "
    "msacm.msaudio1 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\MICROS~1\\msaud32.acm "
    "vidc.vixl "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Miro\\miroxl32.dll "
    "vidc.nt00 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Newtek\\ntcodec.dll "
    "msacm.vorbis "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\OGG\\vorbis.acm "
    "vidc.vp30 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\ON2TEC~1\\vp31vfw.dll "
    "vidc.vp31 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\ON2TEC~1\\vp31vfw.dll "
    "vidc.vp60 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\ON2TEC~1\\vp6vfw.dll "
    "vidc.vp61 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\ON2TEC~1\\vp6vfw.dll "
    "vidc.pdvc "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\PANASO~1\\idvcodec.dll "
    "vidc.ipdv "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\PANASO~1\\idvcodec.dll "
    "vidc.pvw2 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Pegasus\\pvwv220.dll "
    "vidc.pimj "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Pegasus\\pvljpg20.dll "
    "vidc.mjpx "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Pegasus\\pvmjpg21.dll "
    "vidc.miro "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Pinnacle\\MIRODV~1.DLL "
    "vidc.dcap "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Pinnacle\\MIRODV~1.DLL "
    "vidc.mjpa "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Pinnacle\\RTMJPG~1.DLL "
    "vidc.gpjm "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Pinnacle\\RTMJPG~1.DLL "
    "vidc.pim1 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Pinnacle\\pclepim1.dll "
    "msacm.qmpeg "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\QDesign\\qmpeg.acm "
    "vidc.rmp4 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\REALMA~1\\rmp4.dll "
    "vidc.rud0 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Rududu\\rududu.dll "
    "msacm.at3 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\SONY\\atrac3.acm "
    "vidc.sony "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\SONY\\sonydv.dll "
    "vidc.dvcp "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\SONY\\sonydv.dll "
    "vidc.s422 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Tekram\\tekyuv.dll "
    "vidc.t420 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Toshiba\\tsbyuv.dll "
    "vidc.y411 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\Toshiba\\tsbyuv.dll "
    "vidc.vssv "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\VANGUA~1\\vsscodec.dll "
    "msacm.voxacm160 "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\VoxWare\\vct3216.acm "
    "vidc.xvid "= "C:\\PROGRA~1\\ACEMEG~1\\SystemS\\XviD\\xvidvfw.dll "
    "vidc.DIVX "= "DivX.dll "
    "MSVideo8 "= "VfWWDM32.dll "
    "mixer "= "wdmaud.drv "
    "mixer1 "= "wdmaud.drv "
    "wave "= "wdmaud.drv "
    "wave1 "= "wdmaud.drv "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
    "wave "= "rdpsnd.dll "
    "mixer "= "rdpsnd.dll "
    "MaxBandwidth "=dword:000056b9
    "wavemapper "= "msacm32.drv "
    "EnableMP3Codec "=dword:00000001
    "midimapper "= "midimap.dll "

    ComboFix Log:

    ComboFix 09-05-15.06 - Administrator 05/16/2009 16:20.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1023.518 [GMT 3:00]
    Running from: D:\3453.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\AutoRun.inf
    c:\windows\system32\tmp.reg

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NPF


    ((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
    .

    2009-05-16 13:14 . 2009-05-16 13:15 -------- d-----w C:\worksnow
    2009-05-15 18:58 . 2009-05-15 19:13 -------- d-----w C:\Games
    2009-05-12 17:15 . 2009-05-12 17:22 -------- d-----w C:\garf2
    2009-05-11 14:36 . 2009-05-11 14:36 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-05-11 14:36 . 2009-05-14 20:10 -------- d-----w c:\program files\SUPERAntiSpyware
    2009-05-11 14:36 . 2009-05-11 14:36 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2009-05-09 20:47 . 2009-05-09 20:47 -------- d-----w C:\Vlad
    2009-05-08 17:12 . 2009-05-09 20:47 -------- d-----w C:\Alexandra
    2009-05-05 20:00 . 2009-05-05 20:00 -------- d-----w c:\program files\Common Files\ABBYY
    2009-05-05 19:57 . 2009-05-05 20:05 -------- d-----w c:\program files\ABBYY FineReader 9.0
    2009-05-05 17:53 . 2009-05-09 14:27 -------- d-----w C:\garf
    2009-05-03 23:48 . 2009-05-03 23:50 -------- d-----w c:\documents and settings\Administrator\SmitfraudFix
    2009-05-03 23:41 . 2009-05-03 23:41 -------- d-----w C:\ClamWinPortable
    2009-05-03 18:22 . 2009-05-03 18:22 -------- d-----w c:\program files\AVG
    2009-05-03 17:16 . 2009-05-03 17:16 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-05-03 17:16 . 2009-04-06 12:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-05-03 17:16 . 2009-04-06 12:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-03 17:16 . 2009-05-03 17:16 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-05-03 17:16 . 2009-05-03 17:16 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-05-03 12:44 . 2003-09-15 22:19 10240 ----a-w c:\windows\system32\virport.dll
    2009-05-03 12:44 . 2009-05-03 12:44 -------- d-----w c:\program files\Virtual PDF Printer
    2009-04-25 12:12 . 2009-04-28 15:26 -------- d-----w C:\AAV8.5.287.1483
    2009-04-22 19:40 . 2009-05-15 17:15 -------- d-----w C:\Deya
    2009-04-19 15:34 . 1996-10-01 08:48 99888 ----a-w c:\windows\SAMBORA.SCR
    2009-04-19 15:34 . 1993-05-12 03:30 398416 ----a-w c:\windows\VBRUN300.DLL
    2009-04-18 13:45 . 2009-04-18 13:45 -------- d-----w c:\program files\justDo Software
    2009-04-18 13:45 . 2009-04-18 13:45 -------- d-----w c:\program files\Common Files\justDo

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-11 14:36 . 2008-03-30 15:30 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-05-03 19:36 . 2009-02-03 17:04 -------- d-----w c:\program files\vgif
    2009-05-03 00:52 . 2008-03-30 17:11 -------- d-----w c:\program files\Progz Without Install
    2009-04-26 11:05 . 2008-03-30 16:39 -------- d--h--w c:\program files\InstallShield Installation Information
    2009-04-02 17:40 . 2009-04-02 17:40 -------- d-----w c:\program files\Mixed In Key
    2009-03-17 19:33 . 2008-04-28 11:56 141199 ----a-w c:\windows\hpoins14.dat
    2004-08-04 12:00 . 2004-08-04 12:00 159140 --sha-r c:\windows\system32\cveqhr.dll
    2008-07-04 10:23 . 2008-07-04 10:21 32 --sha-w c:\windows\system32\drivers\fidbox.dat
    2008-07-04 10:23 . 2008-07-04 10:21 114720 --sha-w c:\windows\system32\drivers\fidbox2.dat
    .

    ------- Sigcheck -------

    [-] 2006-01-26 20:14 359040 27A5959C94EE173A063CA06BD14F021A c:\windows\system32\drivers\tcpip.sys

    [-] 2006-01-25 15:24 2321152 F2E56B0097FC24C1E892D819C67F6A0E c:\windows\system32\ntoskrnl.exe

    [-] 2006-02-07 21:06 1172992 47976471B190898D95130737E3FBBE27 c:\windows\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware "= "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-28 1830128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
    "snpstd "= "c:\windows\vsnpstd.exe" [2005-10-11 339968]
    "Virtual PDF Printer "= "c:\program files\Virtual PDF Printer\VirtualPDFPrinter.exe" [2003-09-29 688128]
    "Malwarebytes' Anti-Malware "= "c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-05-24 282624]
    "NvMediaCenter "= "NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-06-01 86016]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nlsf "= "move" [X]
    "tscuninstall "= "c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
    "RunNarrator "= "Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel "= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack "= 1 (0x1)
    "NoSMMyDocs "= 1 (0x1)
    "NoSMConfigurePrograms "= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoInternetIcon "= 1 (0x1)
    "NoResolveTrack "= 1 (0x1)
    "NoSMMyDocs "= 1 (0x1)
    "NoSMConfigurePrograms "= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost "= "SKULL.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 09:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Alcmtr "=ALCMTR.EXE
    "NeroFilterCheck "=c:\windows\system32\NeroCheck.exe
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" -atboottime
    "HP Software Update "=c:\program files\HP\HP Software Update\HPWuSchd2.exe
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_05\bin\jusched.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "= "0x00000000 "
    "UpdatesDisableNotify "= "0x00000000 "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe "=
    "d:\\Programs\\BitLord\\BitLord.exe "=
    "c:\\Program Files\\mIRC\\mirc.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "d:\\DC\\DCPlusPlus.exe "=
    "c:\\Documents and Settings\\Administrator\\Desktop\\Total Commander.exe "=
    "c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe "=
    "c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.323\\English\\setup.exe "=
    "c:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 2009\\avp.exe "=
    "c:\\Program Files\\SUPERAntiSpyware\\RUNSAS.EXE "=
    "c:\\Program Files\\eMule\\emule.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP "= 3389:TCP:@xpsp2res.dll,-22009
    "6392:TCP "= 6392:TCP:yfgeac

    R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [3/30/2008 7:59 PM 61184]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
    R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [12/6/2007 9:03 PM 660768]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/3/2009 8:16 PM 179856]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [7/23/2008 3:02 AM 31104]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/3/2009 8:16 PM 15504]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
    S2 giokmoh;Security Image;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 3:00 PM 14336]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [11/1/2008 10:53 PM 16512]
    S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmumdm.sys [4/1/2008 7:27 PM 88960]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mchInjDrv

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    giokmoh
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-15 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 15:53]
    .
    - - - - ORPHANS REMOVED - - - -

    HKU-Default-Run-Spyware Doctor - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    IE: Save Flash with Flash Catcher - c:\program files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
    IE: {{90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - res://c:\program files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
    TCP: {BD3367CC-EF77-4368-BE28-60D8F3A12104} = 213.154.124.1 193.231.252.1
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-16 16:25
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet005\Services\mchInjDrv]
    "ImagePath "= "\??\c:\windows\TEMP\mc21.tmp "

    [HKEY_LOCAL_MACHINE\System\ControlSet005\Services\giokmoh]
    "ServiceDll "= "c:\windows\system32\cveqhr.dll "
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-725345543-1563985344-854245398-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3878A484-FFFF-977D-6C8F-6BEBDC013B96}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(824)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\klogon.dll

    - - - - - - - > 'explorer.exe'(5036)
    c:\windows\system32\msi.dll
    c:\program files\SUPERAntiSpyware\SASSEH.DLL
    c:\progra~1\MICROS~1\OFFICE11\MCPS.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\savedump.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\program files\Spyware Doctor\sdhelp.exe
    c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    c:\documents and settings\Administrator\Desktop\Total Commander.exe
    .
    **************************************************************************
    .
    Completion time: 2009-05-16 16:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-16 13:28

    Pre-Run: 3,455,078,400 bytes free
    Post-Run: 3,404,091,392 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
    221


    Thank You!
     
  6. 2009/05/16
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back
    Please move ComboFix from this location and ensure it is placed on desktop.
    If this doesn't go well let me know and I'll give you links to reinstall.

    Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.



    Go to My Computer->Tools->Folder Options->View tab:
    • Under the Hidden files and folders heading:
    • Select - Show hidden files and folders.
    • Uncheck- Hide protected operating system files (recommended) option.
    • Also, make sure there is no checkmark beside Hide file extensions for known file types.
    • Click OK. (Remember to Hide files and folders once done)

    Please go to: VirusTotal




    • Click the Browse button and search for the following file: c:\windows\system32\drivers\tcpip.sys
    • Click Open
    • Then click Send File
    • Please be patient while the file is scanned.
    • Once the scan results appear, please provide them in your next reply.
If it says already scanned, click "reanalyze now".


Also please have the following files scanned:
    c:\windows\system32\ntoskrnl.exe
    c:\windows\explorer.exe





    NEXT**
Next: Please disable all onboard security programs (all running with background protection) as they may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Please open Notepad *Do Not Use Wordpad or any other text editor than Notepad, or the script will fail!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the CODE box below:
Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
    Code:
    RegLockDel::
    [HKEY_LOCAL_MACHINE\System\ControlSet005\Services\giokmoh]
    RegNULL::
    [HKEY_USERS\S-1-5-21-725345543-1563985344-854245398-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3878A484-FFFF-977D-6C8F-6BEBDC013B96}*]
    File:: 
    c:\windows\system32\cveqhr.dll
    Driver::
    giokmoh
    NetSvc::
    giokmoh
[screenshot: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.




    Please download JavaRa to your desktop and unzip it to its own folder

    Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    Accept any prompts.
    Open JavaRa.exe again and select Search For Updates.
    Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

~~~~~~~~~~~~~~~~~~~~~~~~~

    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

• The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Once the scan is complete, click on View scan report. To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

(Note for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    Files requested scanned
    ComboFix.txt
    Kaspersky log
    New HJT log taken after the above scans have run



    You may need several replies to post the requested logs, otherwise they might get cut off.




    How's your computer now?
     
    Last edited: 2009/05/16
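A triage script for ComboFix-style logs, added here as an example (it is not ComboFix's, the forum's, or any named tool's code): it flags svchost-hosted services whose ServiceDll the same log lists with hidden+system attributes, the pattern the CFScript above removes (giokmoh / cveqhr.dll). The sample lines are constructed in the shape of the log posted above, and the regular expressions assume those line formats.

```python
"""Triage helper for ComboFix-style logs (added example; not code from ComboFix,
the forum post, or any tool named in the thread).  It flags a service hosted by
svchost.exe whose ServiceDll the same log lists with hidden+system attributes,
the pattern the CFScript removes.  Line formats are assumed from the posted log;
SAMPLE_LOG is constructed in that shape and is not a real capture."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = r"""
2004-08-04 12:00 . 2004-08-04 12:00 159140 --sha-r c:\windows\system32\cveqhr.dll
S2 giokmoh;Security Image;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 3:00 PM 14336]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [11/1/2008 10:53 PM 16512]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
giokmoh
.
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\giokmoh]
"ServiceDll"="c:\windows\system32\cveqhr.dll"
"""

# "S2 name;display;image [date size]" service lines
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+?)(?:\s+\[[^\]]*\])?$")
# "created . modified size attrs path" lines; attrs look like "--sha-r" or "d-----w"
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\S+\s+([-a-z]{7})\s+(.+)$")
KEY_RE = re.compile(r"^\[.*\\services\\([^\]\\]+)\]$", re.IGNORECASE)
DLL_RE = re.compile(r'^"ServiceDll\s*"\s*=\s*"([^"]+)"', re.IGNORECASE)
NETSVCS_HDR = re.compile(r"\\Svchost\s*-\s*NetSvcs\s*$", re.IGNORECASE)
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)


@dataclass
class Service:
    name: str
    display: str
    image: str
    service_dll: Optional[str] = None
    reasons: List[str] = field(default_factory=list)  # filled in by triage()


def parse(log_text: str) -> Tuple[Dict[str, Service], Dict[str, str], List[str]]:
    """Collect services, file attributes by path, and the NetSvcs group members."""
    services: Dict[str, Service] = {}
    file_attrs: Dict[str, str] = {}
    netsvcs: List[str] = []
    current_key: Optional[str] = None
    in_netsvcs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if in_netsvcs:                        # names listed under the NetSvcs header
            if not line or line == ".":
                in_netsvcs = False
            else:
                netsvcs.append(line)
            continue
        if NETSVCS_HDR.search(line):
            in_netsvcs = True
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, display, image = m.groups()
            services[name.lower()] = Service(name, display, image.strip())
            continue
        m = FILE_RE.match(line)
        if m:
            file_attrs[m.group(2).strip().lower()] = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m:                                 # a [...\Services\<name>] block follows
            current_key = m.group(1).lower()
            continue
        m = DLL_RE.match(line)
        if m and current_key:                 # services without an R/S line get an empty image
            svc = services.setdefault(current_key, Service(current_key, "", ""))
            svc.service_dll = m.group(1).strip()
    return services, file_attrs, netsvcs


def triage(log_text: str) -> List[Service]:
    """Return svchost-hosted services with a strong indicator (hidden+system or
    TEMP-resident ServiceDll); NetSvcs membership is reported as context only."""
    services, file_attrs, netsvcs = parse(log_text)
    netsvcs_lower = {n.lower() for n in netsvcs}
    findings: List[Service] = []
    for key, svc in services.items():
        host = SVCHOST_RE.search(svc.image)
        if not host:
            continue                          # drivers / stand-alone EXEs: out of scope
        strong, weak = [], []
        if svc.service_dll:
            attrs = file_attrs.get(svc.service_dll.lower(), "")
            if "h" in attrs and "s" in attrs:
                strong.append("ServiceDll %s is hidden+system (%s)" % (svc.service_dll, attrs))
            if "\\temp\\" in svc.service_dll.lower():
                strong.append("ServiceDll is loaded from a TEMP directory")
        if key in netsvcs_lower:
            weak.append("member of the NetSvcs group (-k %s)" % host.group(1))
        if strong:
            svc.reasons = strong + weak
            findings.append(svc)
    return findings
```

Running `triage()` over a full log reports only the services worth a second look; legitimate svchost members without a flagged ServiceDll are left out.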
  7. 2009/05/16
    stained

    stained Inactive Thread Starter

    Joined:
    2009/05/03
    Messages:
    9
    Likes Received:
    0
Can't access any antivirus or anti-malware website... ergo, I can't access any of these. I tried accessing VirusTotal on another machine but either the site is down or the url is invalid... hmmm? ATF Cleaner I do have and use on a regular basis. Any alternative suggestions?

    I will however post the combofix log.

    The Log:

    ComboFix 09-05-15.06 - Administrator 05/16/2009 17:31.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1023.622 [GMT 3:00]
    Running from: c:\documents and settings\Administrator\Desktop\3453.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\cfscript.txt

    FILE ::
    c:\windows\system32\cveqhr.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\cveqhr.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_GIOKMOH
    -------\Service_giokmoh


    ((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
    .

    2009-05-16 13:14 . 2009-05-16 13:15 -------- d-----w C:\worksnow
    2009-05-15 18:58 . 2009-05-15 19:13 -------- d-----w C:\Games
    2009-05-12 17:15 . 2009-05-12 17:22 -------- d-----w C:\garf2
    2009-05-11 14:36 . 2009-05-11 14:36 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-05-11 14:36 . 2009-05-14 20:10 -------- d-----w c:\program files\SUPERAntiSpyware
    2009-05-11 14:36 . 2009-05-11 14:36 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2009-05-09 20:47 . 2009-05-09 20:47 -------- d-----w C:\Vlad
    2009-05-08 17:12 . 2009-05-09 20:47 -------- d-----w C:\Alexandra
    2009-05-05 20:00 . 2009-05-05 20:00 -------- d-----w c:\program files\Common Files\ABBYY
    2009-05-05 19:57 . 2009-05-05 20:05 -------- d-----w c:\program files\ABBYY FineReader 9.0
    2009-05-05 17:53 . 2009-05-09 14:27 -------- d-----w C:\garf
    2009-05-03 23:48 . 2009-05-03 23:50 -------- d-----w c:\documents and settings\Administrator\SmitfraudFix
    2009-05-03 23:41 . 2009-05-03 23:41 -------- d-----w C:\ClamWinPortable
    2009-05-03 18:22 . 2009-05-03 18:22 -------- d-----w c:\program files\AVG
    2009-05-03 17:16 . 2009-05-03 17:16 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-05-03 17:16 . 2009-04-06 12:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-05-03 17:16 . 2009-04-06 12:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-03 17:16 . 2009-05-03 17:16 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-05-03 17:16 . 2009-05-03 17:16 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-05-03 12:44 . 2003-09-15 22:19 10240 ----a-w c:\windows\system32\virport.dll
    2009-05-03 12:44 . 2009-05-03 12:44 -------- d-----w c:\program files\Virtual PDF Printer
    2009-04-25 12:12 . 2009-04-28 15:26 -------- d-----w C:\AAV8.5.287.1483
    2009-04-22 19:40 . 2009-05-15 17:15 -------- d-----w C:\Deya
    2009-04-19 15:34 . 1996-10-01 08:48 99888 ----a-w c:\windows\SAMBORA.SCR
    2009-04-19 15:34 . 1993-05-12 03:30 398416 ----a-w c:\windows\VBRUN300.DLL
    2009-04-18 13:45 . 2009-04-18 13:45 -------- d-----w c:\program files\justDo Software
    2009-04-18 13:45 . 2009-04-18 13:45 -------- d-----w c:\program files\Common Files\justDo

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-11 14:36 . 2008-03-30 15:30 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-05-03 19:36 . 2009-02-03 17:04 -------- d-----w c:\program files\vgif
    2009-05-03 00:52 . 2008-03-30 17:11 -------- d-----w c:\program files\Progz Without Install
    2009-04-26 11:05 . 2008-03-30 16:39 -------- d--h--w c:\program files\InstallShield Installation Information
    2009-04-02 17:40 . 2009-04-02 17:40 -------- d-----w c:\program files\Mixed In Key
    2009-03-17 19:33 . 2008-04-28 11:56 141199 ----a-w c:\windows\hpoins14.dat
    2008-07-04 10:23 . 2008-07-04 10:21 32 --sha-w c:\windows\system32\drivers\fidbox.dat
    2008-07-04 10:23 . 2008-07-04 10:21 114720 --sha-w c:\windows\system32\drivers\fidbox2.dat
    .

    ------- Sigcheck -------

    [-] 2006-01-26 20:14 359040 27A5959C94EE173A063CA06BD14F021A c:\windows\system32\drivers\tcpip.sys

    [-] 2006-01-25 15:24 2321152 F2E56B0097FC24C1E892D819C67F6A0E c:\windows\system32\ntoskrnl.exe

    [-] 2006-02-07 21:06 1172992 47976471B190898D95130737E3FBBE27 c:\windows\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware "= "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-28 1830128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
    "snpstd "= "c:\windows\vsnpstd.exe" [2005-10-11 339968]
    "Virtual PDF Printer "= "c:\program files\Virtual PDF Printer\VirtualPDFPrinter.exe" [2003-09-29 688128]
    "Malwarebytes' Anti-Malware "= "c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-05-24 282624]
    "NvMediaCenter "= "NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-06-01 86016]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nlsf "= "move" [X]
    "tscuninstall "= "c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
    "RunNarrator "= "Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel "= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack "= 1 (0x1)
    "NoSMMyDocs "= 1 (0x1)
    "NoSMConfigurePrograms "= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoInternetIcon "= 1 (0x1)
    "NoResolveTrack "= 1 (0x1)
    "NoSMMyDocs "= 1 (0x1)
    "NoSMConfigurePrograms "= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost "= "SKULL.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 09:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Alcmtr "=ALCMTR.EXE
    "NeroFilterCheck "=c:\windows\system32\NeroCheck.exe
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" -atboottime
    "HP Software Update "=c:\program files\HP\HP Software Update\HPWuSchd2.exe
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_05\bin\jusched.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "= "0x00000000 "
    "UpdatesDisableNotify "= "0x00000000 "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe "=
    "d:\\Programs\\BitLord\\BitLord.exe "=
    "c:\\Program Files\\mIRC\\mirc.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "d:\\DC\\DCPlusPlus.exe "=
    "c:\\Documents and Settings\\Administrator\\Desktop\\Total Commander.exe "=
    "c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe "=
    "c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.323\\English\\setup.exe "=
    "c:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 2009\\avp.exe "=
    "c:\\Program Files\\SUPERAntiSpyware\\RUNSAS.EXE "=
    "c:\\Program Files\\eMule\\emule.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP "= 3389:TCP:@xpsp2res.dll,-22009
    "6392:TCP "= 6392:TCP:yfgeac

    R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [3/30/2008 7:59 PM 61184]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
    R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [12/6/2007 9:03 PM 660768]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/3/2009 8:16 PM 179856]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [7/23/2008 3:02 AM 31104]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/3/2009 8:16 PM 15504]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [11/1/2008 10:53 PM 16512]
    S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmumdm.sys [4/1/2008 7:27 PM 88960]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mchInjDrv

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-15 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 15:53]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    IE: Save Flash with Flash Catcher - c:\program files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
    IE: {{90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - res://c:\program files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
    TCP: {BD3367CC-EF77-4368-BE28-60D8F3A12104} = 213.154.124.1 193.231.252.1
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-16 17:37
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet005\Services\mchInjDrv]
    "ImagePath "= "\??\c:\windows\TEMP\mc21.tmp "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(820)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\klogon.dll

    - - - - - - - > 'explorer.exe'(4128)
    c:\windows\system32\msi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\rundll32.exe
    c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\program files\Spyware Doctor\sdhelp.exe
    c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    .
    **************************************************************************
    .
    Completion time: 2009-05-16 17:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-16 14:39
    ComboFix2.txt 2009-05-16 13:28

    Pre-Run: 3,347,042,304 bytes free
    Post-Run: 3,403,317,248 bytes free

    Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
    201

    Plus I installed the Java update.
    My CPU can access antivirus sites now, so I think I can post the next logs as well.


    The three files you asked to be analysed by VirusTotal are clean.



    The Kaspersky scan and the last ComboFix run to go.
     
    Last edited: 2009/05/16
  8. 2009/05/16
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Good deal
     
  9. 2009/05/16
    stained

    stained Inactive Thread Starter

    Joined:
    2009/05/03
    Messages:
    9
    Likes Received:
    0
    It's still going to take a while for the following two logs to be created (awfully big HD). Until then, could you tell me what my problem was (until now)?

    [I did a little research on a virus combofix killed for me (on kaspersky's virus database), seems I had that infamous autorun.inf virus. But I wasn't aware it could do such things to my PC. Could this have been my only problem?]

    Note:

     
  10. 2009/05/16
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
Well, autorun was there, yes, but you ran scans before running the tools I suggested, so I can't tell what all was actually involved.

And sometimes it is hard to pin down the exact name of what it was.
    The different antivirus vendors give infections different names.

Also, if you had your machine up to date with all the Microsoft security updates, the patch would have been installed. (Autoruns)


    Take your time and post the logs when you can.
     
  11. 2009/05/16
    stained

    stained Inactive Thread Starter

    Joined:
    2009/05/03
    Messages:
    9
    Likes Received:
    0
    Double post. Sorry... weird connection.
     
    Last edited: 2009/05/16
  12. 2009/05/16
    stained

    stained Inactive Thread Starter

    Joined:
    2009/05/03
    Messages:
    9
    Likes Received:
    0
    So...

    KOS Log:

    Scan statistics
    Files scanned 160936
    Threat name 1
    Infected objects 1
    Suspicious objects 0
    Duration of the scan 01:43:58

    File name Threat name Threats count

    C:\Qoobox\Quarantine\C\WINDOWS\system32\_cveqhr_.dll.zip Infected: Net-Worm.Win32.Kido.ih 1

    The selected area was scanned.


    Combofix log:

    ComboFix 09-05-15.08 - Administrator 05/16/2009 20:32.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1023.684 [GMT 3:00]
    Running from: c:\documents and settings\Administrator\Desktop\3453.exe
    .

    ((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
    .

    2009-05-16 16:37 . 2009-05-16 16:37 -------- d-----w c:\windows\LastGood
    2009-05-16 14:43 . 2009-05-16 14:42 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-05-16 13:14 . 2009-05-16 13:15 -------- d-----w C:\worksnow
    2009-05-15 18:58 . 2009-05-15 19:13 -------- d-----w C:\Games
    2009-05-12 17:15 . 2009-05-12 17:22 -------- d-----w C:\garf2
    2009-05-11 14:36 . 2009-05-11 14:36 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-05-11 14:36 . 2009-05-16 16:50 -------- d-----w c:\program files\SUPERAntiSpyware
    2009-05-11 14:36 . 2009-05-11 14:36 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2009-05-09 20:47 . 2009-05-09 20:47 -------- d-----w C:\Vlad
    2009-05-08 17:12 . 2009-05-16 16:03 -------- d-----w C:\Alexandra
    2009-05-05 20:00 . 2009-05-05 20:00 -------- d-----w c:\program files\Common Files\ABBYY
    2009-05-05 19:57 . 2009-05-05 20:05 -------- d-----w c:\program files\ABBYY FineReader 9.0
    2009-05-05 17:53 . 2009-05-09 14:27 -------- d-----w C:\garf
    2009-05-03 23:48 . 2009-05-03 23:50 -------- d-----w c:\documents and settings\Administrator\SmitfraudFix
    2009-05-03 23:41 . 2009-05-03 23:41 -------- d-----w C:\ClamWinPortable
    2009-05-03 18:22 . 2009-05-03 18:22 -------- d-----w c:\program files\AVG
    2009-05-03 17:16 . 2009-05-03 17:16 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-05-03 17:16 . 2009-04-06 12:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-05-03 17:16 . 2009-04-06 12:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-03 17:16 . 2009-05-03 17:16 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-05-03 17:16 . 2009-05-03 17:16 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-05-03 12:44 . 2003-09-15 22:19 10240 ----a-w c:\windows\system32\virport.dll
    2009-05-03 12:44 . 2009-05-03 12:44 -------- d-----w c:\program files\Virtual PDF Printer
    2009-04-25 12:12 . 2009-04-28 15:26 -------- d-----w C:\AAV8.5.287.1483
    2009-04-22 19:40 . 2009-05-15 17:15 -------- d-----w C:\Deya
    2009-04-19 15:34 . 1996-10-01 08:48 99888 ----a-w c:\windows\SAMBORA.SCR
    2009-04-19 15:34 . 1993-05-12 03:30 398416 ----a-w c:\windows\VBRUN300.DLL
    2009-04-18 13:45 . 2009-04-18 13:45 -------- d-----w c:\program files\justDo Software
    2009-04-18 13:45 . 2009-04-18 13:45 -------- d-----w c:\program files\Common Files\justDo

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-16 16:49 . 2008-03-30 15:32 -------- d-----w c:\program files\Spyware Doctor
    2009-05-16 14:59 . 2008-03-30 15:22 -------- d-----w c:\program files\Kaspersky Lab
    2009-05-16 14:42 . 2008-04-27 19:03 -------- d-----w c:\program files\Java
    2009-05-11 14:36 . 2008-03-30 15:30 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-05-03 19:36 . 2009-02-03 17:04 -------- d-----w c:\program files\vgif
    2009-05-03 00:52 . 2008-03-30 17:11 -------- d-----w c:\program files\Progz Without Install
    2009-04-26 11:05 . 2008-03-30 16:39 -------- d--h--w c:\program files\InstallShield Installation Information
    2009-04-02 17:40 . 2009-04-02 17:40 -------- d-----w c:\program files\Mixed In Key
    2009-03-17 19:33 . 2008-04-28 11:56 141199 ----a-w c:\windows\hpoins14.dat
    2008-07-04 10:23 . 2008-07-04 10:21 32 --sha-w c:\windows\system32\drivers\fidbox.dat
    2008-07-04 10:23 . 2008-07-04 10:21 114720 --sha-w c:\windows\system32\drivers\fidbox2.dat
    .

    ------- Sigcheck -------

    [-] 2006-01-26 20:14 359040 27A5959C94EE173A063CA06BD14F021A c:\windows\system32\drivers\tcpip.sys

    [-] 2006-01-25 15:24 2321152 F2E56B0097FC24C1E892D819C67F6A0E c:\windows\system32\ntoskrnl.exe

    [-] 2006-02-07 21:06 1172992 47976471B190898D95130737E3FBBE27 c:\windows\explorer.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-05-16_13.25.43 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-05-16 15:02 . 2009-05-16 15:02 16384 c:\windows\temp\Perflib_Perfdata_748.dat
    + 2008-10-16 11:09 . 2008-10-16 11:09 43544 c:\windows\system32\wups2.dll
    + 2008-03-30 15:40 . 2008-10-16 11:09 51224 c:\windows\system32\wuauclt.exe
    + 2009-05-16 16:37 . 2008-10-16 11:08 34328 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
    + 2008-03-30 15:40 . 2008-10-16 11:09 51224 c:\windows\system32\dllcache\wuauclt.exe
    + 2004-08-04 12:00 . 2008-10-16 11:09 92696 c:\windows\system32\dllcache\cdm.dll
    + 2004-08-04 12:00 . 2008-10-16 11:09 92696 c:\windows\system32\cdm.dll
    + 2009-05-16 16:37 . 2004-08-04 12:00 36864 c:\windows\LastGood\system32\wups.dll
    + 2009-05-16 16:37 . 2004-08-04 12:00 66560 c:\windows\LastGood\system32\cdm.dll
    + 2008-03-30 15:40 . 2008-10-16 11:13 202776 c:\windows\system32\wuweb.dll
    + 2008-03-30 15:40 . 2008-10-16 11:12 323608 c:\windows\system32\wucltui.dll
    + 2008-03-30 15:40 . 2008-10-16 11:12 561688 c:\windows\system32\wuapi.dll
    + 2008-04-27 19:04 . 2009-05-16 14:42 148888 c:\windows\system32\javaws.exe
    + 2008-04-27 19:04 . 2009-05-16 14:42 144792 c:\windows\system32\javaw.exe
    + 2008-04-27 19:04 . 2009-05-16 14:42 144792 c:\windows\system32\java.exe
    + 2008-03-30 15:40 . 2008-10-16 11:13 202776 c:\windows\system32\dllcache\wuweb.dll
    + 2008-03-30 15:40 . 2008-10-16 11:12 323608 c:\windows\system32\dllcache\wucltui.dll
    + 2008-03-30 15:40 . 2008-10-16 11:12 561688 c:\windows\system32\dllcache\wuapi.dll
    + 2009-05-16 16:37 . 2004-08-04 12:00 120320 c:\windows\LastGood\system32\wuweb.dll
    + 2009-05-16 16:37 . 2004-08-04 12:00 112640 c:\windows\LastGood\system32\wucltui.dll
    + 2009-05-16 16:37 . 2004-08-04 12:00 111104 c:\windows\LastGood\system32\wuauclt.exe
    + 2009-05-16 16:37 . 2004-08-04 12:00 430592 c:\windows\LastGood\system32\wuapi.dll
    + 2008-03-30 15:40 . 2008-10-16 11:13 1809944 c:\windows\system32\wuaueng.dll
    + 2008-03-30 15:40 . 2008-10-16 11:13 1809944 c:\windows\system32\dllcache\wuaueng.dll
    + 2009-05-16 16:37 . 2004-08-04 12:00 1134592 c:\windows\LastGood\system32\wuaueng.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
    "snpstd "= "c:\windows\vsnpstd.exe" [2005-10-11 339968]
    "Virtual PDF Printer "= "c:\program files\Virtual PDF Printer\VirtualPDFPrinter.exe" [2003-09-29 688128]
    "NvMediaCenter "= "NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-06-01 86016]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nlsf "= "move" [X]
    "tscuninstall "= "c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
    "RunNarrator "= "Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel "= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack "= 1 (0x1)
    "NoSMMyDocs "= 1 (0x1)
    "NoSMConfigurePrograms "= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoInternetIcon "= 1 (0x1)
    "NoResolveTrack "= 1 (0x1)
    "NoSMMyDocs "= 1 (0x1)
    "NoSMConfigurePrograms "= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost "= "SKULL.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 09:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SUPERAntiSpyware "=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Alcmtr "=ALCMTR.EXE
    "NeroFilterCheck "=c:\windows\system32\NeroCheck.exe
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" -atboottime
    "HP Software Update "=c:\program files\HP\HP Software Update\HPWuSchd2.exe
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe "
    "Virtual PDF Printer "=c:\program files\Virtual PDF Printer\VirtualPDFPrinter.exe
    "Malwarebytes' Anti-Malware "= "c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "= "0x00000000 "
    "UpdatesDisableNotify "= "0x00000000 "

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe "=
    "d:\\Programs\\BitLord\\BitLord.exe "=
    "c:\\Program Files\\mIRC\\mirc.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "d:\\DC\\DCPlusPlus.exe "=
    "c:\\Documents and Settings\\Administrator\\Desktop\\Total Commander.exe "=
    "c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe "=
    "c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.323\\English\\setup.exe "=
    "c:\\Program Files\\SUPERAntiSpyware\\RUNSAS.EXE "=
    "c:\\Program Files\\eMule\\emule.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:@xpsp2res.dll,-22009
    "6392:TCP "= 6392:TCP:yfgeac

    R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [3/30/2008 7:59 PM 61184]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
    R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [12/6/2007 9:03 PM 660768]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [7/23/2008 3:02 AM 31104]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/3/2009 8:16 PM 15504]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/3/2009 8:16 PM 179856]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [11/1/2008 10:53 PM 16512]
    S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmumdm.sys [4/1/2008 7:27 PM 88960]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mchInjDrv

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-15 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 15:53]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    IE: Save Flash with Flash Catcher - c:\program files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
    IE: {{90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - res://c:\program files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
    TCP: {BD3367CC-EF77-4368-BE28-60D8F3A12104} = 213.154.124.1 193.231.252.1
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-16 20:33
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet005\Services\mchInjDrv]
    "ImagePath "= "\??\c:\windows\TEMP\mc2B.tmp "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(816)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'explorer.exe'(12648)
    c:\windows\system32\msi.dll
    .
    Completion time: 2009-05-16 20:35
    ComboFix-quarantined-files.txt 2009-05-16 17:35
    ComboFix2.txt 2009-05-16 14:40
    ComboFix3.txt 2009-05-16 13:28

    Pre-Run: 3,382,091,776 bytes free
    Post-Run: 3,448,344,576 bytes free

    Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
    208


    After having given your sentence on the above logs, could you help me by answering a question? (If you have the time, of course)

    Here goes:

    I seem to have gotten this autorun virus from a portable USB memory stick. Would it be safe to re-insert this stick and run some scans on it (with the autorun feature disabled, of course), or to just simply format it?
     
  13. 2009/05/16
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    First:
    Don't worry over what Kaspersky found; we can take care of that in the final cleanup.
    Yes.
    It's called a flash drive infection. Also, if someone else used their flash/usb drive on your machine they should use this as well.


    Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.

    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.

    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Your desktop will vanish for a while, and then reappear. This is normal.
    • Wait until it has finished scanning and then exit the program. If you use more than 1 flash drive, run the tool with each plugged in.
    • Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.



    NEXT**
    I'd like to see a HJT log.

    Download Trend Micro HijackThis™ and save to desktop.
    It is important that you uninstall any previous versions by using Add/Remove programs in your control panel before installing a newer version.
    Doubleclick the HJTInstall.exe to start it.
    By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.


    Accept the license agreement by clicking the "I Accept" button.
    Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    Click "Save log" to save the log file and then the log will open in Notepad.
    Click on Edit -> Select All, then click on Edit -> Copy to copy the entire contents of the log.


    How's your computer now?
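    Juliet's answer above covers re-inserting the stick with autorun disabled and the protective autorun.inf folder that Flash_Disinfector leaves behind. As an added example (not from this thread, and not Flash_Disinfector's own code), the Python script below inspects a drive root read-only: it reports whether autorun.inf is the protective folder, absent, or a file, and lists the directives in a file that would launch a program when the drive is opened. The sample layouts it builds are constructed, and the payload path in them is a placeholder.

```python
"""Inspect a removable drive's root for autorun.inf without running anything on it.

Added example for this thread (not a tool from the thread or from Flash_Disinfector).
It checks the two things the thread discusses: whether the root holds the protective
autorun.inf *folder* that Flash_Disinfector creates (a folder with that name stops a
worm from dropping an autorun.inf *file*), and, if a file is present instead, which
directives in it would launch a program when Windows (XP, autorun enabled) opens the
drive. Nothing is executed; the file is only read.
"""
import os
import tempfile

# autorun.inf keys that launch their target: 'open' and 'shellexecute' run on insert
# or double-click, and 'shell\<verb>\command' binds an Explorer context-menu verb to
# a program (worms commonly bind the default 'open' verb this way).
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lower-cased.

    Worm-written files often contain junk lines, odd casing and duplicate keys, so a
    tolerant line-by-line parser is used rather than a strict INI parser.
    """
    entries = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip()))
    return entries


def risky_directives(entries):
    """Return the directives that would run code when the drive is inserted or opened.

    A legitimate installer CD with 'open=setup.exe' is flagged too: the verdict is
    'this would launch a program', not 'this is malware'.
    """
    hits = []
    for key, value in entries:
        binds_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or binds_verb:
            hits.append((key, value))
    return hits


def inspect_root(root):
    """Classify a drive root.

    Returns (status, risky) where status is 'protected-folder' (Flash_Disinfector-style
    placeholder), 'absent', 'clean-file' or 'suspicious-file'.
    """
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "protected-folder", []
    if not os.path.isfile(path):
        return "absent", []
    # latin-1 with replacement: worm files frequently carry binary filler bytes.
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    risky = risky_directives(entries)
    return ("suspicious-file" if risky else "clean-file"), risky


# Constructed demo layouts standing in for a USB stick's root. The payload path is a
# placeholder, not a real sample.
WORM_STYLE_INF = """[AutoRun]
; junk and decoy lines modelled on worm-written files
icon=%systemroot%\\system32\\shell32.dll,4
action=Open folder to view files
shellexecute=rundll32.exe .\\RECYCLER\\S-1-5-21-0\\PLACEHOLDER_PAYLOAD.dll,Start
shell\\open\\command=rundll32.exe .\\RECYCLER\\S-1-5-21-0\\PLACEHOLDER_PAYLOAD.dll,Start
"""
BENIGN_INF = "[autorun]\nlabel=Photos 2009\nicon=album.ico\n"


def make_demo_root(kind):
    """Create a temporary directory laid out like a stick of the given kind."""
    root = tempfile.mkdtemp(prefix="stick_")
    target = os.path.join(root, "autorun.inf")
    if kind == "protected":
        os.mkdir(target)
    elif kind == "worm":
        with open(target, "w", encoding="latin-1") as fh:
            fh.write(WORM_STYLE_INF)
    elif kind == "benign":
        with open(target, "w", encoding="latin-1") as fh:
            fh.write(BENIGN_INF)
    return root  # kind == "empty": nothing written


if __name__ == "__main__":
    for kind in ("protected", "empty", "benign", "worm"):
        status, risky = inspect_root(make_demo_root(kind))
        print(f"{kind:10s} -> {status}")
        for key, value in risky:
            print(f"             {key} = {value}")
```

    Point `inspect_root` at the mount point of a real stick (for example `E:\` on Windows) to get the same verdict for it; the script never opens anything but the text file.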
     
  14. 2009/05/16
    stained

    stained Inactive Thread Starter

    Joined:
    2009/05/03
    Messages:
    9
    Likes Received:
    0
    HJT Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:49:48, on 5/16/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\vsnpstd.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Opera\Opera.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    D:\Programs\BitLord\BitLord.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SnapFlash Class - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\justDo\Jd2002.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe "
    O4 - HKLM\..\Run: [Virtual PDF Printer] C:\Program Files\Virtual PDF Printer\VirtualPDFPrinter.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\justDo\IECatcher.DLL
    O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\justDo\IECatcher.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BD3367CC-EF77-4368-BE28-60D8F3A12104}: NameServer = 213.154.124.1 193.231.252.1
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~2\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~2\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~2\kloehk.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ABBYY FineReader 9.0 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
    O23 - Service: avp - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: WinFast(R) Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Virtual PDF Printer (Service1) - Unknown owner - C:\Program Files\Virtual PDF Printer\VirtualPrinting.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    --
    End of file - 8497 bytes


    My computer is okay now, thanks! It does hate KAV every now and then, but that's natural... how does the log look?
     
  15. 2009/05/17
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Good deal, and your log is fine.


    Spyware Doctor's OnGuard protective functionality may interfere with certain HijackThis fixes we need to make. Please follow these instructions to disable it:

    To deactivate Spyware Doctor's OnGuard Tools
    1. From within Spyware Doctor, click the "OnGuard" button on the left side.
    2. Uncheck "Activate OnGuard".
    You can reenable it once your system is clean.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    RegQuery by Noviciate <--delete
    RegQuery txt <--delete
    C:\Program Files\PartyGaming\PartyPoker <--delete this folder
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    A reboot is required.




    Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.

    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.
    Example below







    That's it, you're good to go now....good job!


    Please take the time to read over a few of my preventive tips.


    Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
    *NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    # http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


    Read this article 'Safe Computing Practices'.
    So how did I get infected in the first place.

    Secure My Computer: A Layered Approach

    Strong passwords: How to create and use them

    Free Antivirus-AntiSpyware-Firewall Software
    Slow Computer May Not Be Malware Related, Help! My computer is slow!
    http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html


    PC Safety and Security--What Do I Need?
    http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
    This site offers people who have been (or are) victims of malware the opportunity to document their story.

    Extra note:
    Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
     
  16. 2009/05/17
    stained

    stained Inactive Thread Starter

    Joined:
    2009/05/03
    Messages:
    9
    Likes Received:
    0
    Acknowledged, Juliet. Once I get home I'll do what you've recommended. I will also re-edit this post.
     
  17. 2009/05/17
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    That'll work!
     
  18. 2009/05/26
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Glad we could help. :)

    Since this issue appears resolved ... this Topic is closed.
     