
Solved same problem, please help [winupdate.exe]

Discussion in 'Malware and Virus Removal Archive' started by clarabelle, 2008/02/17.

  1. 2008/02/17
    clarabelle

    clarabelle Inactive Thread Starter

    Joined:
    2008/02/17
    Messages:
    24
    Likes Received:
    0
    [Resolved] same problem, please help [winupdate.exe]

    Hello there. I found this post while I was searching to fix my problem, which is similar.
    I get the same notification when I start up my laptop about the EAccessViolation and so on; then it says something about winupdate.exe, that it's not a Win32 application. When I shut down, I always have the Java EE 5 SDK application saying that it could not shut down, so I always have to choose the End Now button.
    I did the scan with the HijackThis software and here is my log. Please help!!!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:42:16, on 17/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\system32\svcd\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    D:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Binn\sqlservr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Synaptics\SynTP\Toshiba.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\MICROSOFT SQL SERVER\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Java\jdk1.5.0_14\bin\javaw.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Clarabelle\My Documents\My Progs\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
    O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Policies\Explorer\Run: [{C091719B-0724-1033-0508-06040706002c}] "C:\Program Files\Common Files\{C091719B-0724-1033-0508-06040706002c}\Update.exe" te-110-12-0000081
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Startup: SDK Tray Menu.lnk = ?
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\MICROSOFT SQL SERVER\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://clarabele2006.spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Security Service (EQIB) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - D:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

    --
    End of file - 10258 bytes
     
  2. 2008/02/17
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi clarabelle

    Please do the following.

    Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

    First step:
    • Right-click the Spybot icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
    • If you have version 1.4, click on Exit Spybot S&D Resident
    Second step, for either version:
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go to the bottom of the vertical panel on the left, click Tools
    • Then, also in the left panel, click Resident (it shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.
    Don't forget to re-enable it when your computer is clean.


    Download ComboFix from Here to your Desktop.
    It's best to disable real-time protection applications, as they sometimes interfere with the tool. Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double-click combofix.exe and follow the prompts.
    • Vista users: right-click ComboFix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Please post the Combofix log.

    Thanks
    Geri
     


  4. 2008/02/18
    clarabelle

    clarabelle Inactive Thread Starter

    Joined:
    2008/02/17
    Messages:
    24
    Likes Received:
    0
    ComboFix and HijackThis logs

    Thank you so much for giving a hand :)
    OK, I did all that (however, I did the ComboFix thing twice, because the first time I had a message saying "Toshiba Power Saver had a problem and needs to shut down", so just in case I did the checking from the top).
    So, ComboFix log:
    ComboFix 08-02-18.1 - Clarabelle 2008-02-18 8:08:42.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1253.1.1033.18.493 [GMT 2:00]
    Running from: C:\Documents and Settings\Clarabelle\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
    .

    2008-02-17 21:28 . 2008-02-17 21:28 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
    2008-02-17 21:23 . 2008-02-17 21:31 <DIR> d-------- C:\Program Files\AutoCAD 2007
    2008-02-16 18:15 . 2008-02-16 18:15 34,816 --ahs---- C:\WINDOWS\Thumbs.db
    2008-02-16 18:15 . 2008-02-16 18:15 6,144 --ahs---- C:\WINDOWS\system32\Thumbs.db
    2008-02-14 07:37 . 2008-02-14 23:02 <DIR> d-------- C:\Documents and Settings\Clarabelle\Application Data\Winamp
    2008-02-14 03:02 . 2008-02-14 03:06 1,374 --a------ C:\WINDOWS\imsins.BAK
    2008-02-06 23:38 . 2008-02-06 23:38 <DIR> d-------- C:\WINDOWS\system32\svcd
    2008-02-06 23:38 . 2008-02-06 23:38 87,552 --a------ C:\WINDOWS\system32\TmpX.exe
    2008-02-06 23:38 . 2008-02-06 23:38 34,816 --a------ C:\info.exe
    2008-02-06 23:38 . 2008-02-18 07:41 114 --a------ C:\WINDOWS\system32\url3
    2008-02-06 23:38 . 2008-02-18 07:41 102 --a------ C:\WINDOWS\system32\url2
    2008-02-06 23:38 . 2008-02-18 07:41 102 --a------ C:\WINDOWS\system32\url1
    2008-02-06 23:38 . 2008-02-18 07:41 8 --a------ C:\WINDOWS\system32\CID
    2008-02-06 23:38 . 2008-02-06 23:38 4 --a------ C:\WINDOWS\system32\SvcNm
    2008-02-03 23:17 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-02-03 14:39 . 2008-02-03 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-02 21:01 . 2008-02-02 21:01 0 --a------ C:\WINDOWS\mngui.INI
    2008-02-02 20:38 . 2008-02-02 20:38 <DIR> d-------- C:\Documents and Settings\Clarabelle\workspace
    2008-02-02 20:36 . 2008-02-02 20:36 <DIR> d-------- C:\Program Files\Intalio
    2008-02-02 20:31 . 2008-02-02 20:34 23,071 --a------ C:\WINDOWS\system32\productregistry
    2008-02-02 20:28 . 2008-02-02 20:29 <DIR> d-------- C:\Program Files\NetBeans 6.0
    2008-02-02 20:19 . 2008-02-02 20:29 <DIR> d-------- C:\Documents and Settings\Clarabelle\.nbi
    2008-02-02 19:34 . 2008-02-02 19:34 <DIR> d-------- C:\Sun
    2008-01-30 16:21 . 2008-01-30 16:34 <DIR> d-------- C:\Program Files\AutoCAD Architecture 2008
    2008-01-25 18:18 . 2008-01-25 18:18 <DIR> d-------- C:\Documents and Settings\Clarabelle\Application Data\Leadertech
    2008-01-25 18:17 . 2008-02-14 07:41 <DIR> d-------- C:\Program Files\CCleaner
    2008-01-25 15:42 . 2007-02-08 12:56 90,800 -ra------ C:\WINDOWS\system32\drivers\sea1unic.sys
    2008-01-25 15:42 . 2007-02-08 12:56 88,624 -ra------ C:\WINDOWS\system32\drivers\sea1mgmt.sys
    2008-01-25 15:42 . 2007-02-08 12:56 18,704 -ra------ C:\WINDOWS\system32\drivers\sea1nd5.sys
    2008-01-25 15:42 . 2007-02-08 12:55 4,128 -ra------ C:\WINDOWS\system32\drivers\sea1cr.sys
    2008-01-25 15:41 . 2008-01-25 15:42 <DIR> d-------- C:\Documents and Settings\Clarabelle\Application Data\Teleca
    2008-01-25 15:41 . 2007-02-08 12:55 97,088 -ra------ C:\WINDOWS\system32\drivers\sea1mdm.sys
    2008-01-25 15:41 . 2007-02-08 12:56 86,432 -ra------ C:\WINDOWS\system32\drivers\sea1obex.sys
    2008-01-25 15:41 . 2007-02-08 12:55 61,536 -ra------ C:\WINDOWS\system32\drivers\sea1bus.sys
    2008-01-25 15:41 . 2007-02-08 12:55 9,360 -ra------ C:\WINDOWS\system32\drivers\sea1mdfl.sys
    2008-01-25 15:41 . 2007-02-08 12:55 6,240 -ra------ C:\WINDOWS\system32\drivers\sea1cmnt.sys
    2008-01-25 15:41 . 2007-02-08 12:55 6,240 -ra------ C:\WINDOWS\system32\drivers\sea1cm.sys
    2008-01-25 15:41 . 2007-02-08 12:56 5,872 -ra------ C:\WINDOWS\system32\drivers\sea1whnt.sys
    2008-01-25 15:41 . 2007-02-08 12:56 5,872 -ra------ C:\WINDOWS\system32\drivers\sea1wh.sys
    2008-01-25 15:40 . 2008-01-25 15:40 <DIR> d-------- C:\Program Files\Disc2Phone
    2008-01-25 15:37 . 2008-01-25 15:37 <DIR> d-------- C:\Documents and Settings\Clarabelle\Application Data\Sony Ericsson
    2008-01-25 15:32 . 2008-01-25 15:32 <DIR> d-------- C:\Program Files\Common Files\Sony Ericsson Shared
    2008-01-25 15:32 . 2008-01-25 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
    2008-01-25 15:31 . 2008-01-25 15:31 <DIR> d-------- C:\Program Files\Sony Ericsson
    2008-01-25 15:31 . 2008-01-25 15:32 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
    2008-01-25 15:31 . 2008-01-25 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
    2008-01-22 01:37 . 2004-11-10 11:10 778,240 --a------ C:\WINDOWS\system32\hasp_com_windows.dll
    2008-01-22 01:36 . 2004-11-10 11:10 27,728 --a------ C:\WINDOWS\system32\hasp_com_windows.tlb
    2008-01-22 01:08 . 2000-03-28 10:18 1,822,720 --a------ C:\WINDOWS\system32\ODX.dll
    2008-01-22 01:08 . 2000-08-04 15:24 397,312 --a------ C:\WINDOWS\system32\avImageX.dll
    2008-01-22 01:08 . 2004-04-15 16:57 126,976 --a------ C:\WINDOWS\system32\avaxgrph.dll
    2008-01-22 00:56 . 2008-01-22 00:56 <DIR> d-------- C:\Program Files\Common Files\gvjava
    2008-01-22 00:56 . 2008-01-22 00:56 <DIR> d-------- C:\Program Files\Common Files\Data Dynamics
    2008-01-22 00:48 . 2008-02-03 14:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-22 00:03 . 2008-01-22 00:03 0 --a------ C:\WINDOWS\system32\VDM1DD.tmp
    2008-01-22 00:03 . 2008-01-22 00:03 0 --a------ C:\WINDOWS\system32\VDM1DC.tmp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-18 05:38 --------- d-----w C:\Documents and Settings\Clarabelle\Application Data\uTorrent
    2008-02-17 19:28 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
    2008-02-17 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
    2008-02-17 09:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-02-17 09:08 --------- d-----w C:\Program Files\WinPolis
    2008-02-17 09:08 --------- d-----w C:\Program Files\LimeWire
    2008-02-14 05:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\scar5
    2008-02-14 05:38 --------- d-----w C:\Program Files\Winamp
    2008-02-12 16:11 --------- d-----w C:\Program Files\uTorrent
    2008-02-06 21:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-03 21:17 --------- d-----w C:\Program Files\Java
    2008-02-03 12:42 --------- d-----w C:\Program Files\Lavasoft
    2008-02-03 12:41 --------- d-----w C:\Documents and Settings\Clarabelle\Application Data\Lavasoft
    2008-01-21 23:44 --------- d-----w C:\Program Files\Common Files\CivilTech
    2008-01-06 11:38 --------- d-----w C:\Program Files\Common Files\business objects
    2007-12-22 11:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
    2007-12-22 11:49 --------- d-----w C:\Program Files\Azureus
    2007-12-22 11:45 --------- d-----w C:\Documents and Settings\Clarabelle\Application Data\Azureus
    2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
    2007-12-14 09:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-12-07 00:44 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
    2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
    2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
    2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
    1996-03-21 17:03 13,568 -c--a-w C:\WINDOWS\Fonts\GR FONTS\GREEK1\TTFONTS.100\PATTFFON\SETUP.EXE
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 01:32 761945]
    "RTHDCPL"="RTHDCPL.EXE" [2005-12-10 00:49 15691264 C:\WINDOWS\RTHDCPL.exe]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 15:29 88203 C:\WINDOWS\agrsmmsg.exe]
    "TPSMain"="TPSMain.exe" [2005-08-03 16:26 266240 C:\WINDOWS\system32\TPSMain.exe]
    "TFncKy"="TFncKy.exe" []
    "TDispVol"="TDispVol.exe" [2005-03-11 17:03 73728 C:\WINDOWS\system32\TDispVol.exe]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 13:37 667718]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 12:41 602182]
    "NDSTray.exe"="NDSTray.exe" []
    "PD0630 STISvc"="P0630Pin.dll" [2005-06-05 19:01 36864 C:\WINDOWS\system32\P0630Pin.dll]
    "WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 07:35 20480]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224]
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-01-26 13:36 495616]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]

    C:\Documents and Settings\Clarabelle\Start Menu\Programs\Startup\
    SDK Tray Menu.lnk - C:\Program Files\Java\jdk1.5.0_14\bin\javaw.exe [2008-02-02 20:23:00 53346]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 04:43:54 11000]
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-06-26 21:53:31 155648]
    Service Manager.lnk - C:\Program Files\MICROSOFT SQL SERVER\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
    "{C091719B-0724-1033-0508-06040706002c}"="C:\Program Files\Common Files\{C091719B-0724-1033-0508-06040706002c}\Update.exe" te-110-12-0000081

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
    backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Clarabelle^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=C:\Documents and Settings\Clarabelle\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    --a------ 2005-08-12 16:43 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    --a------ 2006-11-16 19:04 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CONNECTScheduler]
    C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    --a------ 2006-11-12 12:48 157592 C:\Program Files\DAEMON Tools\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
    --a------ 2006-10-11 11:45 75304 C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    --a------ 2006-09-28 12:16 185896 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]
    C:\Program Files\Macrogaming\SweetIM\SweetIM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows]
    c:\\windows_e51.exe

    R2 EQIB;Security Service;C:\WINDOWS\system32\svcd\svchost.exe [2008-02-06 23:38]
    R2 MSSQL$CTSQL;MSSQL$CTSQL;C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Binn\sqlservr.exe [2002-12-17 17:26]
    R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 16:47]
    S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2005-06-06 03:44]
    S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 15:00]
    S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 15:00]
    S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 15:00]
    S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 15:00]
    S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys [2007-02-08 12:55]
    S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys [2007-02-08 12:55]
    S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys [2007-02-08 12:55]
    S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys [2007-02-08 12:56]
    S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys [2007-02-08 12:56]
    S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys [2007-02-08 12:56]
    S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys [2007-02-08 12:56]
    S3 SQLAgent$CTSQL;SQLAgent$CTSQL;C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Binn\sqlagent.EXE [2002-12-17 17:23]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07069350-35f3-11dc-ae5e-00130229faed}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{449b00d2-868a-11da-a583-00a0d1df1b4d}]
    \Shell\AutoRun\command - browser.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99ec8a1d-6352-11dc-aeb5-00130229faed}]
    \Shell\Auto\command - H:\Autorun.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99ec8a1e-6352-11dc-aeb5-00130229faed}]
    \Shell\Auto\command - I:\Autorun.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-18 08:09:55
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-18 8:10:39
    ComboFix-quarantined-files.txt 2008-02-18 06:10:30
    ComboFix2.txt 2008-02-18 06:02:14
    .
    2008-02-14 01:07:41 --- E O F ---



    And the HijackThis log is:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:14:07, on 18/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\system32\svcd\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    D:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Binn\sqlservr.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Synaptics\SynTP\Toshiba.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\WINDOWS\system32\ctfmon.exe
    \?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Clarabelle\My Documents\My Progs\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
    O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Policies\Explorer\Run: [{C091719B-0724-1033-0508-06040706002c}] "C:\Program Files\Common Files\{C091719B-0724-1033-0508-06040706002c}\Update.exe" te-110-12-0000081
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Startup: SDK Tray Menu.lnk = ?
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\MICROSOFT SQL SERVER\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://clarabele2006.spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Security Service (EQIB) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - D:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

    --
    End of file - 9515 bytes

    Waiting for the reply.
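    As an added example (not code from the thread, from HijackThis or from any tool named here), the checks a helper applies to a log like the one above, written as a small Python triage script: it flags system binaries running outside System32 (the svcd\svchost.exe entries), O23 services with no publisher, autostarts under Policies\Explorer\Run, and R0/R1 pages pointing at unexpected hosts. The trusted-domain allowlist and the set of System32-only binaries are my assumptions, and the sample lines are copied from the log above.

```python
"""Triage rules for a HijackThis-style log. Added example: not HijackThis's own
code and not from the thread. Each rule encodes a check helpers apply by eye;
the result is a list of lines to inspect, not a verdict."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

SYSTEM32 = r"c:\windows\system32"

# Core binaries Windows ships only in System32 (assumed set). The same name in
# any other folder, e.g. the log's C:\WINDOWS\system32\svcd\svchost.exe, is a
# masquerade.
SYSTEM_ONLY_BINARIES = {"svchost.exe", "lsass.exe", "services.exe",
                        "winlogon.exe", "csrss.exe", "smss.exe"}

# Start/search pages outside these domains get flagged (assumed allowlist).
TRUSTED_DOMAINS = ("microsoft.com", "msn.com", "live.com")


@dataclass
class Finding:
    rule: str
    line: str


def _exe_path(text: str) -> Optional[str]:
    """First drive-letter path ending in .exe, quotes and arguments ignored.
    Bare names such as RTHDCPL.EXE carry no folder and are skipped."""
    m = re.search(r'([A-Za-z]:\\[^"\n]*?\.exe)', text, re.IGNORECASE)
    return m.group(1) if m else None


def check_masquerade(line: str) -> Optional[Finding]:
    """System-only binary running from somewhere other than System32."""
    path = _exe_path(line)
    if not path:
        return None
    folder, _, name = path.lower().rpartition("\\")
    if name in SYSTEM_ONLY_BINARIES and folder != SYSTEM32:
        return Finding("system binary outside System32", line)
    return None


def check_unknown_owner_service(line: str) -> Optional[Finding]:
    """O23 service with no publisher. Legitimate software trips this too (the
    mental ray satellite in the log above), so treat it as a pre-filter."""
    if line.startswith("O23 - Service:") and "Unknown owner" in line:
        return Finding("service with no publisher", line)
    return None


def check_policies_run(line: str) -> Optional[Finding]:
    """Autostart under Policies\\Explorer\\Run, a location ordinary installers
    do not use; the log's {GUID}\\Update.exe entry lives there."""
    if line.startswith("O4 -") and r"\Policies\Explorer\Run" in line:
        return Finding("autorun via Explorer policy Run key", line)
    return None


def check_browser_hijack(line: str) -> Optional[Finding]:
    """R0/R1 start or search page pointing at a host outside TRUSTED_DOMAINS."""
    if not line.startswith(("R0 -", "R1 -")):
        return None
    value = line.partition(" = ")[2].strip().lower()
    if value in ("", "about:blank"):
        return None
    host = re.sub(r"^https?://", "", value).split("/")[0]
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return None
    return Finding("browser start/search page on unexpected host", line)


CHECKS: List[Callable[[str], Optional[Finding]]] = [
    check_masquerade, check_unknown_owner_service,
    check_policies_run, check_browser_hijack,
]


def triage(log_text: str) -> List[Finding]:
    """Run every rule over every non-empty line; a line may yield several hits."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(f for f in (c(line) for c in CHECKS) if f)
    return findings


# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svcd\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Policies\Explorer\Run: [{C091719B-0724-1033-0508-06040706002c}] "C:\Program Files\Common Files\{C091719B-0724-1033-0508-06040706002c}\Update.exe" te-110-12-0000081
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Security Service (EQIB) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")  # five findings on the sample above
```

The EQIB service line is reported twice (no publisher, and a system binary outside System32), which is exactly the overlap that makes it the first thing to look at.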
     
  5. 2008/02/18
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi clarabelle

    Please check in this folder for the first ComboFix log and post it if it's there.

    C:\Qoobox

    Now please do this.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.

    Please post the first CF log if it was there, and the SDFix log.

    Thanks
    Geri
     
    Geri,
    #4
  6. 2008/02/18
    clarabelle

    clarabelle Inactive Thread Starter

    Joined:
    2008/02/17
    Messages:
    24
    Likes Received:
    0
    Thank you for being so prompt in getting back to me.
    Okay, so I got the ComboFix original log and it's the following:
    ComboFix 08-02-18.1 - Clarabelle 2008-02-18 7:48:42.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1253.1.1033.18.431 [GMT 2:00]
    Running from: C:\Documents and Settings\Clarabelle\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\Program Files\Common Files\{30917~1
    C:\Program Files\Common Files\{C0917~1
    C:\WINDOWS\keyboard1.dat
    C:\WINDOWS\system32\ntload.sys
    C:\WINDOWS\system32\winupdate.exe

    ----- BITS: Possible infected sites -----

    hxxp://au.
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_IPRIP
    -------\Iprip
    -------\ntload


    ((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
    .

    2008-02-17 21:28 . 2008-02-17 21:28 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
    2008-02-17 21:23 . 2008-02-17 21:31 <DIR> d-------- C:\Program Files\AutoCAD 2007
    2008-02-16 18:15 . 2008-02-16 18:15 34,816 --ahs---- C:\WINDOWS\Thumbs.db
    2008-02-16 18:15 . 2008-02-16 18:15 6,144 --ahs---- C:\WINDOWS\system32\Thumbs.db
    2008-02-14 07:37 . 2008-02-14 23:02 <DIR> d-------- C:\Documents and Settings\Clarabelle\Application Data\Winamp
    2008-02-14 03:02 . 2008-02-14 03:04 1,374 --a------ C:\WINDOWS\imsins.BAK
    2008-02-06 23:38 . 2008-02-06 23:38 <DIR> d-------- C:\WINDOWS\system32\svcd
    2008-02-06 23:38 . 2008-02-06 23:38 87,552 --a------ C:\WINDOWS\system32\TmpX.exe
    2008-02-06 23:38 . 2008-02-06 23:38 34,816 --a------ C:\info.exe
    2008-02-06 23:38 . 2008-02-18 07:41 114 --a------ C:\WINDOWS\system32\url3
    2008-02-06 23:38 . 2008-02-18 07:41 102 --a------ C:\WINDOWS\system32\url2
    2008-02-06 23:38 . 2008-02-18 07:41 102 --a------ C:\WINDOWS\system32\url1
    2008-02-06 23:38 . 2008-02-18 07:41 8 --a------ C:\WINDOWS\system32\CID
    2008-02-06 23:38 . 2008-02-06 23:38 4 --a------ C:\WINDOWS\system32\SvcNm
    2008-02-03 23:17 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-02-03 14:39 . 2008-02-03 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-02 21:01 . 2008-02-02 21:01 0 --a------ C:\WINDOWS\mngui.INI
    2008-02-02 20:38 . 2008-02-02 20:38 <DIR> d-------- C:\Documents and Settings\Clarabelle\workspace
    2008-02-02 20:36 . 2008-02-02 20:36 <DIR> d-------- C:\Program Files\Intalio
    2008-02-02 20:31 . 2008-02-02 20:34 23,071 --a------ C:\WINDOWS\system32\productregistry
    2008-02-02 20:28 . 2008-02-02 20:29 <DIR> d-------- C:\Program Files\NetBeans 6.0
    2008-02-02 20:19 . 2008-02-02 20:29 <DIR> d-------- C:\Documents and Settings\Clarabelle\.nbi
    2008-02-02 19:34 . 2008-02-02 19:34 <DIR> d-------- C:\Sun
    2008-01-30 16:21 . 2008-01-30 16:34 <DIR> d-------- C:\Program Files\AutoCAD Architecture 2008
    2008-01-25 18:18 . 2008-01-25 18:18 <DIR> d-------- C:\Documents and Settings\Clarabelle\Application Data\Leadertech
    2008-01-25 18:17 . 2008-02-14 07:41 <DIR> d-------- C:\Program Files\CCleaner
    2008-01-25 15:42 . 2007-02-08 12:56 90,800 -ra------ C:\WINDOWS\system32\drivers\sea1unic.sys
    2008-01-25 15:42 . 2007-02-08 12:56 88,624 -ra------ C:\WINDOWS\system32\drivers\sea1mgmt.sys
    2008-01-25 15:42 . 2007-02-08 12:56 18,704 -ra------ C:\WINDOWS\system32\drivers\sea1nd5.sys
    2008-01-25 15:42 . 2007-02-08 12:55 4,128 -ra------ C:\WINDOWS\system32\drivers\sea1cr.sys
    2008-01-25 15:41 . 2008-01-25 15:42 <DIR> d-------- C:\Documents and Settings\Clarabelle\Application Data\Teleca
    2008-01-25 15:41 . 2007-02-08 12:55 97,088 -ra------ C:\WINDOWS\system32\drivers\sea1mdm.sys
    2008-01-25 15:41 . 2007-02-08 12:56 86,432 -ra------ C:\WINDOWS\system32\drivers\sea1obex.sys
    2008-01-25 15:41 . 2007-02-08 12:55 61,536 -ra------ C:\WINDOWS\system32\drivers\sea1bus.sys
    2008-01-25 15:41 . 2007-02-08 12:55 9,360 -ra------ C:\WINDOWS\system32\drivers\sea1mdfl.sys
    2008-01-25 15:41 . 2007-02-08 12:55 6,240 -ra------ C:\WINDOWS\system32\drivers\sea1cmnt.sys
    2008-01-25 15:41 . 2007-02-08 12:55 6,240 -ra------ C:\WINDOWS\system32\drivers\sea1cm.sys
    2008-01-25 15:41 . 2007-02-08 12:56 5,872 -ra------ C:\WINDOWS\system32\drivers\sea1whnt.sys
    2008-01-25 15:41 . 2007-02-08 12:56 5,872 -ra------ C:\WINDOWS\system32\drivers\sea1wh.sys
    2008-01-25 15:40 . 2008-01-25 15:40 <DIR> d-------- C:\Program Files\Disc2Phone
    2008-01-25 15:37 . 2008-01-25 15:37 <DIR> d-------- C:\Documents and Settings\Clarabelle\Application Data\Sony Ericsson
    2008-01-25 15:32 . 2008-01-25 15:32 <DIR> d-------- C:\Program Files\Common Files\Sony Ericsson Shared
    2008-01-25 15:32 . 2008-01-25 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
    2008-01-25 15:31 . 2008-01-25 15:31 <DIR> d-------- C:\Program Files\Sony Ericsson
    2008-01-25 15:31 . 2008-01-25 15:32 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
    2008-01-25 15:31 . 2008-01-25 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
    2008-01-22 01:37 . 2004-11-10 11:10 778,240 --a------ C:\WINDOWS\system32\hasp_com_windows.dll
    2008-01-22 01:36 . 2004-11-10 11:10 27,728 --a------ C:\WINDOWS\system32\hasp_com_windows.tlb
    2008-01-22 01:08 . 2000-03-28 10:18 1,822,720 --a------ C:\WINDOWS\system32\ODX.dll
    2008-01-22 01:08 . 2000-08-04 15:24 397,312 --a------ C:\WINDOWS\system32\avImageX.dll
    2008-01-22 01:08 . 2004-04-15 16:57 126,976 --a------ C:\WINDOWS\system32\avaxgrph.dll
    2008-01-22 00:56 . 2008-01-22 00:56 <DIR> d-------- C:\Program Files\Common Files\gvjava
    2008-01-22 00:56 . 2008-01-22 00:56 <DIR> d-------- C:\Program Files\Common Files\Data Dynamics
    2008-01-22 00:48 . 2008-02-03 14:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-22 00:03 . 2008-01-22 00:03 0 --a------ C:\WINDOWS\system32\VDM1DD.tmp
    2008-01-22 00:03 . 2008-01-22 00:03 0 --a------ C:\WINDOWS\system32\VDM1DC.tmp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-18 05:38 --------- d-----w C:\Documents and Settings\Clarabelle\Application Data\uTorrent
    2008-02-17 19:28 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
    2008-02-17 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
    2008-02-17 09:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-02-17 09:08 --------- d-----w C:\Program Files\WinPolis
    2008-02-17 09:08 --------- d-----w C:\Program Files\LimeWire
    2008-02-14 05:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\scar5
    2008-02-14 05:38 --------- d-----w C:\Program Files\Winamp
    2008-02-12 16:11 --------- d-----w C:\Program Files\uTorrent
    2008-02-06 21:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-03 21:17 --------- d-----w C:\Program Files\Java
    2008-02-03 12:42 --------- d-----w C:\Program Files\Lavasoft
    2008-02-03 12:41 --------- d-----w C:\Documents and Settings\Clarabelle\Application Data\Lavasoft
    2008-01-21 23:44 --------- d-----w C:\Program Files\Common Files\CivilTech
    2008-01-06 11:38 --------- d-----w C:\Program Files\Common Files\business objects
    2007-12-22 11:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
    2007-12-22 11:49 --------- d-----w C:\Program Files\Azureus
    2007-12-22 11:45 --------- d-----w C:\Documents and Settings\Clarabelle\Application Data\Azureus
    2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
    1996-03-21 17:03 13,568 -c--a-w C:\WINDOWS\Fonts\GR FONTS\GREEK1\TTFONTS.100\PATTFFON\SETUP.EXE
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 01:32 761945]
    "RTHDCPL"="RTHDCPL.EXE" [2005-12-10 00:49 15691264 C:\WINDOWS\RTHDCPL.exe]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 15:29 88203 C:\WINDOWS\agrsmmsg.exe]
    "TPSMain"="TPSMain.exe" [2005-08-03 16:26 266240 C:\WINDOWS\system32\TPSMain.exe]
    "TFncKy"="TFncKy.exe" []
    "TDispVol"="TDispVol.exe" [2005-03-11 17:03 73728 C:\WINDOWS\system32\TDispVol.exe]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 13:37 667718]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 12:41 602182]
    "NDSTray.exe"="NDSTray.exe" []
    "PD0630 STISvc"="P0630Pin.dll" [2005-06-05 19:01 36864 C:\WINDOWS\system32\P0630Pin.dll]
    "WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 07:35 20480]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224]
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-01-26 13:36 495616]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]

    C:\Documents and Settings\Clarabelle\Start Menu\Programs\Startup\
    SDK Tray Menu.lnk - C:\Program Files\Java\jdk1.5.0_14\bin\javaw.exe [2008-02-02 20:23:00 53346]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 04:43:54 11000]
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-06-26 21:53:31 155648]
    Service Manager.lnk - C:\Program Files\MICROSOFT SQL SERVER\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
    "{C091719B-0724-1033-0508-06040706002c}"="C:\Program Files\Common Files\{C091719B-0724-1033-0508-06040706002c}\Update.exe" te-110-12-0000081

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
    backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Clarabelle^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=C:\Documents and Settings\Clarabelle\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    --a------ 2005-08-12 16:43 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    --a------ 2006-11-16 19:04 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CONNECTScheduler]
    C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    --a------ 2006-11-12 12:48 157592 C:\Program Files\DAEMON Tools\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
    --a------ 2006-10-11 11:45 75304 C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    --a------ 2006-09-28 12:16 185896 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]
    C:\Program Files\Macrogaming\SweetIM\SweetIM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows]
    c:\\windows_e51.exe

    R2 EQIB;Security Service;C:\WINDOWS\system32\svcd\svchost.exe [2008-02-06 23:38]
    R2 MSSQL$CTSQL;MSSQL$CTSQL;C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Binn\sqlservr.exe [2002-12-17 17:26]
    R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 16:47]
    S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2005-06-06 03:44]
    S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 15:00]
    S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 15:00]
    S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 15:00]
    S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 15:00]
    S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys [2007-02-08 12:55]
    S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys [2007-02-08 12:55]
    S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys [2007-02-08 12:55]
    S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys [2007-02-08 12:56]
    S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys [2007-02-08 12:56]
    S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys [2007-02-08 12:56]
    S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys [2007-02-08 12:56]
    S3 SQLAgent$CTSQL;SQLAgent$CTSQL;C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Binn\sqlagent.EXE [2002-12-17 17:23]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07069350-35f3-11dc-ae5e-00130229faed}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{449b00d2-868a-11da-a583-00a0d1df1b4d}]
    \Shell\AutoRun\command - browser.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99ec8a1d-6352-11dc-aeb5-00130229faed}]
    \Shell\Auto\command - H:\Autorun.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99ec8a1e-6352-11dc-aeb5-00130229faed}]
    \Shell\Auto\command - I:\Autorun.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-18 07:56:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    D:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\Synaptics\SynTP\Toshiba.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-18 8:02:13 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-18 06:02:09
    .
    2008-02-14 01:07:41 --- E O F ---

    The log from SDFix is this one:

    SDFix: Version 1.143

    Run by Clarabelle on Δευ 18/02/2008 at 22:56

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Checking Files:

    Trojan Files Found:

    C:\VDM1DC.TMP - Deleted
    C:\VDM1DD.TMP - Deleted
    C:\VDM5B.TMP - Deleted
    C:\VDM5C.TMP - Deleted
    C:\WINDOWS\system32\CID - Deleted
    C:\WINDOWS\system32\svcd\svchost.exe - Deleted
    C:\WINDOWS\system32\SvcNm - Deleted
    C:\WINDOWS\system32\TmpX.exe - Deleted
    C:\WINDOWS\system32\upds.log - Deleted
    C:\WINDOWS\system32\url1 - Deleted
    C:\WINDOWS\system32\url2 - Deleted
    C:\WINDOWS\system32\url3 - Deleted



    Folder C:\WINDOWS\system32\svcd - Removed


    Removing Temp Files...

    ADS Check:



    Final Check:

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-18 23:06:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0 "= "C:\Program Files\DAEMON Tools\ "
    "h0 "=dword:00000000
    "khjeh "=hex:2c,2e,f8,22,da,d7,2c,55,fc,33,e9,21,1d,0d,a5,5c,1e,38,d8,c7,e1,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0 "=hex:20,01,00,00,c6,1c,7c,07,8f,f6,5e,1f,72,a2,dd,d9,96,47,46,fb,a8,..
    "khjeh "=hex:49,30,ea,1b,98,3a,42,79,ff,d0,e8,67,d3,60,31,20,46,20,37,e4,6e,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh "=hex:a9,42,c1,2a,9f,2a,50,14,d4,4a,d2,a0,ad,88,1d,9e,bb,3b,9b,31,1a,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0 "= "C:\Program Files\DAEMON Tools\ "
    "h0 "=dword:00000000
    "khjeh "=hex:2c,2e,f8,22,da,d7,2c,55,fc,33,e9,21,1d,0d,a5,5c,1e,38,d8,c7,e1,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0 "=hex:20,01,00,00,c6,1c,7c,07,8f,f6,5e,1f,72,a2,dd,d9,96,47,46,fb,a8,..
    "khjeh "=hex:49,30,ea,1b,98,3a,42,79,ff,d0,e8,67,d3,60,31,20,46,20,37,e4,6e,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh "=hex:dc,92,9a,a3,dc,ed,6f,1d,c7,d7,7f,9b,7c,47,5c,c5,02,9a,1a,dc,35,..
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
    "s1 "=dword:96e7e118
    "s2 "=dword:1f8a2e93
    "h0 "=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0 "= "C:\Program Files\DAEMON Tools\ "
    "h0 "=dword:00000000
    "khjeh "=hex:2c,2e,f8,22,da,d7,2c,55,fc,33,e9,21,1d,0d,a5,5c,1e,38,d8,c7,e1,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0 "=hex:20,01,00,00,c6,1c,7c,07,8f,f6,5e,1f,72,a2,dd,d9,96,47,46,fb,a8,..
    "khjeh "=hex:49,30,ea,1b,98,3a,42,79,ff,d0,e8,67,d3,60,31,20,46,20,37,e4,6e,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh "=hex:dc,92,9a,a3,dc,ed,6f,1d,c7,d7,7f,9b,7c,47,5c,c5,02,9a,1a,dc,35,..

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\x8c\3\x398\3\xb7\3 ]
    "SlowInfoCache "=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,b0,9a,6d,ed,88,..
    "Changed "=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\x2018\3\x2015\3\x394\3\xb7\3\x393\3\xb7\3-]
    "SlowInfoCache "=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,b0,9a,6d,ed,88,..
    "Changed "=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\x2018\3\x2019\3\x2018\3\x9e\3 ]
    "SlowInfoCache "=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,b0,9a,6d,ed,88,..
    "Changed "=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\x201d\3\x391\3\xb1\3\x397\3\x38c\3\xae\3 ]
    "SlowInfoCache "=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,c2,b4,67,ea,5b,..
    "Changed "=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\x2022\3\x9a\3\x9a\3\x9f\3 ]
    "SlowInfoCache "=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,b0,9a,6d,ed,88,..
    "Changed "=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\x2022\3\x38a\3\x394\3\x39c\3\x392\3 ]
    "SlowInfoCache "=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,b0,9a,6d,ed,88,..
    "Changed "=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\x2022\3\x38a\3\x394\3\x39c\3\x392\3 ]
    "SlowInfoCache "=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,b0,9a,6d,ed,88,..
    "Changed "=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\x2022\3\x38a\3\x394\3\x39c\3\x392\3 ]
    "SlowInfoCache "=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,b0,9a,6d,ed,88,..
    "Changed "=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\x9a\3\xa4\3\x2122\3\xa3\3\x9c\3\x2018\3 ]
    "SlowInfoCache "=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,b0,9a,6d,ed,88,..
    "Changed "=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\x9c\3\xad\3\x394\3\x391\3\xb1\3 ]
    "SlowInfoCache "=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,b0,9a,6d,ed,88,..
    "Changed "=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\xa0\3\x39c\3\xbb\3\xb7\3 ]
    "SlowInfoCache "=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,b0,9a,6d,ed,88,..
    "Changed "=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\xa0\3\x38f\3\xbb\3\xb5\3\x38f\3\x384\3\x38f\3\x38c\3\x2015\3\xb1\3 ]
    "SlowInfoCache "=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,b0,9a,6d,ed,88,..
    "Changed "=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\xa0\3\x395\3\x391\0031]
    "SlowInfoCache "=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,b0,9a,6d,ed,88,..
    "Changed "=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\x8c\3\x398\3\xb7\3 ]
    "DisplayName "= "\x38c\x3c8\x3b7 \x3b3\x3b9\x3b1 Windows "
    "UninstallString "= "C:\PROGRA~1\WinPolis\Opsi\\UNWISE.EXE C:\PROGRA~1\WinPolis\Opsi\\INSTALL.LOG "
    "DisplayIcon "= "C:\Program Files\WinPolis\Opsi\\wOpsi.exe "
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\x2018\3\x2015\3\x394\3\xb7\3\x393\3\xb7\3-]
    "DisplayName "= "\x391\x3af\x3c4\x3b7\x3c3\x3b7-\x394\x3ae\x3bb\x3c9\x3c3\x3b7 \x3b3\x3b9\x3b1 Windows "
    "UninstallString "= "C:\PROGRA~1\WinPolis\AITD\UNWISE.EXE C:\PROGRA~1\WinPolis\AITD\INSTALL.LOG "
    "DisplayIcon "= "C:\PROGRA~1\WinPolis\AITD\wAITD.exe "
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\x2018\3\x2019\3\x2018\3\x9e\3 ]
    "DisplayName "= "\x391\x392\x391\x39e \x3b3\x3b9\x3b1 Windows "
    "UninstallString "= "C:\PROGRA~1\WinPolis\Avax\UNWISE.EXE C:\PROGRA~1\WinPolis\Avax\INSTALL.LOG "
    "DisplayIcon "= "C:\PROGRA~1\WinPolis\Avax\wAvax.exe "
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\x201d\3\x391\3\xb1\3\x397\3\x38c\3\xae\3 ]
    "DisplayName "= "\x394\x3c1\x3b1\x3c7\x3bc\x3ae \x3b3\x3b9\x3b1 Windows "
    "UninstallString "= "C:\PROGRA~1\WinPolis\DRX\UNWISE.EXE C:\PROGRA~1\WinPolis\DRX\INSTALL.LOG "
    "DisplayIcon "= "C:\Program Files\WinPolis\DRX\wDrx.exe "
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\x2022\3\x9a\3\x9a\3\x9f\3 ]
    "DisplayName "= "\x395\x39a\x39a\x39f \x3b3\x3b9\x3b1 Windows "
    "UninstallString "= "C:\PROGRA~1\WinPolis\EKKO\UNWISE.EXE C:\PROGRA~1\WinPolis\EKKO\INSTALL.LOG "
    "DisplayIcon "= "C:\Program Files\WinPolis\EKKO\wEkko.exe "
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\x2022\3\x38a\3\x394\3\x39c\3\x392\3 ]
    "DisplayName "= "\x395\x3ba\x3c4\x3cc\x3c2 2004 \x3b3\x3b9\x3b1 Windows "
    "UninstallString "= "C:\PROGRA~1\WinPolis\Ektos04\UNWISE.EXE C:\PROGRA~1\WinPolis\Ektos04\INSTALL.LOG "
    "DisplayIcon "= "C:\PROGRA~1\WinPolis\Ektos04\wEktos04.exe "
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\x2022\3\x38a\3\x394\3\x39c\3\x392\3 ]
    "DisplayName "= "\x395\x3ba\x3c4\x3cc\x3c2 98 \x3b3\x3b9\x3b1 Windows "
    "UninstallString "= "C:\PROGRA~1\WinPolis\Ektos98\UNWISE.EXE C:\PROGRA~1\WinPolis\Ektos98\INSTALL.LOG "
    "DisplayIcon "= "C:\PROGRA~1\WinPolis\Ektos98\wEktos98.exe "
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\x2022\3\x38a\3\x394\3\x39c\3\x392\3 ]
    "DisplayName "= "\x395\x3ba\x3c4\x3cc\x3c2 \x3b3\x3b9\x3b1 Windows "
    "UninstallString "= "C:\PROGRA~1\WinPolis\Ektos\UNWISE.EXE C:\PROGRA~1\WinPolis\Ektos\INSTALL.LOG "
    "DisplayIcon "= "C:\PROGRA~1\WinPolis\Ektos\wEktos.exe "
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\x9a\3\xa4\3\x2122\3\xa3\3\x9c\3\x2018\3 ]
    "DisplayName "= "\x39a\x3a4\x399\x3a3\x39c\x391 \x3b3\x3b9\x3b1 Windows "
    "UninstallString "= "C:\PROGRA~1\WinPolis\Ktisma\UNWISE.EXE C:\PROGRA~1\WinPolis\Ktisma\INSTALL.LOG "
    "DisplayIcon "= "C:\PROGRA~1\WinPolis\Ktisma\wKtisma.exe "
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\x9c\3\xad\3\x394\3\x391\3\xb1\3 ]
    "DisplayName "= "\x39c\x3ad\x3c4\x3c1\x3b1 \x3b1\x3c3\x3c6\x3ac\x3bb\x3b5\x3b9\x3b1\x3c2 \x3b3\x3b9\x3b1 Windows "
    "UninstallString "= "C:\PROGRA~1\WinPolis\Asfaleia\\UNWISE.EXE C:\PROGRA~1\WinPolis\Asfaleia\\INSTALL.LOG "
    "DisplayIcon "= "C:\Program Files\WinPolis\Asfaleia\\wAsfaleia.exe "
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\xa0\3\x39c\3\xbb\3\xb7\3 ]
    "DisplayName "= "\x3a0\x3cc\x3bb\x3b7 2007 \x3b3\x3b9\x3b1 Windows "
    "UninstallString "= "C:\PROGRA~1\WinPolis\UNWISE.EXE C:\PROGRA~1\WinPolis\INSTALL.LOG "
    "DisplayIcon "= "C:\Program Files\WinPolis\wPolis.exe "
    "HelpTelephone "= "210 6003034 "
    "Publisher "= "CivilTech "
    "URLInfoAbout "= "www.civiltech.gr "
    "DisplayVersion "= "2007 "
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\xa0\3\x38f\3\xbb\3\xb5\3\x38f\3\x384\3\x38f\3\x38c\3\x2015\3\xb1\3 ]
    "DisplayName "= "\x3a0\x3bf\x3bb\x3b5\x3bf\x3b4\x3bf\x3bc\x3af\x3b1 \x3b3\x3b9\x3b1 Windows "
    "UninstallString "= "C:\PROGRA~1\WinPolis\ADEIA\UNWISE.EXE C:\PROGRA~1\WinPolis\ADEIA\INSTALL.LOG "
    "DisplayIcon "= "C:\PROGRA~1\WinPolis\ADEIA\wADEIA.exe "
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\xa0\3\x395\3\x391\0031]
    "DisplayName "= "\x3a0\x3c5\x03c1199 \x3b3\x3b9\x3b1 Windows "
    "UninstallString "= "C:\PROGRA~1\WinPolis\PYR199\UNWISE.EXE C:\PROGRA~1\WinPolis\PYR199\INSTALL.LOG "
    "DisplayIcon "= "C:\PROGRA~1\WinPolis\PYR199\wPyr199.exe "
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
    "TracesProcessed "=dword:00000037
    "TracesSuccessful "=dword:00000007
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CVL\OpenWithProgids]
    "\x2018\3\x391\3\x397\3\xb5\3\x2015\3\x38f\3 ?C?i?v?i?l? "=hex(0):
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xa0\3\x39c\3\xbb\3\xb7\3 ]
    "Order "=hex:08,00,00,00,02,00,00,00,f8,0e,00,00,01,00,00,00,1e,00,00,00,76,..

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xa0\3\x39c\3\xbb\3\xb7\3 \\x9f\3\x384\3\xb7\3\xb3\3\x38f\3\x2015\3 ]
    "Order "=hex:08,00,00,00,02,00,00,00,60,03,00,00,01,00,00,00,06,00,00,00,8c,..

    scanning hidden files ...


    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 21


    Remaining Services:



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Wed 4 Aug 2004 93,184 A.SH. --- "C:\Program Files\Internet Explorer\IEXPLORE.EXE "
    Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe "
    Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe "
    Wed 28 Jun 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak "
    Tue 4 Jul 2006 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv10.bak "
    Tue 19 Sep 2006 304,736 A..H. --- "C:\Program Files\Canon\MP Navigator 2.2\Maint.exe "
    Mon 19 Dec 2005 61,440 A..H. --- "C:\Program Files\Canon\MP Navigator 2.2\uinstrsc.dll "
    Sun 1 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp "
    Mon 18 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT7.tmp "
    Mon 18 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT5.tmp "
    Mon 18 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT9.tmp "
    Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT1.tmp "
    Mon 18 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT2.tmp "
    Mon 18 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ad42352b748801d7e80461ea9fbebfef\BIT4.tmp "
    Mon 18 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT8.tmp "
    Mon 18 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT3.tmp "
    Mon 18 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BITA.tmp "
    Mon 18 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT6.tmp "
    Sun 30 Jul 2006 3,389,440 ...H. --- "C:\Documents and Settings\Clarabelle\Application Data\Microsoft\Word\~WRL0005.tmp "
    Tue 12 Sep 2006 97,792 ...H. --- "C:\Documents and Settings\Clarabelle\Application Data\Microsoft\Word\~WRL0361.tmp "
    Tue 12 Sep 2006 134,656 ...H. --- "C:\Documents and Settings\Clarabelle\Application Data\Microsoft\Word\~WRL2494.tmp "
    Sun 19 Nov 2006 45,073,408 ...H. --- "C:\Documents and Settings\Clarabelle\Application Data\Microsoft\Word\~WRL3749.tmp "
    Tue 12 Sep 2006 112,640 ...H. --- "C:\Documents and Settings\Clarabelle\Application Data\Microsoft\Word\~WRL3974.tmp "
    Wed 4 Oct 2006 3,072,000 A..H. --- "C:\Documents and Settings\Clarabelle\Application Data\U3\temp\Launchpad Removal.exe "

    Finished!
     
  7. 2008/02/18
    clarabelle Inactive Thread Starter

    And finally, HijackThis came back with this:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:13:56, on 18/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    D:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Binn\sqlservr.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Synaptics\SynTP\Toshiba.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\MICROSOFT SQL SERVER\80\Tools\Binn\sqlmangr.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Java\jdk1.5.0_14\bin\javaw.exe
    C:\Documents and Settings\Clarabelle\My Documents\My Progs\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
    O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe "
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Startup: SDK Tray Menu.lnk = ?
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\MICROSOFT SQL SERVER\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://clarabele2006.spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Security Service (EQIB) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - D:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

    --
    End of file - 9618 bytes

    Thanks again Geri, waiting for your next reply :)
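The O23 line for "Security Service (EQIB)" in the log above is the kind of entry a helper picks out by eye: no publisher, the binary is gone after the SDFix run, and the file borrowed the name svchost.exe in a directory where that name does not belong. As an added example (not code from this thread, from HijackThis or from any of the tools used here), the following Python script applies those checks, plus similar ones for orphaned O2 BHO registrations, path-less O4 autostarts and a redirected R0/R1 start or search page, to lines in the HijackThis v2 format. The sample lines are copied from the log posted above; the list of "well-known Windows binary names" and the one allowed start-page value are my own assumptions.

```python
"""Triage helper for HijackThis v2 log lines (added example, not from the thread).

Applies a few defender-side checks to R0/R1, O2, O4 and O23 lines and returns
the lines that deserve a closer look, with the reason for each.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis log posted above,
# with the benign avast! entries left in for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Security Service (EQIB) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
""".strip()

# Assumption: names of core Windows binaries that are often borrowed; one of
# these names outside the Windows directories is worth a second look.
WINDOWS_BINARY_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                        "csrss.exe", "smss.exe", "explorer.exe", "spoolsv.exe"}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
ALLOWED_URLS = {"about:blank"}  # assumption: the only start/search value not flagged

R_RE = re.compile(r"^(R[013]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<entry>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    line: str
    reasons: List[str]


def masquerading_name(path: str) -> bool:
    """True when a well-known Windows binary name sits outside the Windows directories."""
    clean = path.replace(" (file missing)", "").strip().strip('"')
    directory, name = ntpath.split(clean)
    return name.lower() in WINDOWS_BINARY_NAMES and directory.lower() not in WINDOWS_DIRS


def check_line(line: str) -> List[str]:
    """Return the reasons a single HijackThis line deserves review (empty if none)."""
    reasons: List[str] = []
    if (m := R_RE.match(line)):
        url = m["url"].strip()
        if url not in ALLOWED_URLS:
            reasons.append(f"browser '{m['value']}' points to {url}; confirm the user chose it")
    elif (m := O2_RE.match(line)):
        if m["name"] == "(no name)":
            reasons.append("BHO registered without a name")
        if m["path"] == "(no file)":
            reasons.append("BHO CLSID points to a DLL that no longer exists (orphaned registration)")
    elif (m := O4_RE.match(line)):
        cmd = m["cmd"].strip().strip('"')
        if "\\" not in cmd.split(" ")[0]:
            reasons.append(f"autostart [{m['entry']}] gives no directory; the file that runs depends on the search path")
    elif (m := O23_RE.match(line)):
        if m["owner"] == "Unknown owner":
            reasons.append("service binary carries no publisher information")
        if m["path"].endswith("(file missing)"):
            reasons.append("service still registered but its binary is gone (leftover after cleanup)")
        if masquerading_name(m["path"]):
            reasons.append("core Windows binary name outside the Windows directories")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every line of a log and keep the ones with findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = check_line(line)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run on the sample, four of the seven lines come back: the redirected start page, the nameless BHO with no file, the path-less RTHDCPL autostart, and the EQIB service with all three of its reasons; both avast! lines pass. The orphaned O23 entry is exactly what a follow-up fix script would target, since a missing binary with a live service registration is what remains after the file itself has been deleted.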
     
  8. 2008/02/18
    Geri Inactive Alumni

    Hi clarabelle

    Having any P2P file sharing apps such as Limewire, BitTorrent, uTorrent, etc. is almost like inviting malware into your computer. There is absolutely no way for you to know which of the hundreds of thousands of users you are sharing files with are infected or not.
    I strongly recommend removing any P2P applications.

    I'd like some files scanned.


    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste each of the following file paths, one at a time, into the "File to upload & scan" box at the top of the page:
      • C:\WINDOWS\system32\hasp_com_windows.dll
      • C:\WINDOWS\system32\avImageX.dll
      • C:\WINDOWS\system32\avaxgrph.dll
    • Click on the submit button
    • Please post the results in your next reply.


    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINDOWS\Thumbs.db
    C:\WINDOWS\system32\Thumbs.db
    C:\WINDOWS\imsins.BAK
    C:\info.exe
    
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
    "{C091719B-0724-1033-0508-06040706002c}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows]
    
    Please post the CFScript log and the Jotti results.

    Thanks
    Geri
     
  9. 2008/02/19
    clarabelle Inactive Thread Starter

    Here I go again. The log after the online scan is:
    Service load:
    0% 100%
    File: hasp_com_windows.dll
    Status:
    OK
    MD5: 6364104df7100b7b83c0681175970df0
    Packers detected:
    -
    Bit9 reports: No threat detected (more info)

    Scan taken on 19 Feb 2008 05:43:22 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing


    Service load:
    0% 100%
    File: avImageX.dll
    Status:
    OK
    MD5: 8e35dca6df4ca5cd6faa65d42f939fb3
    Packers detected:
    -
    Bit9 reports: No threat detected (more info)
    Scan taken on 19 Feb 2008 05:48:13 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing


    Service load:
    0% 100%
    File: avaxgrph.dll
    Status:
    OK
    MD5: f51885d3e89135d755224556e73b669c
    Packers detected:
    -
    Bit9 reports: No threat detected (more info)

    Scan taken on 19 Feb 2008 05:52:32 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    And the new log of ComboFix:

    ComboFix 08-02-18.1 - Clarabelle 2008-02-19 8:11:11.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1253.1.1033.18.538 [GMT 2:00]
    Running from: C:\Documents and Settings\Clarabelle\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Clarabelle\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\info.exe
    C:\WINDOWS\imsins.BAK
    C:\WINDOWS\system32\Thumbs.db
    C:\WINDOWS\Thumbs.db
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\info.exe
    C:\WINDOWS\imsins.BAK
    C:\WINDOWS\system32\Thumbs.db
    C:\WINDOWS\Thumbs.db

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
    .

    2008-02-18 22:52 . 2008-02-18 22:53 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-02-18 22:47 . 2008-02-18 23:12 <DIR> d-------- C:\SDFix
    2008-02-17 21:28 . 2008-02-17 21:28 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
    2008-02-17 21:23 . 2008-02-17 21:31 <DIR> d-------- C:\Program Files\AutoCAD 2007
    2008-02-14 07:37 . 2008-02-14 23:02 <DIR> d-------- C:\Documents and Settings\Clarabelle\Application Data\Winamp
    2008-02-03 23:17 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-02-03 14:39 . 2008-02-03 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-02 21:01 . 2008-02-02 21:01 0 --a------ C:\WINDOWS\mngui.INI
    2008-02-02 20:38 . 2008-02-02 20:38 <DIR> d-------- C:\Documents and Settings\Clarabelle\workspace
    2008-02-02 20:36 . 2008-02-02 20:36 <DIR> d-------- C:\Program Files\Intalio
    2008-02-02 20:31 . 2008-02-02 20:34 23,071 --a------ C:\WINDOWS\system32\productregistry
    2008-02-02 20:28 . 2008-02-02 20:29 <DIR> d-------- C:\Program Files\NetBeans 6.0
    2008-02-02 20:19 . 2008-02-02 20:29 <DIR> d-------- C:\Documents and Settings\Clarabelle\.nbi
    2008-02-02 19:34 . 2008-02-02 19:34 <DIR> d-------- C:\Sun
    2008-01-30 16:21 . 2008-01-30 16:34 <DIR> d-------- C:\Program Files\AutoCAD Architecture 2008
    2008-01-25 18:18 . 2008-01-25 18:18 <DIR> d-------- C:\Documents and Settings\Clarabelle\Application Data\Leadertech
    2008-01-25 18:17 . 2008-02-14 07:41 <DIR> d-------- C:\Program Files\CCleaner
    2008-01-25 15:42 . 2007-02-08 12:56 90,800 -ra------ C:\WINDOWS\system32\drivers\sea1unic.sys
    2008-01-25 15:42 . 2007-02-08 12:56 88,624 -ra------ C:\WINDOWS\system32\drivers\sea1mgmt.sys
    2008-01-25 15:42 . 2007-02-08 12:56 18,704 -ra------ C:\WINDOWS\system32\drivers\sea1nd5.sys
    2008-01-25 15:42 . 2007-02-08 12:55 4,128 -ra------ C:\WINDOWS\system32\drivers\sea1cr.sys
    2008-01-25 15:41 . 2008-01-25 15:42 <DIR> d-------- C:\Documents and Settings\Clarabelle\Application Data\Teleca
    2008-01-25 15:41 . 2007-02-08 12:55 97,088 -ra------ C:\WINDOWS\system32\drivers\sea1mdm.sys
    2008-01-25 15:41 . 2007-02-08 12:56 86,432 -ra------ C:\WINDOWS\system32\drivers\sea1obex.sys
    2008-01-25 15:41 . 2007-02-08 12:55 61,536 -ra------ C:\WINDOWS\system32\drivers\sea1bus.sys
    2008-01-25 15:41 . 2007-02-08 12:55 9,360 -ra------ C:\WINDOWS\system32\drivers\sea1mdfl.sys
    2008-01-25 15:41 . 2007-02-08 12:55 6,240 -ra------ C:\WINDOWS\system32\drivers\sea1cmnt.sys
    2008-01-25 15:41 . 2007-02-08 12:55 6,240 -ra------ C:\WINDOWS\system32\drivers\sea1cm.sys
    2008-01-25 15:41 . 2007-02-08 12:56 5,872 -ra------ C:\WINDOWS\system32\drivers\sea1whnt.sys
    2008-01-25 15:41 . 2007-02-08 12:56 5,872 -ra------ C:\WINDOWS\system32\drivers\sea1wh.sys
    2008-01-25 15:40 . 2008-01-25 15:40 <DIR> d-------- C:\Program Files\Disc2Phone
    2008-01-25 15:37 . 2008-01-25 15:37 <DIR> d-------- C:\Documents and Settings\Clarabelle\Application Data\Sony Ericsson
    2008-01-25 15:32 . 2008-01-25 15:32 <DIR> d-------- C:\Program Files\Common Files\Sony Ericsson Shared
    2008-01-25 15:32 . 2008-01-25 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
    2008-01-25 15:31 . 2008-01-25 15:31 <DIR> d-------- C:\Program Files\Sony Ericsson
    2008-01-25 15:31 . 2008-01-25 15:32 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
    2008-01-25 15:31 . 2008-01-25 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
    2008-01-22 01:37 . 2004-11-10 11:10 778,240 --a------ C:\WINDOWS\system32\hasp_com_windows.dll
    2008-01-22 01:36 . 2004-11-10 11:10 27,728 --a------ C:\WINDOWS\system32\hasp_com_windows.tlb
    2008-01-22 01:08 . 2000-03-28 10:18 1,822,720 --a------ C:\WINDOWS\system32\ODX.dll
    2008-01-22 01:08 . 2000-08-04 15:24 397,312 --a------ C:\WINDOWS\system32\avImageX.dll
    2008-01-22 01:08 . 2004-04-15 16:57 126,976 --a------ C:\WINDOWS\system32\avaxgrph.dll
    2008-01-22 00:56 . 2008-01-22 00:56 <DIR> d-------- C:\Program Files\Common Files\gvjava
    2008-01-22 00:56 . 2008-01-22 00:56 <DIR> d-------- C:\Program Files\Common Files\Data Dynamics
    2008-01-22 00:48 . 2008-02-03 14:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-22 00:03 . 2008-01-22 00:03 0 --a------ C:\WINDOWS\system32\VDM1DD.tmp
    2008-01-22 00:03 . 2008-01-22 00:03 0 --a------ C:\WINDOWS\system32\VDM1DC.tmp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-19 05:56 --------- d-----w C:\Documents and Settings\Clarabelle\Application Data\uTorrent
    2008-02-17 19:28 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
    2008-02-17 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
    2008-02-17 09:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-02-17 09:08 --------- d-----w C:\Program Files\WinPolis
    2008-02-17 09:08 --------- d-----w C:\Program Files\LimeWire
    2008-02-14 05:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\scar5
    2008-02-14 05:38 --------- d-----w C:\Program Files\Winamp
    2008-02-12 16:11 --------- d-----w C:\Program Files\uTorrent
    2008-02-06 21:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-03 21:17 --------- d-----w C:\Program Files\Java
    2008-02-03 12:42 --------- d-----w C:\Program Files\Lavasoft
    2008-02-03 12:41 --------- d-----w C:\Documents and Settings\Clarabelle\Application Data\Lavasoft
    2008-01-21 23:44 --------- d-----w C:\Program Files\Common Files\CivilTech
    2008-01-06 11:38 --------- d-----w C:\Program Files\Common Files\business objects
    2007-12-22 11:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
    2007-12-22 11:49 --------- d-----w C:\Program Files\Azureus
    2007-12-22 11:45 --------- d-----w C:\Documents and Settings\Clarabelle\Application Data\Azureus
    2007-12-14 09:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-12-07 00:44 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
    2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
    2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
    2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
    1996-03-21 17:03 13,568 -c--a-w C:\WINDOWS\Fonts\GR FONTS\GREEK1\TTFONTS.100\PATTFFON\SETUP.EXE
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 01:32 761945]
    "RTHDCPL "= "RTHDCPL.EXE" [2005-12-10 00:49 15691264 C:\WINDOWS\RTHDCPL.exe]
    "AGRSMMSG "= "AGRSMMSG.exe" [2005-10-15 15:29 88203 C:\WINDOWS\agrsmmsg.exe]
    "TPSMain "= "TPSMain.exe" [2005-08-03 16:26 266240 C:\WINDOWS\system32\TPSMain.exe]
    "TFncKy "= "TFncKy.exe" []
    "TDispVol "= "TDispVol.exe" [2005-03-11 17:03 73728 C:\WINDOWS\system32\TDispVol.exe]
    "IntelZeroConfig "= "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 13:37 667718]
    "IntelWireless "= "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 12:41 602182]
    "NDSTray.exe "= "NDSTray.exe" []
    "PD0630 STISvc "= "P0630Pin.dll" [2005-06-05 19:01 36864 C:\WINDOWS\system32\P0630Pin.dll]
    "WrtMon.exe "= "C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 07:35 20480]
    "avast! "= "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224]
    "Sony Ericsson PC Suite "= "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-01-26 13:36 495616]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "WinampAgent "= "C:\Program Files\Winamp\winampa.exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]

    C:\Documents and Settings\Clarabelle\Start Menu\Programs\Startup\
    SDK Tray Menu.lnk - C:\Program Files\Java\jdk1.5.0_14\bin\javaw.exe [2008-02-02 20:23:00 53346]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 04:43:54 11000]
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-06-26 21:53:31 155648]
    Service Manager.lnk - C:\Program Files\MICROSOFT SQL SERVER\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
    backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Clarabelle^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=C:\Documents and Settings\Clarabelle\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    --a------ 2005-08-12 16:43 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    --a------ 2006-11-16 19:04 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CONNECTScheduler]
    C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    --a------ 2006-11-12 12:48 157592 C:\Program Files\DAEMON Tools\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
    --a------ 2006-10-11 11:45 75304 C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    --a------ 2006-09-28 12:16 185896 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]
    C:\Program Files\Macrogaming\SweetIM\SweetIM.exe

    R2 MSSQL$CTSQL;MSSQL$CTSQL;C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Binn\sqlservr.exe [2002-12-17 17:26]
    R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 16:47]
    S2 EQIB;Security Service;C:\WINDOWS\system32\svcd\svchost.exe []
    S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2005-06-06 03:44]
    S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 15:00]
    S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 15:00]
    S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 15:00]
    S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 15:00]
    S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys [2007-02-08 12:55]
    S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys [2007-02-08 12:55]
    S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys [2007-02-08 12:55]
    S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys [2007-02-08 12:56]
    S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys [2007-02-08 12:56]
    S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys [2007-02-08 12:56]
    S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys [2007-02-08 12:56]
    S3 SQLAgent$CTSQL;SQLAgent$CTSQL;C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Binn\sqlagent.EXE [2002-12-17 17:23]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07069350-35f3-11dc-ae5e-00130229faed}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{449b00d2-868a-11da-a583-00a0d1df1b4d}]
    \Shell\AutoRun\command - browser.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99ec8a1d-6352-11dc-aeb5-00130229faed}]
    \Shell\Auto\command - H:\Autorun.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99ec8a1e-6352-11dc-aeb5-00130229faed}]
    \Shell\Auto\command - I:\Autorun.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-19 08:15:09
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-19 8:15:48
    ComboFix-quarantined-files.txt 2008-02-19 06:15:47
    ComboFix2.txt 2008-02-18 06:10:40
    ComboFix3.txt 2008-02-18 06:02:14
    .
    2008-02-14 01:07:41 --- E O F ---
     
  10. 2008/02/19
    clarabelle

    clarabelle Inactive Thread Starter

    And last but not least, the HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:19:27, on 19/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    D:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Binn\sqlservr.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Synaptics\SynTP\Toshiba.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\MICROSOFT SQL SERVER\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Java\jdk1.5.0_14\bin\javaw.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Clarabelle\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
    O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe "
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Startup: SDK Tray Menu.lnk = ?
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\MICROSOFT SQL SERVER\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://clarabele2006.spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Security Service (EQIB) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - D:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

    --
    End of file - 9672 bytes
     
  11. 2008/02/19
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi clarabelle
    OK, things are looking good.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Now let's get an on-line scan.

    Please do an online scan with Kaspersky WebScanner

    Click on "Accept". If your pop-up blocker blocks the ActiveX download, allow it and click on "Accept" again.

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes or Install.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This will start the program and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    How are things running?

    Thanks
    Geri
     
  12. 2008/02/20
    clarabelle

    clarabelle Inactive Thread Starter

    hello there.
    I did the HijackThis scan and everything's okay, but I cannot do the Kaspersky scan because I don't have the Internet Explorer browser; I use Mozilla....
    Now what? Do I have to install it again?
     
  13. 2008/02/20
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi clarabelle
    Are you sure you uninstalled it?

    Look in your Program list.
    Start > All Programs

    I would really like to see an on-line scan. But it is ultimately your choice.

    Geri
     
  14. 2008/02/21
    clarabelle

    clarabelle Inactive Thread Starter

    Okay, good thing I did the scan; it seems I still have problems... here is the result from Kaspersky:
    KASPERSKY ONLINE SCANNER REPORT
    Thursday, February 21, 2008 11:22:14 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 21/02/2008
    Kaspersky Anti-Virus database records: 574609
    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true
    Scan Target My Computer
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    Scan Statistics
    Total number of scanned objects 157909
    Number of viruses found 2
    Number of infected objects 7
    Number of suspicious objects 0
    Duration of the scan process 03:37:44

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\Clarabelle\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Clarabelle\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\history.dat Object is locked skipped
    C:\Documents and Settings\Clarabelle\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\key3.db Object is locked skipped
    C:\Documents and Settings\Clarabelle\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Clarabelle\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\Clarabelle\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\Clarabelle\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\History\History.IE5\MSHist012008022120080222\index.dat Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\Temp\hsperfdata_Clarabelle\2480 Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Clarabelle\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Clarabelle\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\temp\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\temp\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
    C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Data\master.mdf Object is locked skipped
    C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Data\mastlog.ldf Object is locked skipped
    C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Data\model.mdf Object is locked skipped
    C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Data\modellog.ldf Object is locked skipped
    C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Data\tempdb.mdf Object is locked skipped
    C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Data\templog.ldf Object is locked skipped
    C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\LOG\ERRORLOG Object is locked skipped
    C:\QooBox\Quarantine\C\info.exe.vir Infected: Trojan-Proxy.Win32.Fackemo.l skipped
    C:\SDFix\backups\backups.zip/backups/svchost.exe Infected: Trojan-Proxy.Win32.Fackemo.l skipped
    C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
    C:\System Volume Information\_restore{1D66B0B6-AF06-40DB-BDC4-5E827C43D6E6}\RP686\A0191707.sys Infected: Backdoor.Win32.Delf.azr skipped
    C:\System Volume Information\_restore{1D66B0B6-AF06-40DB-BDC4-5E827C43D6E6}\RP686\A0191827.exe Infected: Trojan-Proxy.Win32.Fackemo.l skipped
    C:\System Volume Information\_restore{1D66B0B6-AF06-40DB-BDC4-5E827C43D6E6}\RP686\A0191837.exe Infected: Trojan-Proxy.Win32.Fackemo.l skipped
    C:\System Volume Information\_restore{1D66B0B6-AF06-40DB-BDC4-5E827C43D6E6}\RP687\A0191975.exe Infected: Trojan-Proxy.Win32.Fackemo.l skipped
    C:\System Volume Information\_restore{1D66B0B6-AF06-40DB-BDC4-5E827C43D6E6}\RP688\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
    C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
    C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\hlktmp Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_1dc.dat Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_33c.dat Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_378.dat Object is locked skipped
    C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{1D66B0B6-AF06-40DB-BDC4-5E827C43D6E6}\RP688\change.log Object is locked skipped
    F:\System Volume Information\_restore{1D66B0B6-AF06-40DB-BDC4-5E827C43D6E6}\RP688\change.log Object is locked skipped
    H:\System Volume Information\_restore{1D66B0B6-AF06-40DB-BDC4-5E827C43D6E6}\RP688\change.log Object is locked skipped
    Scan process completed.
     
  15. 2008/02/21
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi clarabelle
    OK, that looks good.

    Please do the following.

    Click Start > Run. In the Run box, copy and paste or type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files/folders it created.

    Delete these.

    This Tool.
    SDFix.exe

    This folder
    C:\SDFix

    Your System Restore is infected, so let's clean that. Follow the instructions here.

    This would be a good time to set a new system restore point for your machine.
    Set New System Restore Point Windows XP. - Set New System Restore Point Windows Vista
    Do not do this unless there are no other user accounts to be diagnosed.

    If there are any other user accounts on this machine, they, too, must be cleaned with AdAware and Spybot S&D. Not all infections are global, nor are all fixes global.
    Log onto that user account, run HJT and save the log, then post the log for each user account here in this thread, but please do only one at a time to avoid confusion. Please let us know that it is a different account.


    If there are no other user accounts, then after doing the above run another Kaspersky scan and make sure you see this...

    Number of viruses found 0
    Number of infected objects 0
    Number of suspicious objects 0

    If anything else then post the log.

    Let me know how things are running.

    Thanks
    Geri
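
As an added example (not from this thread or from any of the tools named in it): a small Python triage script for the Kaspersky Online Scanner report format posted above. It separates detections sitting in XP restore points and in removal-tool quarantine folders from anything still live, and mirrors the clean-up order given in the reply above. The constructed sample report, the regexes and the folder list are my assumptions, built from the logs in this thread.

```python
import re

# Constructed sample in the Kaspersky Online Scanner 5.x report layout seen in
# this thread; the paths and detection names are copied from the posted logs.
SAMPLE_REPORT = r"""
Scan Statistics:
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\QooBox\Quarantine\C\info.exe.vir Infected: Trojan-Proxy.Win32.Fackemo.l skipped
C:\SDFix\backups\backups.zip/backups/svchost.exe Infected: Trojan-Proxy.Win32.Fackemo.l skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{1D66B0B6-AF06-40DB-BDC4-5E827C43D6E6}\RP686\A0191707.sys Infected: Backdoor.Win32.Delf.azr skipped
C:\System Volume Information\_restore{1D66B0B6-AF06-40DB-BDC4-5E827C43D6E6}\RP687\A0191975.exe Infected: Trojan-Proxy.Win32.Fackemo.l skipped
Scan process completed.
"""

# One pattern per report-line shape: a detection, an infected archive
# container, a file the scanner could not open, and a statistics counter.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) \w+$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<kind>[A-Z0-9]+): infected - (?P<n>\d+) \w+$")
LOCKED_RE = re.compile(r"^.+ Object is locked \w+$")
STAT_RE = re.compile(r"^Number of (viruses found|infected objects|suspicious objects): (\d+)$")
# XP restore-point store: files here are stale copies, flushed by cycling System Restore.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\", re.I)
# Quarantine/backup folders of the removal tools used earlier in this thread (assumed list).
TOOL_DIRS = ("\\qoobox\\quarantine\\", "\\sdfix\\backups\\")

def locate(path):
    """Classify where a detection sits; only 'live' means code that could still run."""
    if RESTORE_RE.search(path):
        return "restore_point"
    if any(d in path.lower() for d in TOOL_DIRS):
        return "tool_quarantine"
    return "live"

def parse_report(text):
    """Return (counters, [(path, detection, location)], locked_count)."""
    stats, findings, locked = {}, [], 0
    for line in (l.strip() for l in text.splitlines()):
        if m := STAT_RE.match(line):
            stats[m.group(1)] = int(m.group(2))
        elif LOCKED_RE.match(line):
            locked += 1
        elif m := INFECTED_RE.match(line):
            findings.append((m["path"], m["name"], locate(m["path"])))
        elif m := ARCHIVE_RE.match(line):
            findings.append((m["path"], f"{m['kind']} archive, {m['n']} infected", locate(m["path"])))
    return stats, findings, locked

def triage(text):
    """Summarise a report the way the helper in this thread reads it."""
    stats, findings, locked = parse_report(text)
    where = {k: [p for p, _, loc in findings if loc == k]
             for k in ("live", "tool_quarantine", "restore_point")}
    counters_zero = all(stats.get(k, 0) == 0 for k in
                        ("viruses found", "infected objects", "suspicious objects"))
    actions = []
    if where["live"]:
        actions.append("live detections remain: post the log before any cleanup")
    if where["tool_quarantine"]:
        actions.append("uninstall ComboFix (ComboFix /u) and delete the SDFix folder")
    if where["restore_point"]:
        actions.append("turn System Restore off and back on, then set a new restore point")
    if actions:
        actions.append("rescan and confirm all three counters read 0")
    return {"counters_zero": counters_zero, "locked_skipped": locked,
            "clean": counters_zero and not findings, **where, "actions": actions}
```

"Object is locked skipped" entries are counted but never treated as detections, since they only mean the scanner could not open a file that Windows had in use.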
     
  16. 2008/02/22
    clarabelle

    clarabelle Inactive Thread Starter

    Joined:
    2008/02/17
    Messages:
    24
    Likes Received:
    0
    Good morning,
    you said my System Restore is infected and I should fix it. The link you sent me describes how to turn on the System Restore function, which was on anyway, so I only set a new System Restore point, but is that enough? I thought I had to scan or delete something, because now the point I set was made with my hard drive still infected.
    Btw, there are no other accounts, it's just me :)
    I think I should say here that I still have the javaw.exe thing asking me to End Now the task when I want to shut down my laptop (or is this something unrelated to the virus I have?)
     
  17. 2008/02/22
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi clarabelle

    System restore needs to be turned off then on. Here's how...

    To turn off Windows XP System Restore:
    NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    8. Restart the computer and follow the instructions in the next section to turn on System Restore.

    To turn on Windows XP System Restore:
    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives".
    5. Click Apply, and then click OK.
    6. Make a new restore point.
    7. Click Start, All Programs, Accessories, System Tools, System Restore.
    Choose Create a restore point and click Next. Under "Type a description for your restore point" put a name in the box. Click Create. In the next window click Close.


    Let's update your Java.

    Updating Java and Clearing Cache
    1. Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
    2. It will say "Java Plug-in" under the icon.
      Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
    3. If you are unable to update you can manually update by going here:
    4. After the reboot, go back into the Control Panel and double-click the Java Icon.
    5. On the General tab, at the bottom, it has "Temporary Internet Files".
    6. Click the Settings button, then the Delete Files button.
    7. There are two options in the window to clear the cache. Leave both checked:

      • Applications and Applets
      • Trace and Log files
    8. Click OK
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    9. Click OK to leave the Java Control Panel.
    10. Delete older versions from Add/Remove list.

    Let me know if this helped.

    Geri
     
  18. 2008/02/26
    clarabelle

    clarabelle Inactive Thread Starter

    Joined:
    2008/02/17
    Messages:
    24
    Likes Received:
    0
    OK, I set the restore point, thanks for that.
    I tried to update my Java, but it said no available updates at the moment.
    I checked the Add/Remove list to look for older versions, and there I had a problem...:)
    I have listed there the following:
    J2SE Development Kit 5.0 Update 14
    J2SE Runtime Environment 5.0 Update 14
    Java Platform Enterprise Edition 5 SDK
    Java 6 Update 3
    So which ones should I remove? Keep in mind I use the Intalio Designer software and Architecture 2008 and 3D Studio Max 10, so I wouldn't want them to stop working properly (though I'm not too sure if they have anything to do with it, aside from the Intalio Designer).

    so what do you think?
     
  19. 2008/02/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi clarabelle
    OK, well I'm not sure about those programs, so let's leave them. If you get updates for them, make sure you delete the older version.

    No this is not a virus problem.

    I would post this in the "Other Software" section here at BBS; someone there may have a better idea than I would, because of the programs you have.
    Make sure you post these in your reply so they know what to look for:
    Intalio Designer software and Architecture 2008 and 3D Studio Max 10.

    How did the Kaspersky scan turn out?

    Is everything running OK, if so we'll finish up.

    Geri
     
  20. 2008/02/27
    clarabelle

    clarabelle Inactive Thread Starter

    Joined:
    2008/02/17
    Messages:
    24
    Likes Received:
    0
    It said there is no malware, but just to be sure, check out the log and let me know.
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Wednesday, February 27, 2008 6:40:42 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 27/02/2008
    Kaspersky Anti-Virus database records: 583839
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\

    Scan Statistics:
    Total number of scanned objects: 145217
    Number of viruses found: 0
    Number of infected objects: 0
    Number of suspicious objects: 0
    Duration of the scan process: 03:18:41

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\Clarabelle\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Clarabelle\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\history.dat Object is locked skipped
    C:\Documents and Settings\Clarabelle\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\key3.db Object is locked skipped
    C:\Documents and Settings\Clarabelle\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Clarabelle\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\Clarabelle\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\Clarabelle\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\Application Data\Mozilla\Firefox\Profiles\u2rwvkos.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\History\History.IE5\MSHist012008022720080228\index.dat Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\Temp\hsperfdata_Clarabelle\2928 Object is locked skipped
    C:\Documents and Settings\Clarabelle\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Clarabelle\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Clarabelle\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\temp\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\temp\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
    C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Data\master.mdf Object is locked skipped
    C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Data\mastlog.ldf Object is locked skipped
    C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Data\model.mdf Object is locked skipped
    C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Data\modellog.ldf Object is locked skipped
    C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Data\tempdb.mdf Object is locked skipped
    C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\Data\templog.ldf Object is locked skipped
    C:\Program Files\MICROSOFT SQL SERVER\MSSQL$CTSQL\LOG\ERRORLOG Object is locked skipped
    C:\System Volume Information\_restore{1D66B0B6-AF06-40DB-BDC4-5E827C43D6E6}\RP696\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
    C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
    C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\hlktmp Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_2d4.dat Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_378.dat Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_6e4.dat Object is locked skipped
    C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.
     
  21. 2008/02/27
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi clarabelle

    Perfect ! Your system is clean. Good Job. :)

    Please look at this link for some preventive recommendations. It could keep you from ending up back here in the Spyware and Virus Removal Forums.
    http://www.windowsbbs.com/showthread.php?t=67958

    Let me know if everything is working OK, and I'll mark this one resolved.

    Please post your Java problem in the "Other Software" forum. Give them details on what the window says and when it happens; there are good people over there who could help you with it.
    Let them know that you were here and your system is clean.

    Here is some info on javaw.exe

    Processlibrary.com
    http://www.processlibrary.com/directory/?files=javaw.exe

    javaw.exe is a process by Sun Microsystems which gives functionality to this Internet protocol. Often works together with Internet Explorer. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.

    Answers That Work.
    http://www.answersthatwork.com/

    Part of Sun’s Java for Windows.
    Recommendation :
    Leave alone – Sun’s Java is used by all Internet browsers (Netscape, Internet Explorer, Mozilla, Opera) and is essential to their ability to display many websites.

    This is why I just did not have you stop it from starting at boot up. They may have other ideas or opinions.

    Surf Safely
    Geri
     
