I know I have a rootkit somewhere
Lisentia Member Joined: 18 May 2008 Posts: 9 Points: 0
Posted: Sun 05/18/2008 5:22pm [Post #1 ]
Hey guys.
Been through all the steps and scanned with Panda and Housecall, used SuperANTISpyware, Malwarebytes. I've tried to install all critical updates for Windows but not all of them can or do finish. I get an error with a majority of them stating that this update could not be installed. Not only that but in My Computer in normal mode C:\ is denoted by a large red X, but is the normal HD icon in Safe Mode. Thank you in advance for any and all assistance you are able to render.
I've already used SDFix and Combofix as well. The logs will follow starting with my Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:11 PM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\ULI5289\ALi5289.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\UniUploader\UniUploader.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Temp\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adultfriendfinder.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {3036b85a-b92a-06cb-45d4-320f08a2af98} - {89fa2a80-f023-4d54-bc60-a29ba58b6303} - C:\WINDOWS\system32\vnseayye.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Mega Manager\MegaIEMn.dll
O4 - HKLM\..\Run: [ALi5289] C:\Program Files\ULI5289\ALi5289.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UniUploader] C:\Program Files\UniUploader\UniUploader.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149325762468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149325756921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC55D340-C93A-45A8-A4B1-DA69084CEB7D}: NameServer = 216.144.193.115,216.144.204.141
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7359 bytes
SDFix Log:
SDFix: Version 1.183
Run by Administrator on Sun 05/18/2008 at 02:46 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 14:57:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:dc,76,82,eb,00,3b,d6,78,49,5d,6c,be,b9,71,d7,b8,9b,78,c9,5d,bf,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c2,5e,19,8f,eb,55,b1,72,86,7a,3c,db,e2,3e,00,22,74,..
"khjeh"=hex:3f,4b,f0,03,39,27,6b,49,fe,67,45,5a,29,5c,ef,21,6a,07,a1,20,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c1,42,9c,76,0b,56,92,8e,30,c0,c9,a0,a7,4d,ff,3d,ca,f2,cf,45,fc,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:dc,76,82,eb,00,3b,d6,78,49,5d,6c,be,b9,71,d7,b8,9b,78,c9,5d,bf,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c2,5e,19,8f,eb,55,b1,72,86,7a,3c,db,e2,3e,00,22,74,..
"khjeh"=hex:3f,4b,f0,03,39,27,6b,49,fe,67,45,5a,29,5c,ef,21,6a,07,a1,20,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:cb,47,eb,14,d2,60,33,5b,d0,f3,bd,af,9f,e4,d4,7e,ad,69,be,74,9f,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:dc,76,82,eb,00,3b,d6,78,49,5d,6c,be,b9,71,d7,b8,9b,78,c9,5d,bf,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c2,5e,19,8f,eb,55,b1,72,86,7a,3c,db,e2,3e,00,22,74,..
"khjeh"=hex:3f,4b,f0,03,39,27,6b,49,fe,67,45,5a,29,5c,ef,21,6a,07,a1,20,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c1,42,9c,76,0b,56,92,8e,30,c0,c9,a0,a7,4d,ff,3d,ca,f2,cf,45,fc,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:d1718c72
"s1"=dword:dfdef000
"s2"=dword:e2038433
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:dc,76,82,eb,00,3b,d6,78,49,5d,6c,be,b9,71,d7,b8,9b,78,c9,5d,bf,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c2,5e,19,8f,eb,55,b1,72,86,7a,3c,db,e2,3e,00,22,74,..
"khjeh"=hex:3f,4b,f0,03,39,27,6b,49,fe,67,45,5a,29,5c,ef,21,6a,07,a1,20,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c1,42,9c,76,0b,56,92,8e,30,c0,c9,a0,a7,4d,ff,3d,ca,f2,cf,45,fc,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:dc,76,82,eb,00,3b,d6,78,49,5d,6c,be,b9,71,d7,b8,9b,78,c9,5d,bf,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c2,5e,19,8f,eb,55,b1,72,86,7a,3c,db,e2,3e,00,22,74,..
"khjeh"=hex:3f,4b,f0,03,39,27,6b,49,fe,67,45,5a,29,5c,ef,21,6a,07,a1,20,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c1,42,9c,76,0b,56,92,8e,30,c0,c9,a0,a7,4d,ff,3d,ca,f2,cf,45,fc,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:dc,76,82,eb,00,3b,d6,78,49,5d,6c,be,b9,71,d7,b8,9b,78,c9,5d,bf,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c2,5e,19,8f,eb,55,b1,72,86,7a,3c,db,e2,3e,00,22,74,..
"khjeh"=hex:3f,4b,f0,03,39,27,6b,49,fe,67,45,5a,29,5c,ef,21,6a,07,a1,20,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c1,42,9c,76,0b,56,92,8e,30,c0,c9,a0,a7,4d,ff,3d,ca,f2,cf,45,fc,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:dc,76,82,eb,00,3b,d6,78,49,5d,6c,be,b9,71,d7,b8,9b,78,c9,5d,bf,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c2,5e,19,8f,eb,55,b1,72,86,7a,3c,db,e2,3e,00,22,74,..
"khjeh"=hex:3f,4b,f0,03,39,27,6b,49,fe,67,45,5a,29,5c,ef,21,6a,07,a1,20,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c1,42,9c,76,0b,56,92,8e,30,c0,c9,a0,a7,4d,ff,3d,ca,f2,cf,45,fc,..
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Spacial Audio\\SAMBC.exe"="C:\\Program Files\\Spacial Audio\\SAMBC.exe:*:Enabled:SAMBC"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Outlook Express\\msimn.exe"="C:\\Program Files\\Outlook Express\\msimn.exe:*:Enabled:msimn.exe"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\ABC\\abc.exe"="C:\\Program Files\\ABC\\abc.exe:*:Enabled:abc"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\SHOUTcast\\sc_serv.exe"="C:\\Program Files\\SHOUTcast\\sc_serv.exe:*:Enabled:sc_serv"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Skype\\Skype.exe"="C:\\Program Files\\Skype\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Dungeons & Dragons Online\\dndclient.exe"="C:\\Program Files\\Dungeons & Dragons Online\\dndclient.exe:*:Enabled:dndclient"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Fri 12 May 2006 22,487 A..H. --- "C:\Program Files\WS_FTP Pro\wsftpgui.exe-CommandBars"
Sat 17 Feb 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 31 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 5 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT6.tmp"
Mon 29 May 2006 2,668 A..H. --- "C:\Program Files\Adobe\Photoshop 7.0\Plug-Ins\Adobe Photoshop Only\KPT6\MetaImage.dll"
Finished!
Combofix log:
ComboFix 08-05-15.3 - Layna 2008-05-18 14:07:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.499 [GMT -7:00]
Running from: C:\Temp\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Layna\Application Data\DOBE~1
C:\Documents and Settings\Layna\Application Data\PPATCH~1
C:\Documents and Settings\Layna\Application Data\PPATCH~1\??pPatch\
C:\WINDOWS\system32\ikypljnr.ini
C:\WINDOWS\system32\install.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DOMAINSERVICE
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.
2008-05-18 14:05 . 2008-05-18 14:05 1,916,951 --a------ C:\Temp\ComboFix.exe
2008-05-18 12:58 . 2008-05-18 12:58 d-------- C:\WINDOWS\system32\en
2008-05-18 12:51 . 2008-05-18 12:51 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-18 11:25 . 2008-05-18 13:15 d-------- C:\WINDOWS\system32\scripting
2008-05-18 11:25 . 2008-05-18 13:14 d-------- C:\WINDOWS\l2schemas
2008-05-18 11:15 . 2008-05-18 13:52 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-05-18 11:11 . 2004-08-04 03:00 4,190,352 --a------ C:\WINDOWS\system32\dllcache\luna.mst
2008-05-18 11:10 . 2007-04-18 09:12 2,854,400 --a--c--- C:\WINDOWS\system32\dllcache\msi.dll
2008-05-18 11:09 . 2007-10-25 20:36 8,454,656 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-05-18 11:08 . 2007-02-28 02:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-05-18 10:53 . 2006-12-28 12:01 19,569 --a------ C:\WINDOWS\003036_.tmp
2008-05-18 01:05 . 2008-05-18 12:51 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-18 01:05 . 2008-05-18 01:05 d-------- C:\Documents and Settings\Layna\Application Data\SUPERAntiSpyware.com
2008-05-18 00:56 . 2008-05-18 00:56 401,720 --a------ C:\Temp\HiJackThis.exe
2008-05-18 00:55 . 2008-05-18 12:48 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-18 00:55 . 2008-05-18 00:55 d-------- C:\Documents and Settings\Layna\Application Data\Malwarebytes
2008-05-18 00:55 . 2008-05-18 00:55 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-18 00:55 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-18 00:55 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-18 00:53 . 2008-05-18 00:53 6,342,680 --a------ C:\Temp\SUPERAntiSpyware.exe
2008-05-18 00:53 . 2008-05-18 00:53 1,649,976 --a------ C:\Temp\mbam-setup.exe
2008-05-17 23:36 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-16 21:47 . 2008-05-18 12:49 d-------- C:\Documents and Settings\Layna\.housecall6.6
2008-05-16 20:30 . 2008-05-16 20:30 d-------- C:\Program Files\Panda Security
2008-05-15 17:15 . 2008-05-16 08:53 d-------- C:\Program Files\Windows Live Safety Center
2008-05-14 19:08 . 2008-05-14 19:39 d-------- C:\Program Files\UniUploader
2008-05-13 20:54 . 2008-05-18 13:52 d--h----- C:\WINDOWS\$hf_mig$
2008-05-09 20:39 . 2008-05-09 20:39 d-------- C:\Program Files\Ventrilo
2008-05-09 20:39 . 2008-05-18 12:16 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-09 20:38 . 2008-05-09 20:38 2,732,032 --a------ C:\Temp\ventrilo-3.0.1-Windows-i386.exe
2008-04-22 20:07 . 2008-04-22 20:07 d-------- C:\Documents and Settings\Layna\Application Data\Move Networks
2008-04-19 03:39 . 2008-04-28 22:05 d-------- C:\Program Files\Dungeons & Dragons Online
2008-04-19 02:57 . 2008-04-19 03:39 d-------- C:\Documents and Settings\Layna\Application Data\GetRightToGo
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 19:51 --------- d-----w C:\Program Files\AVG Anti-Spyware 7.5
2008-05-18 19:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-18 19:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-18 19:50 --------- d-----w C:\Documents and Settings\Administrator.RU2K5-TQXDZZOCD\Application Data\Lavasoft
2008-05-18 19:49 --------- d-----w C:\Program Files\Anarchy Online
2008-05-15 02:39 --------- d-----w C:\Program Files\World of Warcraft
2008-04-26 22:49 --------- d-----w C:\Program Files\MishBuddy
2008-04-24 08:47 --------- d-----w C:\Program Files\Paint Shop Pro 7
2008-04-21 03:21 --------- d-----w C:\Program Files\ClamWin
2008-04-14 00:12 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
2008-04-13 10:46 --------- d-----w C:\Program Files\SecondLife
2008-04-01 04:00 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-01 04:00 --------- d-----w C:\Program Files\Windows Live
2008-04-01 04:00 --------- d-----w C:\Program Files\MSN Messenger
2008-04-01 03:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-21 03:56 32 -c--a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-18 09:24 286,720 ----a-w C:\WINDOWS\iun507.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89fa2a80-f023-4d54-bc60-a29ba58b6303}]
C:\WINDOWS\system32\vnseayye.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17 442368 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17 442368 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17 442368 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17 442368 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17 442368 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17 442368 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17 442368 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 14:22 3739648]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" [2003-08-12 13:48 131072]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22 4670968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALi5289"="C:\Program Files\ULI5289\ALi5289.exe" [2005-03-10 14:56 405504]
"POINTER"="point32.exe" []
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2008-04-19 16:35 77824]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-03-12 22:58 7630848]
"UniUploader"="C:\Program Files\UniUploader\UniUploader.exe" [2007-06-26 14:53 454656]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\28ba92cf]
C:\WINDOWS\system32\tfmejgfp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 03:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
-r------- 2006-05-04 01:26 2808832 C:\WINDOWS\alcwzrd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
--a------ 2003-08-12 13:48 131072 C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a--c--- 2003-09-17 10:43 57344 C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-11-08 15:00 128920 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
C:\Program Files\Diskeeper\DkIcon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2007-03-05 13:57 1103480 C:\Program Files\IGN\Download Manager\dlm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lhshystz]
C:\Documents and Settings\Layna\Application Data\?dobe\l?backside.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
C:\Program Files\ICQ\ICQ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 02:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-03-12 22:58 7630848 C:\WINDOWS\system32\NvCpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-03-12 22:58 86016 C:\WINDOWS\system32\NvMcTray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-03-12 22:58 1519616 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Onde]
C:\DOCUME~1\Layna\APPLIC~1\PPATCH~1\msdtc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 20:38 64512 C:\WINDOWS\system32\P17.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule10]
C:\Program Files\QdrModule\QdrModule10.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-09-01 16:57 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-12-18 20:12 16062464 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu72.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-r------- 2006-07-21 01:14 86016 C:\WINDOWS\SoundMan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-04-13 03:48 36975 C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
--a------ 2007-09-09 10:31 1046688 C:\Program Files\TrojanHunter 5.0\THGuard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a--c--- 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--a------ 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2003-12-01 11:38 892928 C:\Program Files\Logitech\iTouch\iTouch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Spacial Audio\\SAMBC.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Outlook Express\\msimn.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\ABC\\abc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\SHOUTcast\\sc_serv.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Skype\\Skype.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Dungeons & Dragons Online\\dndclient.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6994:TCP"= 6994:TCP:1
"2104:TCP"= 2104:TCP:2
"2106:TCP"= 2106:TCP:3
"3724:TCP"= 3724:TCP:4
"6112:TCP"= 6112:TCP:5
R0 m5289;m5289;C:\WINDOWS\system32\drivers\m5289.sys [2004-12-01 10:49]
R0 uliagpkx;ULi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\agpkx.sys [2004-07-08 15:58]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 04:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 04:39]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe [2004-12-13 01:05]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe [2004-12-13 01:05]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;C:\Program Files\VMLaunch\BuddyVM.sys []
S2 ALIEHCD;ULi PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ALIEHCI.sys [2005-02-21 15:09]
S3 aliroothub;USB 2.0 Root Hub;C:\WINDOWS\system32\DRIVERS\AliRtHub.sys [2005-02-21 15:12]
S3 PciCon;PciCon;D:\PciCon.sys []
S3 ULI5261;ULi Based Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN.SYS [2004-12-31 15:24]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43b2dbcd-f9bd-11da-97fa-0015f2c26ab5}]
\Shell\AutoRun\command - D:\JDSecure\Windows\JDSecure20.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-18 21:16:46 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
******************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 14:14:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
******************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
******************************************************************************
.
Completion time: 2008-05-18 14:25:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-18 21:24:32
Pre-Run: 26,928,173,056 bytes free
Post-Run: 26,845,315,072 bytes free
290 --- E O F --- 2008-05-16 00:13:22
evilfantasy Spyware Fighter Joined: 18 Jan 2008 Posts: 31 Points: 10 Location: Tulsa, OK
Posted: Mon 05/19/2008 12:21pm [Post #2 ]
Why is everything running from a Temp folder?
The directions explicitly say to not do that.
_________________sǝƃɐd slıʌǝ
Lisentia Member Joined: 18 May 2008 Posts: 9 Points: 0
Posted: Mon 05/19/2008 8:25pm [Post #3 ]
Better? Not really sure what the difference would be. I just prefer to keep a nice tidy desktop.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:54 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\ULI5289\ALi5289.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\UniUploader\UniUploader.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Layna\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adultfriendfinder.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {3036b85a-b92a-06cb-45d4-320f08a2af98} - {89fa2a80-f023-4d54-bc60-a29ba58b6303} - C:\WINDOWS\system32\vnseayye.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Mega Manager\MegaIEMn.dll
O4 - HKLM\..\Run: [ALi5289] C:\Program Files\ULI5289\ALi5289.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UniUploader] C:\Program Files\UniUploader\UniUploader.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149325762468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149325756921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC55D340-C93A-45A8-A4B1-DA69084CEB7D}: NameServer = 216.144.193.115,216.144.204.141
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7391 bytes
SDFix log:
SDFix: Version 1.183
Run by Administrator on Sun 05/18/2008 at 02:46 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 14:57:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:dc,76,82,eb,00,3b,d6,78,49,5d,6c,be,b9,71,d7,b8,9b,78,c9,5d,bf,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c2,5e,19,8f,eb,55,b1,72,86,7a,3c,db,e2,3e,00,22,74,..
"khjeh"=hex:3f,4b,f0,03,39,27,6b,49,fe,67,45,5a,29,5c,ef,21,6a,07,a1,20,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c1,42,9c,76,0b,56,92,8e,30,c0,c9,a0,a7,4d,ff,3d,ca,f2,cf,45,fc,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:dc,76,82,eb,00,3b,d6,78,49,5d,6c,be,b9,71,d7,b8,9b,78,c9,5d,bf,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c2,5e,19,8f,eb,55,b1,72,86,7a,3c,db,e2,3e,00,22,74,..
"khjeh"=hex:3f,4b,f0,03,39,27,6b,49,fe,67,45,5a,29,5c,ef,21,6a,07,a1,20,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:cb,47,eb,14,d2,60,33,5b,d0,f3,bd,af,9f,e4,d4,7e,ad,69,be,74,9f,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:dc,76,82,eb,00,3b,d6,78,49,5d,6c,be,b9,71,d7,b8,9b,78,c9,5d,bf,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c2,5e,19,8f,eb,55,b1,72,86,7a,3c,db,e2,3e,00,22,74,..
"khjeh"=hex:3f,4b,f0,03,39,27,6b,49,fe,67,45,5a,29,5c,ef,21,6a,07,a1,20,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c1,42,9c,76,0b,56,92,8e,30,c0,c9,a0,a7,4d,ff,3d,ca,f2,cf,45,fc,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:d1718c72
"s1"=dword:dfdef000
"s2"=dword:e2038433
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:dc,76,82,eb,00,3b,d6,78,49,5d,6c,be,b9,71,d7,b8,9b,78,c9,5d,bf,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c2,5e,19,8f,eb,55,b1,72,86,7a,3c,db,e2,3e,00,22,74,..
"khjeh"=hex:3f,4b,f0,03,39,27,6b,49,fe,67,45,5a,29,5c,ef,21,6a,07,a1,20,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c1,42,9c,76,0b,56,92,8e,30,c0,c9,a0,a7,4d,ff,3d,ca,f2,cf,45,fc,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:dc,76,82,eb,00,3b,d6,78,49,5d,6c,be,b9,71,d7,b8,9b,78,c9,5d,bf,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c2,5e,19,8f,eb,55,b1,72,86,7a,3c,db,e2,3e,00,22,74,..
"khjeh"=hex:3f,4b,f0,03,39,27,6b,49,fe,67,45,5a,29,5c,ef,21,6a,07,a1,20,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c1,42,9c,76,0b,56,92,8e,30,c0,c9,a0,a7,4d,ff,3d,ca,f2,cf,45,fc,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:dc,76,82,eb,00,3b,d6,78,49,5d,6c,be,b9,71,d7,b8,9b,78,c9,5d,bf,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c2,5e,19,8f,eb,55,b1,72,86,7a,3c,db,e2,3e,00,22,74,..
"khjeh"=hex:3f,4b,f0,03,39,27,6b,49,fe,67,45,5a,29,5c,ef,21,6a,07,a1,20,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c1,42,9c,76,0b,56,92,8e,30,c0,c9,a0,a7,4d,ff,3d,ca,f2,cf,45,fc,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:dc,76,82,eb,00,3b,d6,78,49,5d,6c,be,b9,71,d7,b8,9b,78,c9,5d,bf,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c2,5e,19,8f,eb,55,b1,72,86,7a,3c,db,e2,3e,00,22,74,..
"khjeh"=hex:3f,4b,f0,03,39,27,6b,49,fe,67,45,5a,29,5c,ef,21,6a,07,a1,20,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c1,42,9c,76,0b,56,92,8e,30,c0,c9,a0,a7,4d,ff,3d,ca,f2,cf,45,fc,..
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Spacial Audio\\SAMBC.exe"="C:\\Program Files\\Spacial Audio\\SAMBC.exe:*:Enabled:SAMBC"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Outlook Express\\msimn.exe"="C:\\Program Files\\Outlook Express\\msimn.exe:*:Enabled:msimn.exe"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\ABC\\abc.exe"="C:\\Program Files\\ABC\\abc.exe:*:Enabled:abc"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\SHOUTcast\\sc_serv.exe"="C:\\Program Files\\SHOUTcast\\sc_serv.exe:*:Enabled:sc_serv"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Skype\\Skype.exe"="C:\\Program Files\\Skype\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Dungeons & Dragons Online\\dndclient.exe"="C:\\Program Files\\Dungeons & Dragons Online\\dndclient.exe:*:Enabled:dndclient"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Fri 12 May 2006 22,487 A..H. --- "C:\Program Files\WS_FTP Pro\wsftpgui.exe-CommandBars"
Sat 17 Feb 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 31 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 5 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT6.tmp"
Mon 29 May 2006 2,668 A..H. --- "C:\Program Files\Adobe\Photoshop 7.0\Plug-Ins\Adobe Photoshop Only\KPT6\MetaImage.dll"
Finished!
I'll add Combofix as soon as it's done.
evilfantasy Spyware Fighter Joined: 18 Jan 2008 Posts: 31 Points: 10 Location: Tulsa, OK
Posted: Mon 05/19/2008 8:40pm [Post #4 ]
It's important because there are certain steps that call for the program (combofix) to be on the desktop. Hijackthis makes backups of what is deleted and without it installed properly those backups can easily be lost.
What antivirus do you use?
Open Hijackthis and select Do a system scan only.
Place a check mark next to the following entries: (if there)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: {3036b85a-b92a-06cb-45d4-320f08a2af98} - {89fa2a80-f023-4d54-bc60-a29ba58b6303} - C:\WINDOWS\system32\vnseayye.dll (file missing)
Important: Close all windows except for Hijackthis and then click Fix checked.
Exit Hijackthis.
----------
I don't see any malware in the log, just the 2 empty entries that needed fixing.
_________________sǝƃɐd slıʌǝ
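The two things the helpers in this thread look for by eye, registered components whose file no longer exists (the two O2 entries marked for fixing above) and programs autostarting from a user profile or temp folder (the question in post #2), can be checked mechanically over a HijackThis-style log. The following triage script is an added example, not code from this thread or from HijackThis; the sample lines are copied from the log posted above, except the `[Onde]` O4 line, which is constructed in HijackThis format from the msconfig `startupreg\Onde` entry in the earlier ComboFix output. The `Finding` class, the `triage` function and the path heuristics are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample. All lines except the "[Onde]" one are copied from the
# HijackThis log in this thread; the "[Onde]" O4 line is constructed from the
# msconfig startupreg entry in the ComboFix output and is not from HijackThis.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {3036b85a-b92a-06cb-45d4-320f08a2af98} - {89fa2a80-f023-4d54-bc60-a29ba58b6303} - C:\WINDOWS\system32\vnseayye.dll (file missing)
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Onde] C:\DOCUME~1\Layna\APPLIC~1\PPATCH~1\msdtc.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
"""

# A HijackThis entry is "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# HijackThis marks a registered component whose file is gone with one of these.
MISSING_MARKERS = ("(no file)", "(file missing)")

# First Windows path ending in a loadable module, with or without quotes.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll|sys|ocx|cpl))', re.IGNORECASE)

# Autostarts from a user profile's Application Data / Local Settings (long or
# 8.3 names) or from a Temp folder. Legitimate software rarely lives there, so
# such entries deserve a second look; this is a heuristic, not a verdict.
PROFILE_DIRS = re.compile(
    r"\\(Documents and Settings|DOCUME~1)\\[^\\]+\\"
    r"(Application Data|APPLIC~1|Local Settings|LOCALS~1)\\"
    r"|\\Temp\\",
    re.IGNORECASE,
)

REASON_ORPHAN = "orphaned entry: the registered file no longer exists"
REASON_PROFILE = "autostart from user-profile or temp location"


@dataclass
class Finding:
    kind: str            # HijackThis section, e.g. "O2", "O4", "O23"
    line: str            # the full log line
    path: Optional[str]  # extracted module path, if any
    reasons: List[str]   # why the line was flagged


def triage(log_text: str) -> List[Finding]:
    """Return the entries of a HijackThis-style log that merit review."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, process lists and blank lines are skipped
        kind, body = m.groups()
        reasons: List[str] = []
        if any(marker in body for marker in MISSING_MARKERS):
            reasons.append(REASON_ORPHAN)
        pm = PATH_RE.search(body)
        path = pm.group(1) if pm else None
        if path and PROFILE_DIRS.search(path):
            reasons.append(REASON_PROFILE)
        if reasons:
            findings.append(Finding(kind, line, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {'; '.join(f.reasons)}")
        print(f"      {f.line}")
```

Orphaned entries are dead weight rather than active malware (the thread's helper says as much), but they are the residue of something that was once loaded, so the flag is a prompt to look at what removed the file, not just to delete the key. The profile-path heuristic will also flag legitimate per-user installers, so treat a hit as a reason to check the file's publisher and hash rather than as a conviction.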
Lisentia Member Joined: 18 May 2008 Posts: 9 Points: 0
Posted: Mon 05/19/2008 8:49pm [Post #5 ]
Combofix log:
ComboFix 08-05-15.3 - Layna 2008-05-19 18:26:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.494 [GMT -7:00]
Running from: C:\Documents and Settings\Layna\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.
2008-05-18 14:40 . 2008-05-18 14:40 d-------- C:\WINDOWS\ERUNT
2008-05-18 14:33 . 2008-05-18 15:03 d-------- C:\SDFix
2008-05-18 12:58 . 2008-05-18 12:58 d-------- C:\WINDOWS\system32\en
2008-05-18 12:51 . 2008-05-18 12:51 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-18 11:25 . 2008-05-18 13:15 d-------- C:\WINDOWS\system32\scripting
2008-05-18 11:25 . 2008-05-18 13:14 d-------- C:\WINDOWS\l2schemas
2008-05-18 11:15 . 2008-05-18 13:52 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-05-18 11:11 . 2004-08-04 03:00 4,190,352 --a------ C:\WINDOWS\system32\dllcache\luna.mst
2008-05-18 11:10 . 2007-04-18 09:12 2,854,400 --a--c--- C:\WINDOWS\system32\dllcache\msi.dll
2008-05-18 11:09 . 2007-10-25 20:36 8,454,656 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-05-18 11:08 . 2007-02-28 02:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-05-18 10:53 . 2006-12-28 12:01 19,569 --a------ C:\WINDOWS\003036_.tmp
2008-05-18 01:05 . 2008-05-18 12:51 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-18 01:05 . 2008-05-18 01:05 d-------- C:\Documents and Settings\Layna\Application Data\SUPERAntiSpyware.com
2008-05-18 00:55 . 2008-05-18 12:48 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-18 00:55 . 2008-05-18 00:55 d-------- C:\Documents and Settings\Layna\Application Data\Malwarebytes
2008-05-18 00:55 . 2008-05-18 00:55 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-18 00:55 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-18 00:55 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-18 00:53 . 2008-05-18 00:53 6,342,680 --a------ C:\Temp\SUPERAntiSpyware.exe
2008-05-18 00:53 . 2008-05-18 00:53 1,649,976 --a------ C:\Temp\mbam-setup.exe
2008-05-17 23:36 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-16 21:47 . 2008-05-18 12:49 d-------- C:\Documents and Settings\Layna\.housecall6.6
2008-05-16 20:30 . 2008-05-16 20:30 d-------- C:\Program Files\Panda Security
2008-05-15 17:15 . 2008-05-16 08:53 d-------- C:\Program Files\Windows Live Safety Center
2008-05-14 19:08 . 2008-05-14 19:39 d-------- C:\Program Files\UniUploader
2008-05-13 20:54 . 2008-05-18 13:52 d--h----- C:\WINDOWS\$hf_mig$
2008-05-09 20:39 . 2008-05-09 20:39 d-------- C:\Program Files\Ventrilo
2008-05-09 20:39 . 2008-05-18 12:16 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-09 20:38 . 2008-05-09 20:38 2,732,032 --a------ C:\Temp\ventrilo-3.0.1-Windows-i386.exe
2008-04-22 20:07 . 2008-04-22 20:07 d-------- C:\Documents and Settings\Layna\Application Data\Move Networks
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 19:51 --------- d-----w C:\Program Files\AVG Anti-Spyware 7.5
2008-05-18 19:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-18 19:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-18 19:50 --------- d-----w C:\Documents and Settings\Administrator.RU2K5-TQXDZZOCD\Application Data\Lavasoft
2008-05-18 19:49 --------- d-----w C:\Program Files\Anarchy Online
2008-05-15 02:39 --------- d-----w C:\Program Files\World of Warcraft
2008-04-29 05:05 --------- d-----w C:\Program Files\Dungeons & Dragons Online
2008-04-26 22:49 --------- d-----w C:\Program Files\MishBuddy
2008-04-24 08:47 --------- d-----w C:\Program Files\Paint Shop Pro 7
2008-04-21 03:21 --------- d-----w C:\Program Files\ClamWin
2008-04-19 10:39 --------- d-----w C:\Documents and Settings\Layna\Application Data\GetRightToGo
2008-04-14 00:12 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
2008-04-13 10:46 --------- d-----w C:\Program Files\SecondLife
2008-04-01 04:00 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-01 04:00 --------- d-----w C:\Program Files\Windows Live
2008-04-01 04:00 --------- d-----w C:\Program Files\MSN Messenger
2008-04-01 03:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-21 03:56 32 -c--a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
.
((((((((((((((((((((((((((((( snapshot@2008-05-18_14.24.16.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-18 21:13:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 01:33:59 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-17 09:22:37 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-18 21:40:30 753,664 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-18 21:40:30 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-17 09:22:37 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-05-18 21:40:21 753,664 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-05-18 21:40:21 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89fa2a80-f023-4d54-bc60-a29ba58b6303}]
C:\WINDOWS\system32\vnseayye.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17 442368 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17 442368 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17 442368 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17 442368 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17 442368 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17 442368 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17 442368 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 14:22 3739648]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" [2003-08-12 13:48 131072]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22 4670968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALi5289"="C:\Program Files\ULI5289\ALi5289.exe" [2005-03-10 14:56 405504]
"POINTER"="point32.exe" []
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2008-04-19 16:35 77824]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-03-12 22:58 7630848]
"UniUploader"="C:\Program Files\UniUploader\UniUploader.exe" [2007-06-26 14:53 454656]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\28ba92cf]
C:\WINDOWS\system32\tfmejgfp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 03:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
-r------- 2006-05-04 01:26 2808832 C:\WINDOWS\alcwzrd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
--a------ 2003-08-12 13:48 131072 C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a--c--- 2003-09-17 10:43 57344 C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-11-08 15:00 128920 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
C:\Program Files\Diskeeper\DkIcon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2007-03-05 13:57 1103480 C:\Program Files\IGN\Download Manager\dlm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lhshystz]
C:\Documents and Settings\Layna\Application Data\?dobe\l?backside.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
C:\Program Files\ICQ\ICQ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 02:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-03-12 22:58 7630848 C:\WINDOWS\system32\NvCpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-03-12 22:58 86016 C:\WINDOWS\system32\NvMcTray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-03-12 22:58 1519616 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Onde]
C:\DOCUME~1\Layna\APPLIC~1\PPATCH~1\msdtc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 20:38 64512 C:\WINDOWS\system32\P17.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule10]
C:\Program Files\QdrModule\QdrModule10.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-09-01 16:57 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-12-18 20:12 16062464 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu72.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-r------- 2006-07-21 01:14 86016 C:\WINDOWS\SoundMan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-04-13 03:48 36975 C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
--a------ 2007-09-09 10:31 1046688 C:\Program Files\TrojanHunter 5.0\THGuard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a--c--- 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--a------ 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2003-12-01 11:38 892928 C:\Program Files\Logitech\iTouch\iTouch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Spacial Audio\\SAMBC.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Outlook Express\\msimn.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\ABC\\abc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\SHOUTcast\\sc_serv.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Skype\\Skype.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Dungeons & Dragons Online\\dndclient.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6994:TCP"= 6994:TCP:1
"2104:TCP"= 2104:TCP:2
"2106:TCP"= 2106:TCP:3
"3724:TCP"= 3724:TCP:4
"6112:TCP"= 6112:TCP:5
R0 m5289;m5289;C:\WINDOWS\system32\drivers\m5289.sys [2004-12-01 10:49]
R0 uliagpkx;ULi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\agpkx.sys [2004-07-08 15:58]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 04:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 04:39]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe [2004-12-13 01:05]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe [2004-12-13 01:05]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;C:\Program Files\VMLaunch\BuddyVM.sys []
S2 ALIEHCD;ULi PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ALIEHCI.sys [2005-02-21 15:09]
S3 aliroothub;USB 2.0 Root Hub;C:\WINDOWS\system32\DRIVERS\AliRtHub.sys [2005-02-21 15:12]
S3 PciCon;PciCon;D:\PciCon.sys []
S3 ULI5261;ULi Based Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN.SYS [2004-12-31 15:24]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43b2dbcd-f9bd-11da-97fa-0015f2c26ab5}]
\Shell\AutoRun\command - D:\JDSecure\Windows\JDSecure20.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 01:37:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 18:34:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-05-19 18:45:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-20 01:44:31
Pre-Run: 27,999,178,752 bytes free
Post-Run: 27,986,460,672 bytes free
288 --- E O F --- 2008-05-16 00:13:22
Lisentia Member Joined: 18 May 2008 Posts: 9 Points: 0
Posted: Mon 05/19/2008 8:53pm [Post #6 ]
I'm looking for the reason why I am unable to install all critical Windows updates, and why my C:\ is listed as a red X icon instead of an HD icon like it's supposed to be in normal mode.
New Hijack This log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:53 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ULI5289\ALi5289.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\UniUploader\UniUploader.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Layna\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adultfriendfinder.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Mega Manager\MegaIEMn.dll
O4 - HKLM\..\Run: [ALi5289] C:\Program Files\ULI5289\ALi5289.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UniUploader] C:\Program Files\UniUploader\UniUploader.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149325762468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149325756921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC55D340-C93A-45A8-A4B1-DA69084CEB7D}: NameServer = 216.144.193.115,216.144.204.141
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7130 bytes
evilfantasy Spyware Fighter Joined: 18 Jan 2008 Posts: 31 Points: 10 Location: Tulsa, OK
Posted: Mon 05/19/2008 8:57pm [Post #7 ]
I'm looking at the logs. Do you know what these are?
C:\WINDOWS\system32\scripting
C:\WINDOWS\l2schemas
Lisentia Member Joined: 18 May 2008 Posts: 9 Points: 0
Posted: Mon 05/19/2008 9:13pm [Post #8 ]
evilfantasy wrote: I'm looking at the logs. Do you know what these are?
C:\WINDOWS\system32\scripting
C:\WINDOWS\l2schemas
I looked and they were both empty folders, so I deleted them.
evilfantasy Spyware Fighter Joined: 18 Jan 2008 Posts: 31 Points: 10 Location: Tulsa, OK
Posted: Mon 05/19/2008 9:20pm [Post #9 ]
OK, that's good. I think they were leftovers from some malware.
I don't know if all of the problems are malware-related or not, but there are a few malicious files/reg keys to get rid of.
Now download The Avenger by Swandog46 and save it to your Desktop.
Extract avenger.exe from the Zip file and save it to your desktop.
Run avenger.exe by double-clicking it.