Find your solution!

axelmadden · 17-Sep-2009, 11:50 AM #1

So yesterday i was on my computer andi got some screen that pops up when im online. The screen that poped up says that my computer is at risk and to run some virus scan on a program that doesnt exist on my computer. So i tried closing it but it will not close. I did scans with avast and can't find the issue with this, but i restart my computer and each time this thing pops right back up and i can close the program anyhow. I'm not sure what to do or what this is, anyone?

lunarlander · 17-Sep-2009, 02:31 PM #2

This type of program has been labeled 'scareware'. And since you say it pops up upon reboot, then it must have gotten installed. Malwarebytes is said to be good at removing these programs. Try it.

http://www.malwarebytes.org/mbam.php

flavallee · 17-Sep-2009, 02:46 PM #3

axelmadden:

Do the following in the order listed:

Go here and click the green icon to download Malwarebytes Anti-Malware 1.41

Just download and save it for now. Don't install it nor do anything with it yet.

Go here and click the green icon to download HijackThis 2.0.2.

Close all open windows, then install it. Make sure to install it in its default location, C:\Program Files\Trend Micro\HijackThis.

Run a scan with it - which will take 30 seconds or less.

Save the resulting log in Notepad.

Return here to your thread, then copy-and-paste the entire log here.

------------------------------------------------------------

axelmadden · 18-Sep-2009, 11:08 AM #4

okay i'll do this as soon as i get home from work today. Thanks for the help!

flavallee · 18-Sep-2009, 04:39 PM #5

You're welcome.

I'll be waiting to see a log.

------------------------------------------------------------------

axelmadden · 18-Sep-2009, 05:40 PM #6

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:16 PM, on 9/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll (file missing)
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSN helper - {0807E106-6C65-41B7-B2A5-B1FE103BFEBC} - xhl0.dll (file missing)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll (file missing)
O2 - BHO: ICQSys (IE PlugIn) - {77DC0B63-1535-4ba9-8BE8-D59EB676FA02} - C:\WINDOWS\system32\dddesot.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (file missing)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" -atboottime
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [19375154] C:\Documents and Settings\All Users\Application Data\19375154\19375154.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [AdobeBridge] "C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe" -stealth
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\User\protect.dll,_IWMPEvents@0
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Startup: DesktopVideoPlayer.LNK = C:\Program Files\vghd\vghd.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll (file missing)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: ,C:\WINDOWS\TEMP\34168kou.dll
O23 - Service: AntiPol (AntipPolice_) - Unknown owner - C:\WINDOWS\svchast.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: sofatnet Service (sofatnet) - Sigma Designs In - C:\WINDOWS\system32\sofatnet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7103 bytes

flavallee · 06:06 PM

Your log has several suspicious entries which indicates an infection.

I've requested a malware expert to look at your log.

BitComet is being used, so that may be part of the problem.

-------------------------------------------------------------

This log entry indicates a password stealer.

O2 - BHO: MSN helper - {0807E106-6C65-41B7-B2A5-B1FE103BFEBC} - xhl0.dll (file missing

http://www.systemlookup.com/lists.ph...1FE103BFEBC&s=

This log entry indicates a rogue security program.

O2 - BHO: ICQSys (IE PlugIn) - {77DC0B63-1535-4ba9-8BE8-D59EB676FA02} - C:\WINDOWS\system32\dddesot.dll

http://www.systemlookup.com/lists.ph...59EB676FA02&s=

These log entries indicate a trojan.

O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@0

O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\User\protect.dll,_IWMPEvents@0

http://www.systemlookup.com/lists.ph...rch=autochk&s=

This log entry indicates a rogue security program.

O23 - Service: AntiPol (AntipPolice_) - Unknown owner - C:\WINDOWS\svchast.exe

http://www.systemlookup.com/lists.ph...svchast.exe&s=

The list goes on, but I'll stop here.

-------------------------------------------------------------

**Cookiegal** · 18-Sep-2009, 06:03 PM #8

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.

axelmadden · 18-Sep-2009, 06:59 PM #9

combofix log:

ComboFix 09-09-18.02 - User 09/18/2009 16:35.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1589 [GMT -6:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1351 [VPS 090918-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\19375154
c:\documents and settings\All Users\Application Data\19375154\19375154
c:\documents and settings\All Users\Application Data\19375154\19375154.exe
c:\documents and settings\All Users\Application Data\19375154\pc19375154ins
c:\documents and settings\User\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}
c:\documents and settings\User\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\CurrentVersion.xml
c:\documents and settings\User\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\Data\ProductInfo.mx
c:\documents and settings\User\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\productinfo.dll
c:\documents and settings\User\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\Setup.exe
c:\documents and settings\User\protect.dll
c:\documents and settings\User\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\User\Start Menu\Programs\Startup\ChkDisk.lnk
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\program files\Windows Police Pro\tmp\dbsinit.exe
c:\program files\Windows Police Pro\tmp\images\i1.gif
c:\program files\Windows Police Pro\tmp\images\i2.gif
c:\program files\Windows Police Pro\tmp\images\i3.gif
c:\program files\Windows Police Pro\tmp\images\j1.gif
c:\program files\Windows Police Pro\tmp\images\j2.gif
c:\program files\Windows Police Pro\tmp\images\j3.gif
c:\program files\Windows Police Pro\tmp\images\jj1.gif
c:\program files\Windows Police Pro\tmp\images\jj2.gif
c:\program files\Windows Police Pro\tmp\images\jj3.gif
c:\program files\Windows Police Pro\tmp\images\l1.gif
c:\program files\Windows Police Pro\tmp\images\l2.gif
c:\program files\Windows Police Pro\tmp\images\l3.gif
c:\program files\Windows Police Pro\tmp\images\pix.gif
c:\program files\Windows Police Pro\tmp\images\t1.gif
c:\program files\Windows Police Pro\tmp\images\t2.gif
c:\program files\Windows Police Pro\tmp\images\up1.gif
c:\program files\Windows Police Pro\tmp\images\up2.gif
c:\program files\Windows Police Pro\tmp\images\w1.gif
c:\program files\Windows Police Pro\tmp\images\w11.gif
c:\program files\Windows Police Pro\tmp\images\w2.gif
c:\program files\Windows Police Pro\tmp\images\w3.gif
c:\program files\Windows Police Pro\tmp\images\w3.jpg
c:\program files\Windows Police Pro\tmp\images\wt1.gif
c:\program files\Windows Police Pro\tmp\images\wt2.gif
c:\program files\Windows Police Pro\tmp\images\wt3.gif
c:\program files\Windows Police Pro\tmp\wispex.html
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-29417024-933668401-2230675278-500
C:\sfknsfknf.exe
c:\windows\kb913800.exe
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\svchast.exe
c:\windows\system32\6to4v32.dll
c:\windows\system32\autochk.dll
c:\windows\system32\bennuar.old
c:\windows\system32\bincd32.dat
c:\windows\system32\certstore.dat
c:\windows\system32\config\systemprofile\Start Menu\Programs\Total Security
c:\windows\system32\config\systemprofile\Start Menu\Programs\Total Security\Total Security 2009.lnk
c:\windows\system32\dddesot.dll
c:\windows\system32\drivers\gasfkydnmxejer.sys
c:\windows\system32\drivers\ringowhfzke.sys
c:\windows\system32\drivers\str.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\gasfkydvwpjurq.dll
c:\windows\system32\gasfkykjejtakg.dat
c:\windows\system32\gasfkyklmctqmv.dll
c:\windows\system32\gasfkypphjjyow.dll
c:\windows\system32\gasfkytuunfvak.dat
c:\windows\system32\Install.txt
c:\windows\system32\mndisk.sys
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\wiwow64.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\TEMP\mta50652.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyoyrddxrx
-------\Legacy_gasfkyoyrddxrx
-------\Legacy_6TO4
-------\Legacy_MNDISK
-------\Legacy_SPEXTOCJ
-------\Service_6to4
-------\Service_mndisk
-------\Legacy_AntipPolice_
-------\Service_AntipPolice_

((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-18 22:49 . 2009-09-18 22:49 131072 ----a-w- c:\windows\system32\wiwow64.exe
2009-09-18 21:36 . 2009-09-18 21:36 -------- d-----w- c:\program files\Trend Micro
2009-09-17 13:28 . 2009-09-17 13:28 2198 ----a-w- C:\Cvw02b.bat
2009-09-17 04:28 . 2009-09-17 04:28 0 ----a-w- c:\windows\nsreg.dat
2009-09-17 04:28 . 2009-09-17 04:28 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Mozilla
2009-09-17 04:00 . 2009-09-17 04:00 1 ----a-w- c:\windows\system32\xd.dat
2009-09-17 04:00 . 2009-09-17 04:00 1 ----a-w- c:\windows\system32\q1.dat
2009-09-17 04:00 . 2009-09-17 04:00 1 ----a-w- c:\windows\system32\idm.dat
2009-09-17 04:00 . 2009-09-17 04:00 1 ----a-w- c:\windows\system32\c2d.dat
2009-09-16 22:29 . 2009-09-16 22:29 38400 ----a-w- c:\windows\system32\xhl0.dll
2009-09-16 15:24 . 2009-09-16 15:24 -------- d-----w- c:\documents and settings\User\Application Data\MixMeister Technology
2009-09-16 15:23 . 2009-09-16 15:24 -------- d-----w- c:\program files\MixMeister Express 6 Demo
2009-09-16 13:09 . 2009-09-16 13:12 -------- d-----w- c:\documents and settings\User\Application Data\NCH Swift Sound
2009-09-16 13:09 . 2009-09-16 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-09-16 13:09 . 2009-09-16 13:12 -------- d-----w- c:\program files\NCH Swift Sound
2009-09-16 12:49 . 2009-09-16 12:49 -------- d-----w- c:\documents and settings\User\Application Data\NCH Software
2009-09-16 12:49 . 2009-09-16 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2009-09-16 12:49 . 2009-09-16 12:49 -------- d-----w- c:\program files\NCH Software
2009-09-16 01:06 . 2009-09-16 01:06 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Ahead
2009-09-13 18:03 . 2009-09-13 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-09-13 18:03 . 2009-09-13 18:03 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2009-09-09 19:24 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-05 23:04 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-05 23:04 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-05 23:04 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-05 23:04 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-05 23:04 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-05 23:04 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-09-05 23:04 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-05 23:04 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-05 23:03 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-26 01:28 . 2008-10-16 20:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-08-26 01:28 . 2008-10-16 20:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-08-26 01:17 . 2009-09-10 09:09 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-26 01:00 . 2009-08-26 01:00 -------- d-----w- c:\documents and settings\User\Application Data\Template
2009-08-24 18:31 . 2009-09-18 22:49 7 ----a-w- c:\windows\sbacknt.bin
2009-08-24 18:30 . 2009-08-24 18:30 -------- d-----w- c:\program files\vghd
2009-08-24 18:30 . 2009-08-24 18:30 152904 ----a-w- c:\windows\system32\vghd.scr
2009-08-24 18:30 . 2009-08-24 18:30 -------- d-----w- c:\documents and settings\User\Application Data\vghd
2009-08-23 17:55 . 2004-03-02 23:37 125184 ------w- c:\windows\system32\drivers\imagesrv.sys
2009-08-23 17:55 . 2004-03-02 23:37 5504 ------w- c:\windows\system32\drivers\imagedrv.sys
2009-08-23 17:55 . 2000-06-26 17:45 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2009-08-23 17:55 . 2004-07-26 23:16 476320 ------w- c:\windows\system32\ImagXpr7.dll
2009-08-23 17:55 . 2004-07-26 23:16 471040 ------w- c:\windows\system32\ImagXRA7.dll
2009-08-23 17:55 . 2004-07-26 23:16 262144 ------w- c:\windows\system32\ImagXR7.dll
2009-08-23 17:55 . 2004-07-26 23:16 1568768 ------w- c:\windows\system32\ImagX7.dll
2009-08-23 17:55 . 2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2009-08-23 17:55 . 2009-08-23 17:55 -------- d-----w- c:\program files\Ahead
2009-08-23 17:55 . 2009-08-23 17:55 -------- d-----w- c:\program files\Common Files\Ahead
2009-08-21 21:42 . 2009-08-21 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-08-21 21:42 . 2009-08-21 21:42 -------- d-----w- c:\program files\DVD Shrink
2009-08-21 21:31 . 2009-08-21 21:31 -------- d-----w- c:\documents and settings\yfl\LOCALS~1
2009-08-21 21:31 . 2009-08-21 21:31 -------- d-----w- c:\documents and settings\yfl
2009-08-21 21:29 . 2009-08-21 21:29 -------- d-----w- c:\program files\Xilisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 21:37 . 2009-07-17 18:10 -------- d-----w- c:\program files\BitComet
2009-09-17 04:17 . 2009-07-24 16:18 -------- d-----w- c:\program files\Image-Line
2009-09-11 15:06 . 2009-07-21 18:57 -------- d-----w- c:\program files\MpcStar
2009-09-06 01:35 . 2009-08-26 01:00 322 ----a-w- c:\documents and settings\User\Application Data\wklnhst.dat
2009-08-26 09:01 . 2009-07-08 03:07 -------- d-----w- c:\program files\Microsoft Works
2009-08-21 21:36 . 2009-07-16 19:34 -------- d-----w- c:\documents and settings\User\Application Data\CyberLink
2009-08-08 09:14 . 2005-01-10 01:26 33840 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-08 09:04 . 2009-08-08 09:04 -------- d-----w- c:\program files\MSBuild
2009-08-08 09:04 . 2009-08-08 09:04 -------- d-----w- c:\program files\Reference Assemblies
2009-08-08 09:00 . 2009-08-08 09:00 -------- d-----w- c:\program files\MSXML 6.0
2009-08-05 09:11 . 2009-07-08 00:41 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 02:56 . 2009-08-05 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-08-05 02:55 . 2009-08-05 02:55 -------- d-----w- c:\documents and settings\User\Application Data\acccore
2009-08-05 02:55 . 2009-08-05 02:53 -------- d-----w- c:\program files\AIM6
2009-08-05 02:53 . 2009-08-05 02:53 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-08-05 02:53 . 2009-08-05 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM Toolbar
2009-08-05 02:53 . 2009-08-05 02:53 -------- d-----w- c:\program files\Viewpoint
2009-08-05 02:53 . 2009-08-05 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-05 02:53 . 2009-08-05 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-08-05 02:53 . 2009-08-05 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-08-05 02:53 . 2009-08-05 02:53 -------- d-----w- c:\program files\Common Files\AOL
2009-08-03 00:49 . 2009-08-03 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-01 15:33 . 2009-07-30 20:49 -------- d-----w- c:\program files\Yahoo!
2009-07-31 19:58 . 2009-07-08 02:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-31 19:55 . 2009-07-31 19:55 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-31 19:51 . 2009-07-31 19:51 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-07-31 17:45 . 2009-07-08 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2009-07-30 20:51 . 2009-07-30 20:51 -------- d-----w- c:\program files\7-Zip
2009-07-30 20:49 . 2009-07-30 20:49 -------- d-----w- c:\documents and settings\User\Application Data\Yahoo!
2009-07-30 20:32 . 2009-07-30 20:32 -------- d-----w- c:\documents and settings\User\Application Data\Uniblue
2009-07-30 17:32 . 2009-07-30 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Ableton
2009-07-30 17:32 . 2009-07-30 17:32 -------- d-----w- c:\documents and settings\User\Application Data\Ableton
2009-07-28 23:17 . 2009-07-28 23:17 -------- d-----w- c:\documents and settings\User\Application Data\Steinberg
2009-07-28 23:15 . 2009-07-28 23:15 -------- d-----w- c:\program files\Steinberg
2009-07-28 23:10 . 2009-07-28 23:09 -------- d-----w- c:\program files\Syncrosoft
2009-07-28 03:54 . 2009-07-28 03:54 -------- d-----w- c:\documents and settings\User\Application Data\AdobeUM
2009-07-27 23:06 . 2009-07-27 23:06 -------- d-----w- c:\documents and settings\User\Application Data\Deckadance
2009-07-27 22:38 . 2009-07-24 16:03 -------- d-----w- c:\program files\Vstplugins
2009-07-27 22:07 . 2009-07-24 16:03 -------- d-----w- c:\program files\Sony
2009-07-27 22:05 . 2009-07-23 18:14 -------- d-----w- c:\program files\Sony Setup
2009-07-27 22:04 . 2009-07-27 22:04 -------- d-----w- c:\documents and settings\User\Application Data\Publish Providers
2009-07-24 16:21 . 2009-07-24 16:21 -------- d-----w- c:\program files\ASIO4ALL v2
2009-07-24 16:20 . 2009-07-24 16:20 -------- d-----w- c:\program files\Outsim
2009-07-24 16:05 . 2009-07-24 16:05 -------- d-----w- c:\documents and settings\User\Application Data\Sony
2009-07-21 19:03 . 2009-07-21 18:59 -------- d-----w- c:\documents and settings\User\Application Data\TigerPlayer
2009-07-21 18:57 . 2009-07-21 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-17 18:55 . 2009-07-08 00:37 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 16:08 . 2009-07-08 00:44 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 03:04 . 2009-07-09 03:04 127 ----a-w- c:\documents and settings\User\Local Settings\Application Data\fusioncache.dat
2009-07-08 02:48 . 2009-07-08 02:48 21275 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-07-08 02:43 . 2009-07-08 02:43 4 ----a-w- c:\windows\Pix11.dat
2009-07-08 00:48 . 2009-07-08 00:48 60 ----a-w- c:\windows\system32\SYSDRV.DAT
2009-06-26 16:18 . 2009-07-08 00:43 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2009-07-08 00:39 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 18:36 . 2009-07-08 00:41 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2009-07-08 00:41 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2009-07-08 00:41 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2009-07-08 00:41 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2009-07-08 00:41 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2009-07-08 00:41 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2009-07-08 00:41 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2009-07-08 00:41 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2009-07-08 00:41 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2009-07-08 00:41 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 18:36 . 2009-07-08 00:41 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2009-07-08 00:41 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 08:44 . 2009-07-08 00:43 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2009-07-08 00:42 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2009-07-08 00:42 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2009-07-08 00:41 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:44 . 2009-07-08 00:41 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2009-07-08 00:39 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:49 . 2009-07-08 00:41 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2009-07-08 00:41 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2009-07-08 00:41 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2009-07-08 00:41 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:34 . 2009-07-08 00:39 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"BitComet"="c:\program files\BitComet\BitComet.exe" [2009-06-22 2624824]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-29 13145448]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"QuickTime Task"="c:\program files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" [2009-07-21 413696]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-05-11 200069]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-12-27 413696]

c:\documents and settings\User\Start Menu\Programs\Startup\
DesktopVideoPlayer.LNK - c:\program files\vghd\vghd.exe [2009-8-24 402768]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"23910:TCP"= 23910:TCP:BitComet 23910 TCP
"23910:UDP"= 23910:UDP:BitComet 23910 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/5/2009 5:04 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/5/2009 5:04 PM 20560]
R2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [7/7/2009 6:43 PM 14336]
R2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [8/10/2004 1:00 PM 94720]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/4/2009 8:53 PM 24652]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [7/28/2009 5:10 PM 33792]
S2 spextocj;spextocj;\??\c:\windows\system32\drivers\ringowhfzke.sys --> c:\windows\system32\drivers\ringowhfzke.sys [?]
S3 ATMFBUS;A600 USB Composite Device Driver;c:\windows\system32\drivers\ATMFBUS.sys [7/16/2009 11:15 AM 38528]
S3 ATMFCVsp;A600 Cricket CM Port;c:\windows\system32\drivers\ATMFCVsp.sys [7/16/2009 11:15 AM 54656]
S3 ATMFFLT;A600 USB Modem Installation CD;c:\windows\system32\drivers\ATMFFLT.sys [7/16/2009 11:15 AM 11520]
S3 ATMFMdm;A600 Cricket EVDO Modem;c:\windows\system32\drivers\ATMFMdm.sys [7/16/2009 11:15 AM 54528]
S3 ATMFNET;A600 Cricket EVDO Network Adapter;c:\windows\system32\drivers\ATMFNET.sys [7/16/2009 11:15 AM 103424]
S3 ATMFNVsp;A600 Cricket NMEA Port Serial Port;c:\windows\system32\drivers\ATMFNVsp.sys [7/16/2009 11:15 AM 54656]
S3 ATMFVsp;A600 Cricket Diagnostics Port;c:\windows\system32\drivers\ATMFVsp.sys [7/16/2009 11:15 AM 54656]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EVDOSERVER
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\1o2oj4yr.default\
FF - plugin: c:\program files\MpcStar\Codecs\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\MpcStar\Codecs\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
HKLM-Run-19375154 - c:\documents and settings\All Users\Application Data\19375154\19375154.exe
AddRemove-AIM Search - c:\program files\AIM Search\uninstaller.exe
AddRemove-AIM Toolbar - c:\program files\AIM Toolbar\uninstall.exe
AddRemove-Live 8.0.3 - c:\progra~1\Ableton\LIVE80~1.3\Install\UNWISE.EXE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-18 16:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\wiwow64.exe 131072 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3072)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\vghd\VirtuaGirl_Downloader.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\wmdtc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-18 16:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-18 22:54

Pre-Run: 54,290,726,912 bytes free
Post-Run: 56,832,925,696 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

384 --- E O F --- 2009-09-10 09:01

axelmadden · 18-Sep-2009, 07:00 PM **#10**

and hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:57:49 PM, on 9/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe
C:\Program Files\vghd\VirtuaGirl_downloader.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wmdtc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\sofatnet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\lsm32.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll (file missing)
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll (file missing)
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (file missing)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" -atboottime
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [AdobeBridge] "C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe" -stealth
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: DesktopVideoPlayer.LNK = C:\Program Files\vghd\vghd.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll (file missing)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: sofatnet Service (sofatnet) - Sigma Designs In - C:\WINDOWS\system32\sofatnet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7955 bytes

**Cookiegal** · 19-Sep-2009, 05:02 PM **#11**

Open Notepad and copy and paste the text in the code box below into it:

Code:

File::
c:\windows\system32\wiwow64.exe
C:\Cvw02b.bat
c:\windows\system32\xd.dat
c:\windows\system32\q1.dat
c:\windows\system32\idm.dat
c:\windows\system32\c2d.dat
c:\windows\system32\xhl0.dll
c:\windows\system32\sofatnet.exe
c:\windows\system32\drivers\ringowhfzke.sys

Driver::
sofatnet
spextocj

Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

axelmadden · 19-Sep-2009, 07:35 PM **#12**

HIGHJACKTHIS FILE:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:34:04 PM, on 9/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wiwow64.exe
C:\Program Files\vghd\VirtuaGirl_downloader.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\sofatnet.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\lsm32.sys
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll (file missing)
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll (file missing)
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (file missing)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" -atboottime
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [AdobeBridge] "C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe" -stealth
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: DesktopVideoPlayer.LNK = C:\Program Files\vghd\vghd.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll (file missing)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7844 bytes

axelmadden · 19-Sep-2009, 07:36 PM **#13**

COMBOFIX FILE:

ComboFix 09-09-18.02 - User 09/19/2009 17:24.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1445 [GMT -6:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1351 [VPS 090919-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"C:\Cvw02b.bat"
"c:\windows\system32\c2d.dat"
"c:\windows\system32\drivers\ringowhfzke.sys"
"c:\windows\system32\idm.dat"
"c:\windows\system32\q1.dat"
"c:\windows\system32\sofatnet.exe"
"c:\windows\system32\wiwow64.exe"
"c:\windows\system32\xd.dat"
"c:\windows\system32\xhl0.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Cvw02b.bat
c:\windows\Install.txt
c:\windows\system32\c2d.dat
c:\windows\system32\FInstall.sys
c:\windows\system32\idm.dat
c:\windows\system32\Install.txt
c:\windows\system32\q1.dat
c:\windows\system32\sofatnet.exe
c:\windows\system32\wiwow64.exe
c:\windows\system32\xd.dat
c:\windows\system32\xhl0.dll
c:\windows\TEMP\mta63346.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SOFATNET
-------\Service_sofatnet
-------\Service_spextocj

((((((((((((((((((((((((( Files Created from 2009-08-19 to 2009-09-19 )))))))))))))))))))))))))))))))
.

2009-09-19 14:52 . 2009-09-19 14:52 -------- d-----w- c:\program files\Caricature Software
2009-09-19 00:17 . 2009-09-19 00:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2009-09-19 00:16 . 2009-09-19 00:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-09-18 21:36 . 2009-09-18 21:36 -------- d-----w- c:\program files\Trend Micro
2009-09-17 04:28 . 2009-09-17 04:28 0 ----a-w- c:\windows\nsreg.dat
2009-09-17 04:28 . 2009-09-17 04:28 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Mozilla
2009-09-16 15:24 . 2009-09-16 15:24 -------- d-----w- c:\documents and settings\User\Application Data\MixMeister Technology
2009-09-16 15:23 . 2009-09-16 15:24 -------- d-----w- c:\program files\MixMeister Express 6 Demo
2009-09-16 13:09 . 2009-09-16 13:12 -------- d-----w- c:\documents and settings\User\Application Data\NCH Swift Sound
2009-09-16 13:09 . 2009-09-16 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-09-16 13:09 . 2009-09-16 13:12 -------- d-----w- c:\program files\NCH Swift Sound
2009-09-16 12:49 . 2009-09-16 12:49 -------- d-----w- c:\documents and settings\User\Application Data\NCH Software
2009-09-16 12:49 . 2009-09-16 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2009-09-16 12:49 . 2009-09-16 12:49 -------- d-----w- c:\program files\NCH Software
2009-09-16 01:06 . 2009-09-16 01:06 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Ahead
2009-09-13 18:03 . 2009-09-13 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-09-13 18:03 . 2009-09-13 18:03 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2009-09-09 19:24 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-05 23:04 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-05 23:04 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-05 23:04 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-05 23:04 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-05 23:04 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-05 23:04 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-09-05 23:04 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-05 23:04 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-05 23:03 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-26 01:28 . 2008-10-16 20:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-08-26 01:28 . 2008-10-16 20:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-08-26 01:17 . 2009-09-10 09:09 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-26 01:00 . 2009-08-26 01:00 -------- d-----w- c:\documents and settings\User\Application Data\Template
2009-08-24 18:31 . 2009-09-19 23:30 7 ----a-w- c:\windows\sbacknt.bin
2009-08-24 18:30 . 2009-08-24 18:30 -------- d-----w- c:\program files\vghd
2009-08-24 18:30 . 2009-08-24 18:30 152904 ----a-w- c:\windows\system32\vghd.scr
2009-08-24 18:30 . 2009-08-24 18:30 -------- d-----w- c:\documents and settings\User\Application Data\vghd
2009-08-23 17:55 . 2004-03-02 23:37 125184 ------w- c:\windows\system32\drivers\imagesrv.sys
2009-08-23 17:55 . 2004-03-02 23:37 5504 ------w- c:\windows\system32\drivers\imagedrv.sys
2009-08-23 17:55 . 2000-06-26 17:45 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2009-08-23 17:55 . 2004-07-26 23:16 476320 ------w- c:\windows\system32\ImagXpr7.dll
2009-08-23 17:55 . 2004-07-26 23:16 471040 ------w- c:\windows\system32\ImagXRA7.dll
2009-08-23 17:55 . 2004-07-26 23:16 262144 ------w- c:\windows\system32\ImagXR7.dll
2009-08-23 17:55 . 2004-07-26 23:16 1568768 ------w- c:\windows\system32\ImagX7.dll
2009-08-23 17:55 . 2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2009-08-23 17:55 . 2009-08-23 17:55 -------- d-----w- c:\program files\Ahead
2009-08-23 17:55 . 2009-08-23 17:55 -------- d-----w- c:\program files\Common Files\Ahead
2009-08-21 21:42 . 2009-08-21 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-08-21 21:42 . 2009-08-21 21:42 -------- d-----w- c:\program files\DVD Shrink
2009-08-21 21:31 . 2009-08-21 21:31 -------- d-----w- c:\documents and settings\yfl\LOCALS~1
2009-08-21 21:31 . 2009-08-21 21:31 -------- d-----w- c:\documents and settings\yfl
2009-08-21 21:29 . 2009-08-21 21:29 -------- d-----w- c:\program files\Xilisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-19 23:25 . 2009-07-17 18:10 -------- d-----w- c:\program files\BitComet
2009-09-19 03:04 . 2009-07-21 18:57 -------- d-----w- c:\program files\MpcStar
2009-09-17 04:17 . 2009-07-24 16:18 -------- d-----w- c:\program files\Image-Line
2009-09-06 01:35 . 2009-08-26 01:00 322 ----a-w- c:\documents and settings\User\Application Data\wklnhst.dat
2009-08-26 09:01 . 2009-07-08 03:07 -------- d-----w- c:\program files\Microsoft Works
2009-08-21 21:36 . 2009-07-16 19:34 -------- d-----w- c:\documents and settings\User\Application Data\CyberLink
2009-08-08 09:14 . 2005-01-10 01:26 33840 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-08 09:04 . 2009-08-08 09:04 -------- d-----w- c:\program files\MSBuild
2009-08-08 09:04 . 2009-08-08 09:04 -------- d-----w- c:\program files\Reference Assemblies
2009-08-08 09:00 . 2009-08-08 09:00 -------- d-----w- c:\program files\MSXML 6.0
2009-08-05 09:11 . 2009-07-08 00:41 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 02:56 . 2009-08-05 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-08-05 02:55 . 2009-08-05 02:55 -------- d-----w- c:\documents and settings\User\Application Data\acccore
2009-08-05 02:55 . 2009-08-05 02:53 -------- d-----w- c:\program files\AIM6
2009-08-05 02:53 . 2009-08-05 02:53 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-08-05 02:53 . 2009-08-05 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM Toolbar
2009-08-05 02:53 . 2009-08-05 02:53 -------- d-----w- c:\program files\Viewpoint
2009-08-05 02:53 . 2009-08-05 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-05 02:53 . 2009-08-05 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-08-05 02:53 . 2009-08-05 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-08-05 02:53 . 2009-08-05 02:53 -------- d-----w- c:\program files\Common Files\AOL
2009-08-03 00:49 . 2009-08-03 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-01 15:33 . 2009-07-30 20:49 -------- d-----w- c:\program files\Yahoo!
2009-07-31 19:58 . 2009-07-08 02:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-31 19:55 . 2009-07-31 19:55 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-31 19:51 . 2009-07-31 19:51 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-07-31 17:45 . 2009-07-08 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2009-07-30 20:51 . 2009-07-30 20:51 -------- d-----w- c:\program files\7-Zip
2009-07-30 20:49 . 2009-07-30 20:49 -------- d-----w- c:\documents and settings\User\Application Data\Yahoo!
2009-07-30 20:32 . 2009-07-30 20:32 -------- d-----w- c:\documents and settings\User\Application Data\Uniblue
2009-07-30 17:32 . 2009-07-30 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Ableton
2009-07-30 17:32 . 2009-07-30 17:32 -------- d-----w- c:\documents and settings\User\Application Data\Ableton
2009-07-28 23:17 . 2009-07-28 23:17 -------- d-----w- c:\documents and settings\User\Application Data\Steinberg
2009-07-28 23:15 . 2009-07-28 23:15 -------- d-----w- c:\program files\Steinberg
2009-07-28 23:10 . 2009-07-28 23:09 -------- d-----w- c:\program files\Syncrosoft
2009-07-28 03:54 . 2009-07-28 03:54 -------- d-----w- c:\documents and settings\User\Application Data\AdobeUM
2009-07-27 23:06 . 2009-07-27 23:06 -------- d-----w- c:\documents and settings\User\Application Data\Deckadance
2009-07-27 22:38 . 2009-07-24 16:03 -------- d-----w- c:\program files\Vstplugins
2009-07-27 22:07 . 2009-07-24 16:03 -------- d-----w- c:\program files\Sony
2009-07-27 22:05 . 2009-07-23 18:14 -------- d-----w- c:\program files\Sony Setup
2009-07-27 22:04 . 2009-07-27 22:04 -------- d-----w- c:\documents and settings\User\Application Data\Publish Providers
2009-07-24 16:21 . 2009-07-24 16:21 -------- d-----w- c:\program files\ASIO4ALL v2
2009-07-24 16:20 . 2009-07-24 16:20 -------- d-----w- c:\program files\Outsim
2009-07-24 16:05 . 2009-07-24 16:05 -------- d-----w- c:\documents and settings\User\Application Data\Sony
2009-07-17 18:55 . 2009-07-08 00:37 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 16:08 . 2009-07-08 00:44 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 03:04 . 2009-07-09 03:04 127 ----a-w- c:\documents and settings\User\Local Settings\Application Data\fusioncache.dat
2009-07-08 02:48 . 2009-07-08 02:48 21275 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-07-08 02:43 . 2009-07-08 02:43 4 ----a-w- c:\windows\Pix11.dat
2009-07-08 00:48 . 2009-07-08 00:48 60 ----a-w- c:\windows\system32\SYSDRV.DAT
2009-06-26 16:18 . 2009-07-08 00:43 659456 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2009-07-08 00:39 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 18:36 . 2009-07-08 00:41 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2009-07-08 00:41 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2009-07-08 00:41 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2009-07-08 00:41 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2009-07-08 00:41 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2009-07-08 00:41 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2009-07-08 00:41 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2009-07-08 00:41 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2009-07-08 00:41 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2009-07-08 00:41 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 18:36 . 2009-07-08 00:41 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2009-07-08 00:41 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 08:44 . 2009-07-08 00:43 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2009-07-08 00:42 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2009-07-08 00:42 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2009-07-08 00:41 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:44 . 2009-07-08 00:41 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2009-07-08 00:39 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:49 . 2009-07-08 00:41 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2009-07-08 00:41 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2009-07-08 00:41 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2009-07-08 00:41 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:34 . 2009-07-08 00:39 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-09-18_22.49.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-19 23:29 . 2009-09-19 23:29 16384 c:\windows\Temp\Perflib_Perfdata_7c4.dat
+ 2009-09-19 17:52 . 2009-09-19 17:52 85173 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-09-19 23:30 . 2009-06-26 16:18 616448 c:\windows\Temp\x1c95727.dll
+ 2009-09-19 23:29 . 2009-06-26 16:18 616448 c:\windows\Temp\mta41495.dll
- 2009-09-18 22:50 . 2009-06-26 16:18 616448 c:\windows\Temp\mta13187.dll
+ 2009-09-19 23:30 . 2009-06-26 16:18 616448 c:\windows\Temp\mta13187.dll
+ 2009-09-19 23:30 . 2009-06-26 16:18 616448 c:\windows\Temp\mta105243.dll
+ 2004-08-10 19:00 . 2004-08-10 19:00 132096 c:\windows\system32\wmdtc.exe
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-09-19 14:52 . 2009-09-19 14:52 440832 c:\windows\Installer\3a9a06.msi
+ 2005-09-16 19:07 . 2005-09-16 19:07 434176 c:\windows\ehome\CreateDisc\pxdrv.dll
+ 2009-09-19 16:29 . 2009-09-19 16:29 864256 c:\windows\assembly\GAC\ehepg\6.0.3000.0__31bf3856ad364e35\ehepg.dll
- 2009-09-10 09:09 . 2009-09-10 09:09 864256 c:\windows\assembly\GAC\ehepg\6.0.3000.0__31bf3856ad364e35\ehepg.dll
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2009-09-19 16:29 . 2009-09-19 16:29 1863680 c:\windows\assembly\GAC\EhCM\6.0.3000.0__31bf3856ad364e35\ehcm.dll
- 2009-09-10 09:09 . 2009-09-10 09:09 1863680 c:\windows\assembly\GAC\EhCM\6.0.3000.0__31bf3856ad364e35\EhCM.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"BitComet"="c:\program files\BitComet\BitComet.exe" [2009-06-22 2624824]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-29 13145448]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"QuickTime Task"="c:\program files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" [2009-07-21 413696]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-05-11 200069]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-12-27 413696]

c:\documents and settings\User\Start Menu\Programs\Startup\
DesktopVideoPlayer.LNK - c:\program files\vghd\vghd.exe [2009-8-24 402768]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"23910:TCP"= 23910:TCP:BitComet 23910 TCP
"23910:UDP"= 23910:UDP:BitComet 23910 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/5/2009 5:04 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/5/2009 5:04 PM 20560]
R2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [7/7/2009 6:43 PM 14336]
R2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [8/10/2004 1:00 PM 94208]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/4/2009 8:53 PM 24652]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [7/28/2009 5:10 PM 33792]
S3 ATMFBUS;A600 USB Composite Device Driver;c:\windows\system32\drivers\ATMFBUS.sys [7/16/2009 11:15 AM 38528]
S3 ATMFCVsp;A600 Cricket CM Port;c:\windows\system32\drivers\ATMFCVsp.sys [7/16/2009 11:15 AM 54656]
S3 ATMFFLT;A600 USB Modem Installation CD;c:\windows\system32\drivers\ATMFFLT.sys [7/16/2009 11:15 AM 11520]
S3 ATMFMdm;A600 Cricket EVDO Modem;c:\windows\system32\drivers\ATMFMdm.sys [7/16/2009 11:15 AM 54528]
S3 ATMFNET;A600 Cricket EVDO Network Adapter;c:\windows\system32\drivers\ATMFNET.sys [7/16/2009 11:15 AM 103424]
S3 ATMFNVsp;A600 Cricket NMEA Port Serial Port;c:\windows\system32\drivers\ATMFNVsp.sys [7/16/2009 11:15 AM 54656]
S3 ATMFVsp;A600 Cricket Diagnostics Port;c:\windows\system32\drivers\ATMFVsp.sys [7/16/2009 11:15 AM 54656]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EVDOSERVER
*NewlyCreated* - SOFATNET
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\1o2oj4yr.default\
FF - plugin: c:\program files\MpcStar\Codecs\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\MpcStar\Codecs\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-19 17:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\sofatnet.exe 94208 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2280)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\ehome\ehmsas.exe
c:\qoobox\Quarantine\C\WINDOWS\system32\wiwow64.exe.vir
c:\program files\vghd\VirtuaGirl_Downloader.exe
c:\windows\system32\lsm32.sys
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-19 17:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-19 23:33
ComboFix2.txt 2009-09-18 22:54

Pre-Run: 43,012,866,048 bytes free
Post-Run: 43,052,875,776 bytes free

308 --- E O F --- 2009-09-19 13:51

**Cookiegal** · 20-Sep-2009, 04:38 PM **#14**

Open Notepad and copy and paste the text in the code box below into it:

Code:

File::
c:\windows\system32\sofatnet.exe

Driver::
EvdoServer
sofatnet

Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

axelmadden · 20-Sep-2009, 06:13 PM **#15**

Hijak this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:30 PM, on 9/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\vghd\vghd.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll (file missing)
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll (file missing)
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (file missing)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" -atboottime
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [AdobeBridge] "C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe" -stealth
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: DesktopVideoPlayer.LNK = C:\Program Files\vghd\vghd.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll (file missing)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7743 bytes

Tag Cloud
access audio blue screen boot bsod connection crash dell desktop driver dvd email error excel excel 2003 firefox hard drive hardware hdmi hijackthis internet keyboard laptop malware monitor motherboard network networking outlook problem ram recovery router screen slow sound spyware tdlwsp.dll trojan upgrade vba video virus vista vundo windows windows 7 windows vista windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)