Msn Messenger Virus Need Help.

nezhaniswinnie · Nov 5, 2007

Hey,

I'm a having problems with my msn live messenger. I am sharing my laptop with my elder sister and she happens to receive a file that has beem sent through one of her contacts in her msn messenger account.- download of pics. She accepted the file and opened it - no pics.

eversince then, both my sister and i got affected everytime we logged in to the messenger. every once in a while the mouse freezes up there is flashes of MSN Messenger tabbed chats on my screen. and i realise it's a kind of virus/worm that is going around the msn contact. so, i really your help to remove this msn virus cause it's irritating me as my friends are asking why i actually send them those picture downloads, when i actually did not do anything.

please do help me. thank you.

Cheeseball81 · Nov 5, 2007

* Click here to download HJTsetup.exe.
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

nezhaniswinnie · Nov 7, 2007

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:57 PM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\ohprotig.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\SurferClient.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\acer\epm\epm-dm.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\program files\altnet\points manager\points manager.exe
C:\WINDOWS\system32\asrsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wisptis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SurfNavigator] C:\WINDOWS\system32\SurferClient.exe
O4 - HKLM\..\Run: [AutomatedSurfer] C:\WINDOWS\system32\SurferClient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [MicrosoftUpdate] C:\WINDOWS\system32\MSServx.exe
O4 - HKLM\..\Run: [Option Bib Logo Log] C:\Documents and Settings\All Users\Application Data\LICENSE ADMIN OPTION BIB\BASH BOOB.exe
O4 - HKLM\..\Run: [Application Layer Services] asrsvc.exe
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\lqqyrufq.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SurfNavigator] C:\WINDOWS\system32\SurferClient.exe
O4 - HKCU\..\Run: [AutomatedSurfer] C:\WINDOWS\system32\SurferClient.exe
O4 - HKCU\..\Run: [book ante] C:\DOCUME~1\Hanis\APPLIC~1\ELSEPL~1\AXISNEW.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [AutomatedSurfer] C:\WINDOWS\system32\SurferClient.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AutomatedSurfer] C:\WINDOWS\system32\SurferClient.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Hanis\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F551} (Flatcast Viewer 4.15) - http://www.flatcast.info/objects/NpFv415.dll
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O23 - Service: Notebook Manager Service (anbmService) - Unknown owner - C:\Acer\eManager\anbmServ.exe (file missing)
O23 - Service: Auto HotKey Poller - Unknown owner - C:\WINDOWS\system32\winpol.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\ohprotig.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: AutomatedSurfer (SurferService) - Unknown owner - C:\WINDOWS\system32\srvany.exe

--
End of file - 9141 bytes

Cheeseball81 · Nov 7, 2007

Download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

...

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

nezhaniswinnie · Nov 8, 2007

Cheeseball81, before I proceed, the software tells me that for the removal of virus, it will reboot windows. that means my documents will be lost? Actually, i don't prefer rebooting the whole system. i only wanted to remove the virus without the any rebooting.

Cheeseball81 · Nov 9, 2007

Rebooting means it's restarting the system. You might be confusing it with reformatting - which wipes everything out. 2 totally different things.

nezhaniswinnie · Nov 11, 2007

ComboFix 07-11-08.1 - Hanis 2007-11-12 12:33:03.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.486 [GMT 8:00]
Running from: C:\Documents and Settings\Hanis\Local Settings\Temporary Internet Files\Content.IE5\318KLK0R\ComboFix[1].exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2006
C:\Documents and Settings\Guest\Application Data\WinAntiVirus Pro 2006
C:\Documents and Settings\Guest\Application Data\WinAntiVirus Pro 2006\Logs\wa6Support.log
C:\Documents and Settings\Guest\Application Data\WinAntiVirus Pro 2006\Logs\winav.log
C:\Documents and Settings\Hanis\Application Data\macromedia\Flash Player\#SharedObjects\UUTHLSXV\iforex.com
C:\Documents and Settings\Hanis\Application Data\macromedia\Flash Player\#SharedObjects\UUTHLSXV\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Hanis\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Hanis\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\Hanis\Application Data\WinAntiVirus Pro 2006
C:\Documents and Settings\Hanis\Application Data\WinAntiVirus Pro 2006\Logs\update.log
C:\Documents and Settings\Hanis\Application Data\WinAntiVirus Pro 2006\Logs\wa6Support.log
C:\Documents and Settings\Hanis\Application Data\WinAntiVirus Pro 2006\Logs\winav.log
C:\Documents and Settings\Hanis\Application Data\WinAntiVirus Pro 2006\PGE.dat
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\Program Files\Common Files\Companion Wizard\WapCHK.dll
C:\Program Files\Common Files\Companion Wizard\WapCHK{231E135C-0BF8-41E8-9C33-1013B4881AFE}.dll
C:\Program Files\Common Files\companion wizard\WapCHK{26DAD9D7-6890-42F7-B41B-ADCAD0552EDC}.dll
C:\Program Files\Common Files\companion wizard\WapCHK{481186AC-E2A4-4E17-AE05-3CCB3C32900A}.dll
C:\Program Files\Common Files\companion wizard\WapCHK{B5524BDB-295C-4CA7-89A6-E8981A57754B}.dll
C:\Program Files\Common Files\winantivirus pro 2006
C:\Program Files\Common Files\WinAntiVirus Pro 2006\WapCHK.dll
C:\Program Files\Instant Messenger Names
C:\Program Files\Instant Messenger Names\1.exe
C:\Program Files\Instant Messenger Names\2.exe
C:\Program Files\Instant Messenger Names\IM-svr.exe
C:\Program Files\Instant Messenger Names\IMNames.exe
C:\Program Files\Instant Messenger Names\main.exe
C:\Program Files\VideoAccessCodec
C:\Program Files\VideoAccessCodec\install.ico
C:\WINDOWS\cookies.ini
C:\WINDOWS\dat.txt
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\msvb.dll
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\NDNuninstall7_22.exe
C:\WINDOWS\NDNuninstall7_48.exe
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\sysdx.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\bdeeg.bak1
C:\WINDOWS\system32\bdeeg.bak2
C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\bdeeg.ini2
C:\WINDOWS\system32\ciejeydj.exe
C:\WINDOWS\system32\dwbjsced.exe
C:\WINDOWS\system32\geedb.dll
C:\WINDOWS\system32\hgglcrvp.exe
C:\WINDOWS\system32\hhcteusm.dll
C:\WINDOWS\system32\internet.exe
C:\WINDOWS\system32\ndkqftvn.exe
C:\WINDOWS\system32\nudweanc.exe
C:\WINDOWS\system32\obwgwclu.exe
C:\WINDOWS\system32\ohprotig.exe
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\update.exe
C:\WINDOWS\system32\vevaqfcr.exe
C:\WINDOWS\system32\winpol.exe
C:\WINDOWS\wsremover.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_AUTO_HOTKEY_POLLER
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_VSPF
-------\LEGACY_VSPF_HK
-------\Auto HotKey Poller
-------\DomainService
-------\vspf
-------\vspf_hk

((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.

2007-11-12 07:56 79,936 --a------ C:\WINDOWS\system32\eyugxeug.dll
2007-11-12 07:53 88,128 --a------ C:\WINDOWS\system32\keoegtlu.dll
2007-11-12 07:47 71,232 --a------ C:\WINDOWS\system32\hjgnevph.exe
2007-11-11 21:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-11 00:57 81,472 --a------ C:\WINDOWS\system32\clgdocwv.dll
2007-11-11 00:49 71,232 --a------ C:\WINDOWS\system32\wiulusyt.exe
2007-11-10 00:24 77,888 --a------ C:\WINDOWS\system32\cmsfaqlg.dll
2007-11-10 00:21 71,232 --a------ C:\WINDOWS\system32\ysjrtlne.exe
2007-11-09 19:43 <DIR> d-------- C:\Documents and Settings\Hanis\Incomplete
2007-11-09 10:47 80,448 --a------ C:\WINDOWS\system32\cwnhrwyv.dll
2007-11-09 10:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-09 02:30 <DIR> d-------- C:\Program Files\Else plus
2007-11-09 02:27 36,352 --a------ C:\WINDOWS\system32\efcywus.dll
2007-11-08 12:19 71,232 --a------ C:\WINDOWS\system32\npuqfrnn.exe
2007-11-07 11:45 71,232 --a------ C:\WINDOWS\system32\jyrgityy.exe
2007-11-07 11:14 71,232 --a------ C:\WINDOWS\system32\opsjgwlc.exe
2007-11-05 12:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-05 12:42 <DIR> d-------- C:\BackUpMSNCleaner
2007-11-03 22:54 36,352 --a------ C:\WINDOWS\system32\vtuuroo.dll
2007-11-03 22:50 36,352 --a------ C:\WINDOWS\system32\opnolii.dll
2007-11-02 22:21 33,280 --a------ C:\WINDOWS\system32\xxywwwt.dll
2007-11-02 22:20 33,280 --a------ C:\WINDOWS\system32\yaywvuu.dll
2007-11-02 11:14 <DIR> d-------- C:\WINDOWS\pss
2007-11-01 10:06 33,280 --a------ C:\WINDOWS\system32\xxyabxv.dll
2007-11-01 09:37 33,280 --a------ C:\WINDOWS\system32\nnnkhhi.dll
2007-11-01 09:36 33,280 --a------ C:\WINDOWS\system32\awtrstu.dll
2007-11-01 09:36 10,752 -r-hs---- C:\WINDOWS\system32\asrsvc.exe
2007-10-20 14:16 <DIR> d-------- C:\Program Files\mp3DirectCut
2007-10-16 22:53 <DIR> d-------- C:\Program Files\Windows Journal Viewer
2007-10-12 12:26 <DIR> d-------- C:\Documents and Settings\Hanis\Application Data\Apple Computer
2007-10-12 12:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-12 12:24 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-12 12:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 04:46 905 ----a-w C:\WINDOWS\Fonts\acrsecI.fon
2007-10-09 12:35 408,092 ----a-w C:\WINDOWS\system32\MSServx.exe
2007-10-08 05:18 --------- d-----w C:\Program Files\SystemDefender
2007-09-26 06:20 --------- d-----w C:\Documents and Settings\Hanis\Application Data\Netscape
2007-09-26 06:19 --------- d-----w C:\Program Files\Netscape
2007-09-17 12:01 --------- d-----w C:\Program Files\JustZIPit
2007-09-11 07:05 1,761 ----a-w C:\WINDOWS\Fonts\acrsecB.fon
2007-08-29 10:27 464,112 ----a-w C:\WINDOWS\daffy.scr
2007-08-29 10:27 461,308 ----a-w C:\WINDOWS\daffy.exe
2007-08-29 10:27 40,960 ----a-w C:\WINDOWS\daffy.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-08-13 10:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-13 10:54 413,696 ----a-w C:\WINDOWS\system32\dllcache\vbscript.dll
2007-08-13 10:54 33,792 ----a-w C:\WINDOWS\system32\dllcache\custsat.dll
2007-08-13 10:54 191,488 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-13 10:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-13 10:54 156,160 ----a-w C:\WINDOWS\system32\dllcache\msls31.dll
2007-08-13 10:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-13 10:45 78,336 ----a-w C:\WINDOWS\system32\dllcache\ieencode.dll
2007-08-13 10:44 69,120 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-13 10:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-13 10:44 40,960 ----a-w C:\WINDOWS\system32\dllcache\licmgr10.dll
2007-08-13 10:39 92,672 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-13 10:39 71,680 ----a-w C:\WINDOWS\system32\dllcache\admparse.dll
2007-08-13 10:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-13 10:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-13 10:39 55,296 ----a-w C:\WINDOWS\system32\dllcache\iesetup.dll
2007-08-13 10:38 491,520 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-08-13 10:36 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-13 10:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-13 10:36 36,352 ----a-w C:\WINDOWS\system32\dllcache\imgutil.dll
2007-08-13 10:35 346,624 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-13 10:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-13 10:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\mshta.exe
2007-08-13 10:18 60,416 ----a-w C:\WINDOWS\system32\dllcache\hmmapi.dll
2007-08-13 10:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2007-08-13 10:01 48,128 ----a-w C:\WINDOWS\system32\dllcache\mshtmler.dll
2006-11-13 12:39 84 ----a-w C:\Documents and Settings\Hanis\cmd2.cmd
2006-11-13 12:39 110,592 ----a-w C:\Documents and Settings\Hanis\mtr.exe
2004-08-03 21:00 774,144 ----a-w C:\Documents and Settings\dotnetfx\XPSPUI.DLL
2004-08-03 21:00 647,168 ----a-w C:\Documents and Settings\dotnetfx\SITSETUP.DLL
2004-08-03 21:00 487,424 ----a-w C:\Documents and Settings\dotnetfx\MSVCP70.DLL
2004-08-03 21:00 40,960 ----a-w C:\Documents and Settings\dotnetfx\CMNRES.DLL
2004-08-03 21:00 36,864 ----a-w C:\Documents and Settings\dotnetfx\SUITE.DLL
2004-08-03 21:00 36,864 ----a-w C:\Documents and Settings\dotnetfx\DELTEMP.EXE
2004-08-03 21:00 344,064 ----a-w C:\Documents and Settings\dotnetfx\MSVCR70.DLL
2004-08-03 21:00 339,968 ----a-w C:\Documents and Settings\dotnetfx\TEMPLMGR.DLL
2004-08-03 21:00 335,872 ----a-w C:\Documents and Settings\dotnetfx\GENCOMP.DLL
2004-08-03 21:00 308 ----a-w C:\Documents and Settings\dotnetfx\DFFACT.DAT
2004-08-03 21:00 286,720 ----a-w C:\Documents and Settings\dotnetfx\XPSPSCEN.DLL
2004-08-03 21:00 274,432 ----a-w C:\Documents and Settings\dotnetfx\UIMGR.DLL
2004-08-03 21:00 24,265,736 ----a-w C:\Documents and Settings\dotnetfx\DOTNETFX.EXE
2004-08-03 21:00 233,472 ----a-w C:\Documents and Settings\dotnetfx\DFDEPUI.DLL
2004-08-03 21:00 200,704 ----a-w C:\Documents and Settings\dotnetfx\XPSPREQS.DLL
2004-08-03 21:00 200,704 ----a-w C:\Documents and Settings\dotnetfx\SVRGRMGR.DLL
2004-08-03 21:00 192,512 ----a-w C:\Documents and Settings\dotnetfx\DEPMGR.DLL
2004-08-03 21:00 163,840 ----a-w C:\Documents and Settings\dotnetfx\DFCHGFLD.DLL
2004-08-03 21:00 155,648 ----a-w C:\Documents and Settings\dotnetfx\SETUPDB.DLL
2004-08-03 21:00 147,456 ----a-w C:\Documents and Settings\dotnetfx\CDMGR.DLL
2004-08-03 21:00 143,360 ----a-w C:\Documents and Settings\dotnetfx\DISKMGR.DLL
2004-08-03 21:00 143,360 ----a-w C:\Documents and Settings\dotnetfx\ACCMGR.DLL
2004-08-03 21:00 139,264 ----a-w C:\Documents and Settings\dotnetfx\SETLOG.DLL
2004-08-03 21:00 135,168 ----a-w C:\Documents and Settings\dotnetfx\VALIDATE.DLL
2004-08-03 21:00 135,168 ----a-w C:\Documents and Settings\dotnetfx\DFFACT.DLL
2004-08-03 21:00 131,072 ----a-w C:\Documents and Settings\dotnetfx\HTMLLITE.DLL
2004-08-03 21:00 129,720 ----a-w C:\Documents and Settings\dotnetfx\SETUP.EXE
2004-08-03 21:00 122,880 ----a-w C:\Documents and Settings\dotnetfx\DEFHELP.DLL
2004-08-03 21:00 118,784 ----a-w C:\Documents and Settings\dotnetfx\REBOOTST.EXE
2004-08-03 21:00 10,694,464 ----a-w C:\Documents and Settings\dotnetfx\NDPSP.EXE
2004-08-03 21:00 1,773 ----a-w C:\Documents and Settings\dotnetfx\BASELINE.DAT
2007-01-23 13:35:10 3,140 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-01-23 13:33:40 8 --sh--r C:\WINDOWS\system32\21D33CA5AB.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-90F0-F66AB581A933}]
C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}]
C:\Program Files\RXToolBar\sfcont.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-03 22:50 36352 --a------ C:\WINDOWS\system32\opnolii.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b0da615c-848d-40bd-a95f-22796762fdc8}]
2007-11-12 07:56 79936 --a------ C:\WINDOWS\system32\eyugxeug.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-07 16:17]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-07 16:16]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-22 19:31]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 01:07]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-03-24 21:22]
"nwiz"="nwiz.exe" [2005-03-24 21:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-03-24 21:22]
"SoundMan"="SOUNDMAN.EXE" [2004-12-01 15:54 C:\WINDOWS\soundman.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-15 11:45 C:\WINDOWS\AGRSMMSG.exe]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-04-21 10:13]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2005-03-15 10:03]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2005-10-14 15:38]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 C:\WINDOWS\system32\bthprops.cpl]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 16:54]
"SemanticInsight"="C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"SurfNavigator"="C:\WINDOWS\system32\SurferClient.exe" [2007-01-28 12:14]
"AutomatedSurfer"="C:\WINDOWS\system32\SurferClient.exe" [2007-01-28 12:14]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"AltnetPointsManager"="c:\program files\altnet\points manager\points manager.exe" [2006-07-19 17:01]
"MicrosoftUpdate"="C:\WINDOWS\system32\MSServx.exe" [2007-10-09 20:35]
"Application Layer Services"="asrsvc.exe" [2007-11-01 00:50 C:\WINDOWS\system32\asrsvc.exe]
"Option Bib Logo Log"="C:\Documents and Settings\All Users\Application Data\LICENSE ADMIN OPTION BIB\Logo Start.exe" [2007-11-12 12:46]
"320d18a1"="C:\WINDOWS\system32\keoegtlu.dll" [2007-11-12 07:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"SurfNavigator"="C:\WINDOWS\system32\SurferClient.exe" [2007-01-28 12:14]
"AutomatedSurfer"="C:\WINDOWS\system32\SurferClient.exe" [2007-01-28 12:14]
"book ante"="C:\DOCUME~1\Hanis\APPLIC~1\ELSEPL~1\AXISNEW.exe" [2007-11-09 02:29]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AutomatedSurfer"=C:\WINDOWS\system32\SurferClient.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 04:05:56]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-05-27 13:41:44]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-08-16 14:06:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\opnolii.dll [2007-11-03 22:50 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnolii]
opnolii.dll 2007-11-03 22:50 36352 C:\WINDOWS\system32\opnolii.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geedb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messaging]
C:\Program Files\Instant Messenger Names\IM-svr.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R2 osaio;osaio;\??\C:\WINDOWS\system32\drivers\osaio.sys
R2 osanbm;osanbm;\??\C:\WINDOWS\system32\drivers\osanbm.sys
R2 SurferService;AutomatedSurfer;C:\WINDOWS\system32\srvany.exe
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
R3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys
R4 DritekPortIO;Dritek General Port I/O;\??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys
S3 SE2Bbus;Sony Ericsson Device 043 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Bbus.sys
S3 SE2Bmdfl;Sony Ericsson Device 043 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Bmdfl.sys
S3 SE2Bmdm;Sony Ericsson Device 043 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Bmdm.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-06 15:55:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-12 03:00:06 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-11-12 03:00:02 C:\WINDOWS\Tasks\ADADC1DD918A7E25.job"
- c:\docume~1\hanis\applic~1\elsepl~1\Thunkdeafgreat.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 12:45:36
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MicrosoftUpdate = C:\WINDOWS\system32\MSServx.exe????????|???B???|????????8)5?8k%????w?g%?H)5?|?#????w??????#???#?9????R??H"5???????EventWrite?d?er?%[email protected]????g%????|??%[email protected]?????????%???#????????????|???BD?#?l??|,?#?????4?#????????|?&5???#?Q??|??5?m??|??#??&5????????|p?#??2?|9??????????? ??????B??#????B???w???B?????2?|????????p??|???BH???????X??????|?2?|?????2?|???|??????????5???#???5???????#?(?#?????????<???????D?#????|??#????|p??|????m??|???|??5??????&5?(?#?\??|?&5??&5?9??\??#????|?s?|[email protected]?????|[email protected]?|FA?|???|????????????????????p 5?(&5?T&5????|?????????????????&5?x%5?T&5??&5?????????T&5??!5?P??|??#??%5?T&5? &5????|?&5????|?!5?9??\[email protected]??????????????T&5?T&5??&5???#??&5?4?#???????#????|?r?|?????s?|?a?|???\?`?|[email protected]?????|0???????????????????????????????????????????????0???????????????????????????????????????????????????????8%?|??????????#[email protected]???????????0?#???????#??????%?|?????#?|????0????????#?|D?F?$???J?L??"%?(??????|[email protected]?>[email protected]?????>???????????????????????Ct?|??5? ??????????????????????????????????????|????"??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-12 12:47:10 - machine was rebooted
.
--- E O F ---

nezhaniswinnie · Nov 11, 2007

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:00 PM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\SurferClient.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\acer\epm\epm-dm.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\program files\altnet\points manager\points manager.exe
C:\WINDOWS\system32\asrsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL (file missing)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\opnolii.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {8cdf2676-9722-f59a-db04-d848c516ad0b} - {b0da615c-848d-40bd-a95f-22796762fdc8} - C:\WINDOWS\system32\eyugxeug.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SurfNavigator] C:\WINDOWS\system32\SurferClient.exe
O4 - HKLM\..\Run: [AutomatedSurfer] C:\WINDOWS\system32\SurferClient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [MicrosoftUpdate] C:\WINDOWS\system32\MSServx.exe
O4 - HKLM\..\Run: [Application Layer Services] asrsvc.exe
O4 - HKLM\..\Run: [Option Bib Logo Log] C:\Documents and Settings\All Users\Application Data\LICENSE ADMIN OPTION BIB\Logo Start.exe
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\keoegtlu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SurfNavigator] C:\WINDOWS\system32\SurferClient.exe
O4 - HKCU\..\Run: [AutomatedSurfer] C:\WINDOWS\system32\SurferClient.exe
O4 - HKCU\..\Run: [book ante] C:\DOCUME~1\Hanis\APPLIC~1\ELSEPL~1\AXISNEW.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [AutomatedSurfer] C:\WINDOWS\system32\SurferClient.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AutomatedSurfer] C:\WINDOWS\system32\SurferClient.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Hanis\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F551} (Flatcast Viewer 4.15) - http://www.flatcast.info/objects/NpFv415.dll
O20 - Winlogon Notify: opnolii - C:\WINDOWS\SYSTEM32\opnolii.dll
O23 - Service: Notebook Manager Service (anbmService) - Unknown owner - C:\Acer\eManager\anbmServ.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: AutomatedSurfer (SurferService) - Unknown owner - C:\WINDOWS\system32\srvany.exe

--
End of file - 9842 bytes

Cheeseball81 · Nov 12, 2007

Download the Trial version of Superantispyware Pro (SAS):
http://www.superantispyware.com/superantispyware.html?rid=3132

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new Hijack This log.

nezhaniswinnie · Nov 12, 2007

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/13/2007 at 12:20 PM

Application Version : 3.9.1008

Core Rules Database Version : 3343
Trace Rules Database Version: 1344

Scan type : Complete Scan
Total Scan Time : 00:20:27

Memory items scanned : 407
Memory threats detected : 5
Registry items scanned : 4955
Registry threats detected : 72
File items scanned : 36018
File threats detected : 91

Adware.Vundo-Variant
C:\WINDOWS\SYSTEM32\RWMZFADV.DLL
C:\WINDOWS\SYSTEM32\RWMZFADV.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07091697-eb9e-4a65-9443-8a42bfa84a29}
HKCR\CLSID\{07091697-EB9E-4A65-9443-8A42BFA84A29}
HKCR\CLSID\{07091697-EB9E-4A65-9443-8A42BFA84A29}\InprocServer32
HKCR\CLSID\{07091697-EB9E-4A65-9443-8A42BFA84A29}\InprocServer32#ThreadingModel
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rwmzfadv
C:\WINDOWS\SYSTEM32\GFXVYDOH.DLL
C:\WINDOWS\SYSTEM32\CMSFAQLG.DLL
C:\WINDOWS\SYSTEM32\CLGDOCWV.DLL
C:\WINDOWS\SYSTEM32\CWNHRWYV.DLL
C:\WINDOWS\SYSTEM32\EYUGXEUG.DLL

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\OPNOLII.DLL
C:\WINDOWS\SYSTEM32\OPNOLII.DLL
HKLM\Software\Classes\CLSID\{634BBAB7-3F60-4426-944F-A62B9007F67F}
HKCR\CLSID\{634BBAB7-3F60-4426-944F-A62B9007F67F}
HKCR\CLSID\{634BBAB7-3F60-4426-944F-A62B9007F67F}\InprocServer32
HKCR\CLSID\{634BBAB7-3F60-4426-944F-A62B9007F67F}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{A8FA26E1-C23E-4F35-B02B-439584E15A7E}
HKCR\CLSID\{A8FA26E1-C23E-4F35-B02B-439584E15A7E}
HKCR\CLSID\{A8FA26E1-C23E-4F35-B02B-439584E15A7E}\InprocServer32
HKCR\CLSID\{A8FA26E1-C23E-4F35-B02B-439584E15A7E}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEEDB.DLL
HKLM\Software\Classes\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{634BBAB7-3F60-4426-944F-A62B9007F67F}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\opnolii
HKCR\CLSID\{634BBAB7-3F60-4426-944F-A62B9007F67F}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
C:\WINDOWS\SYSTEM32\IIFGDCY.DLL
C:\WINDOWS\SYSTEM32\VTUUROO.DLL
C:\WINDOWS\SYSTEM32\EFCYWUS.DLL

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\VTSQN.DLL
C:\WINDOWS\SYSTEM32\VTSQN.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D82ED696-2E9F-4EFC-9096-B4FD7A4DBB4A}
HKCR\CLSID\{D82ED696-2E9F-4EFC-9096-B4FD7A4DBB4A}
HKCR\CLSID\{D82ED696-2E9F-4EFC-9096-B4FD7A4DBB4A}\InprocServer32
HKCR\CLSID\{D82ED696-2E9F-4EFC-9096-B4FD7A4DBB4A}\InprocServer32#ThreadingModel

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\YRUSXSHW.DLL
C:\WINDOWS\SYSTEM32\YRUSXSHW.DLL

Adware.eZula
C:\WINDOWS\SYSTEM32\WMKHKMAD.EXE
C:\WINDOWS\SYSTEM32\WMKHKMAD.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OHPROTIG.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OBWGWCLU.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\CIEJEYDJ.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DWBJSCED.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VEVAQFCR.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\NUDWEANC.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HGGLCRVP.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\NDKQFTVN.EXE.VIR
C:\WINDOWS\Prefetch\WMKHKMAD.EXE-32E69222.pf

Adware.Lop
[book ante] C:\DOCUME~1\HANIS\APPLIC~1\ELSEPL~1\AXISNEW.EXE
C:\DOCUME~1\HANIS\APPLIC~1\ELSEPL~1\AXISNEW.EXE
C:\DOCUMENTS AND SETTINGS\HANIS\APPLICATION DATA\ELSE PLUS\AXISNEW.EXE
C:\WINDOWS\Prefetch\AXISNEW.EXE-258D0485.pf

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{2AB289AE-4B90-4281-B2AE-1F4BB034B647}
HKCR\CLSID\{2AB289AE-4B90-4281-B2AE-1F4BB034B647}
HKCR\CLSID\{2AB289AE-4B90-4281-B2AE-1F4BB034B647}
HKCR\CLSID\{2AB289AE-4B90-4281-B2AE-1F4BB034B647}\InprocServer32
HKCR\CLSID\{2AB289AE-4B90-4281-B2AE-1F4BB034B647}\InprocServer32#ThreadingModel
HKCR\CLSID\{2AB289AE-4B90-4281-B2AE-1F4BB034B647}\KeyPhrasesFileName
HKCR\CLSID\{2AB289AE-4B90-4281-B2AE-1F4BB034B647}\ProgID
HKCR\CLSID\{2AB289AE-4B90-4281-B2AE-1F4BB034B647}\VersionIndependentProgID
C:\PROGRAM FILES\RXTOOLBAR\SFCONT.DLL
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{11A69AE4-FBED-4832-A2BF-45AF82825583}

InstaFinderK BHO
HKLM\Software\Classes\CLSID\{4E7BD74F-2B8D-469E-90F0-F66AB581A933}
HKCR\CLSID\{4E7BD74F-2B8D-469E-90F0-F66AB581A933}
HKCR\CLSID\{4E7BD74F-2B8D-469E-90F0-F66AB581A933}
HKCR\CLSID\{4E7BD74F-2B8D-469E-90F0-F66AB581A933}\InprocServer32
HKCR\CLSID\{4E7BD74F-2B8D-469E-90F0-F66AB581A933}\InprocServer32#ThreadingModel
HKCR\CLSID\{4E7BD74F-2B8D-469E-90F0-F66AB581A933}\ProgID
C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-90F0-F66AB581A933}

Adware.RX Toolbar
HKLM\Software\Classes\CLSID\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}
HKCR\CLSID\{59879FA4-4790-461C-A1CC-4EC4DE4CA483}
HKCR\CLSID\{59879FA4-4790-461C-A1CC-4EC4DE4CA483}
HKCR\CLSID\{59879FA4-4790-461C-A1CC-4EC4DE4CA483}\InprocServer32
HKCR\CLSID\{59879FA4-4790-461C-A1CC-4EC4DE4CA483}\InprocServer32#ThreadingModel
HKCR\CLSID\{59879FA4-4790-461C-A1CC-4EC4DE4CA483}\ProgID
HKCR\CLSID\{59879FA4-4790-461C-A1CC-4EC4DE4CA483}\VersionIndependentProgID
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}

Trojan.Downloader-Gen/DDC
HKLM\System\ControlSet001\Services\DomainService
HKLM\System\ControlSet003\Services\DomainService
HKLM\System\CurrentControlSet\Services\DomainService
C:\WINDOWS\SYSTEM32\OPSJGWLC.EXE
C:\WINDOWS\SYSTEM32\JYRGITYY.EXE
C:\WINDOWS\SYSTEM32\YSJRTLNE.EXE
C:\WINDOWS\SYSTEM32\NPUQFRNN.EXE
C:\WINDOWS\SYSTEM32\WIULUSYT.EXE
C:\WINDOWS\SYSTEM32\HJGNEVPH.EXE

Adware.Tracking Cookie
C:\Documents and Settings\Hanis\Cookies\[email protected][2].txt
C:\Documents and Settings\Hanis\Cookies\[email protected][2].txt
C:\Documents and Settings\Hanis\Cookies\[email protected][2].txt
C:\Documents and Settings\Hanis\Cookies\[email protected][1].txt
C:\Documents and Settings\Hanis\Cookies\[email protected][1].txt
C:\Documents and Settings\Hanis\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt

Adware.WhenU
HKCR\WUSE.1
HKCR\WUSE.1#WUSE_Id

Trojan.NewDotNet
HKU\.DEFAULT\Software\New.net
HKU\S-1-5-19\Software\New.net
HKU\S-1-5-18\Software\New.net
C:\QOOBOX\QUARANTINE\C\WINDOWS\NDNUNINSTALL7_48.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\NDNUNINSTALL6_38.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\NDNUNINSTALL7_22.EXE.VIR

Malware.DriveCleaner
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}#SystemComponent
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}#Installer
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\AvailableVersion
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\AvailableVersion#Precache
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\DownloadInformation
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\DownloadInformation#CODEBASE

Malware.System Defender
C:\Program Files\SystemDefender

Spyware.RelevantKnowledge
C:\WINDOWS\SYSTEM32\RKINSTALLER.EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\NQSTV.BAK1

Adware.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\AWTRSTU.DLL
C:\WINDOWS\SYSTEM32\NNNKHHI.DLL
C:\WINDOWS\SYSTEM32\XXYABXV.DLL
C:\WINDOWS\SYSTEM32\YAYWVUU.DLL
C:\WINDOWS\SYSTEM32\XXYWWWT.DLL

Adware.Lop-Gen
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SCR THIRD HEART MESS\MORE ITCH.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SCR THIRD HEART MESS\ACIDWMA.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SCR THIRD HEART MESS\FAST FRAG.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SCR THIRD HEART MESS\MEMO BOLD.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SCR THIRD HEART MESS\2ANTE.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SCR THIRD HEART MESS\WEBINTER.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SCR THIRD HEART MESS\ARMY AMEN.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SCR THIRD HEART MESS\FORD OPTION.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SCR THIRD HEART MESS\POLL MEDIA.EXE
C:\DOCUMENTS AND SETTINGS\HANIS\APPLICATION DATA\ELSE PLUS\DTNLTFSO.EXE
C:\DOCUMENTS AND SETTINGS\HANIS\APPLICATION DATA\ELSE PLUS\GRFYENBD.EXE
C:\DOCUMENTS AND SETTINGS\HANIS\APPLICATION DATA\ELSE PLUS\HRXWBHNW.EXE

Adware.Lop-Variant
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\LICENSE ADMIN OPTION BIB\AUDIO PURE.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\LICENSE ADMIN OPTION BIB\LOGO START.EXE
C:\DOCUMENTS AND SETTINGS\HANIS\APPLICATION DATA\ELSE PLUS\JOYPOKEFORKBLUE.EXE
C:\DOCUMENTS AND SETTINGS\HANIS\APPLICATION DATA\ELSE PLUS\THUNKDEAFGREAT.EXE
C:\DOCUMENTS AND SETTINGS\HANIS\APPLICATION DATA\ELSE PLUS\AGUIUQSC.EXE
C:\DOCUMENTS AND SETTINGS\HANIS\APPLICATION DATA\ELSE PLUS\THUNKMEETPOKE.EXE
C:\DOCUMENTS AND SETTINGS\HANIS\APPLICATION DATA\ELSE PLUS\AGFABBZG.EXE
C:\DOCUMENTS AND SETTINGS\HANIS\APPLICATION DATA\ELSE PLUS\OFKMMAPO.EXE
C:\DOCUMENTS AND SETTINGS\HANIS\APPLICATION DATA\ELSE PLUS\YJLYUGAG.EXE
C:\DOCUMENTS AND SETTINGS\HANIS\APPLICATION DATA\ELSE PLUS\SSSVPPCL.EXE
C:\DOCUMENTS AND SETTINGS\HANIS\APPLICATION DATA\ELSE PLUS\MKVLLSDX.EXE
C:\DOCUMENTS AND SETTINGS\HANIS\APPLICATION DATA\ELSE PLUS\ZATZBIRG.EXE
C:\PROGRAM FILES\ADVERTS\UNINST.EXE
C:\WINDOWS\Prefetch\THUNKDEAFGREAT.EXE-1C4C1537.pf
C:\WINDOWS\Prefetch\LOGO START.EXE-06CCDD0A.pf

Adware.Need2Find
C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS\NPND2FN.DLL

Adware.PointsManager-Uninstaller
C:\PROGRAM FILES\ALTNET\DOWNLOAD MANAGER\ALTNETUNINSTALL.EXE

nezhaniswinnie · Nov 12, 2007

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:26 PM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\acer\epm\epm-dm.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\SurferClient.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\program files\altnet\points manager\points manager.exe
C:\WINDOWS\system32\asrsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SurfNavigator] C:\WINDOWS\system32\SurferClient.exe
O4 - HKLM\..\Run: [AutomatedSurfer] C:\WINDOWS\system32\SurferClient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [MicrosoftUpdate] C:\WINDOWS\system32\MSServx.exe
O4 - HKLM\..\Run: [Application Layer Services] asrsvc.exe
O4 - HKLM\..\Run: [Option Bib Logo Log] C:\Documents and Settings\All Users\Application Data\LICENSE ADMIN OPTION BIB\Logo Start.exe
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\hnwfesvw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SurfNavigator] C:\WINDOWS\system32\SurferClient.exe
O4 - HKCU\..\Run: [AutomatedSurfer] C:\WINDOWS\system32\SurferClient.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [AutomatedSurfer] C:\WINDOWS\system32\SurferClient.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AutomatedSurfer] C:\WINDOWS\system32\SurferClient.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Hanis\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F551} (Flatcast Viewer 4.15) - http://www.flatcast.info/objects/NpFv415.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Notebook Manager Service (anbmService) - Unknown owner - C:\Acer\eManager\anbmServ.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: AutomatedSurfer (SurferService) - Unknown owner - C:\WINDOWS\system32\srvany.exe

--
End of file - 8871 bytes

Cheeseball81 · Nov 13, 2007

Now please rerun ComboFix and post the results along with a new Hijack This log.

nezhaniswinnie · Nov 14, 2007

ComboFix 07-11-08.1 - Hanis 2007-11-14 21:49:47.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.509 [GMT 8:00]
Running from: C:\Documents and Settings\Hanis\Local Settings\Temporary Internet Files\Content.IE5\EP841EV4\ComboFix[1].exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\system32\internet.exe
C:\WINDOWS\system32\rwmzfadv.dllbox
C:\WINDOWS\system32\update.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE

((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-13 12:03 109,161 ---hs---- C:\WINDOWS\system32\nqstv.ini2
2007-11-13 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-13 11:45 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-13 11:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-13 11:45 <DIR> d-------- C:\Documents and Settings\Hanis\Application Data\SUPERAntiSpyware.com
2007-11-12 23:11 88,128 --a------ C:\WINDOWS\system32\hnwfesvw.dll
2007-11-12 23:08 100,365 ---hs---- C:\WINDOWS\system32\nqstv.bak2
2007-11-11 21:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-09 19:43 <DIR> d-------- C:\Documents and Settings\Hanis\Incomplete
2007-11-09 10:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-09 02:30 <DIR> d-------- C:\Program Files\Else plus
2007-11-05 12:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-05 12:42 <DIR> d-------- C:\BackUpMSNCleaner
2007-11-02 11:14 <DIR> d-------- C:\WINDOWS\pss
2007-11-01 09:36 10,752 -r-hs---- C:\WINDOWS\system32\asrsvc.exe
2007-10-20 14:16 <DIR> d-------- C:\Program Files\mp3DirectCut
2007-10-16 22:53 <DIR> d-------- C:\Program Files\Windows Journal Viewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-12 04:26 --------- d-----w C:\Documents and Settings\Hanis\Application Data\Apple Computer
2007-10-12 04:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-12 04:24 --------- d-----w C:\Program Files\Apple Software Update
2007-10-12 04:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-10-09 12:35 408,092 ----a-w C:\WINDOWS\system32\MSServx.exe
2007-09-26 06:20 --------- d-----w C:\Documents and Settings\Hanis\Application Data\Netscape
2007-09-26 06:19 --------- d-----w C:\Program Files\Netscape
2007-09-17 12:01 --------- d-----w C:\Program Files\JustZIPit
2007-09-11 07:05 1,761 ----a-w C:\WINDOWS\Fonts\acrsecB.fon
2007-08-29 10:27 464,112 ----a-w C:\WINDOWS\daffy.scr
2007-08-29 10:27 461,308 ----a-w C:\WINDOWS\daffy.exe
2007-08-29 10:27 40,960 ----a-w C:\WINDOWS\daffy.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2006-11-13 12:39 84 ----a-w C:\Documents and Settings\Hanis\cmd2.cmd
2006-11-13 12:39 110,592 ----a-w C:\Documents and Settings\Hanis\mtr.exe
2004-08-03 21:00 774,144 ----a-w C:\Documents and Settings\dotnetfx\XPSPUI.DLL
2004-08-03 21:00 647,168 ----a-w C:\Documents and Settings\dotnetfx\SITSETUP.DLL
2004-08-03 21:00 487,424 ----a-w C:\Documents and Settings\dotnetfx\MSVCP70.DLL
2004-08-03 21:00 40,960 ----a-w C:\Documents and Settings\dotnetfx\CMNRES.DLL
2004-08-03 21:00 36,864 ----a-w C:\Documents and Settings\dotnetfx\SUITE.DLL
2004-08-03 21:00 36,864 ----a-w C:\Documents and Settings\dotnetfx\DELTEMP.EXE
2004-08-03 21:00 344,064 ----a-w C:\Documents and Settings\dotnetfx\MSVCR70.DLL
2004-08-03 21:00 339,968 ----a-w C:\Documents and Settings\dotnetfx\TEMPLMGR.DLL
2004-08-03 21:00 335,872 ----a-w C:\Documents and Settings\dotnetfx\GENCOMP.DLL
2004-08-03 21:00 308 ----a-w C:\Documents and Settings\dotnetfx\DFFACT.DAT
2004-08-03 21:00 286,720 ----a-w C:\Documents and Settings\dotnetfx\XPSPSCEN.DLL
2004-08-03 21:00 274,432 ----a-w C:\Documents and Settings\dotnetfx\UIMGR.DLL
2004-08-03 21:00 24,265,736 ----a-w C:\Documents and Settings\dotnetfx\DOTNETFX.EXE
2004-08-03 21:00 233,472 ----a-w C:\Documents and Settings\dotnetfx\DFDEPUI.DLL
2004-08-03 21:00 200,704 ----a-w C:\Documents and Settings\dotnetfx\XPSPREQS.DLL
2004-08-03 21:00 200,704 ----a-w C:\Documents and Settings\dotnetfx\SVRGRMGR.DLL
2004-08-03 21:00 192,512 ----a-w C:\Documents and Settings\dotnetfx\DEPMGR.DLL
2004-08-03 21:00 163,840 ----a-w C:\Documents and Settings\dotnetfx\DFCHGFLD.DLL
2004-08-03 21:00 155,648 ----a-w C:\Documents and Settings\dotnetfx\SETUPDB.DLL
2004-08-03 21:00 147,456 ----a-w C:\Documents and Settings\dotnetfx\CDMGR.DLL
2004-08-03 21:00 143,360 ----a-w C:\Documents and Settings\dotnetfx\DISKMGR.DLL
2004-08-03 21:00 143,360 ----a-w C:\Documents and Settings\dotnetfx\ACCMGR.DLL
2004-08-03 21:00 139,264 ----a-w C:\Documents and Settings\dotnetfx\SETLOG.DLL
2004-08-03 21:00 135,168 ----a-w C:\Documents and Settings\dotnetfx\VALIDATE.DLL
2004-08-03 21:00 135,168 ----a-w C:\Documents and Settings\dotnetfx\DFFACT.DLL
2004-08-03 21:00 131,072 ----a-w C:\Documents and Settings\dotnetfx\HTMLLITE.DLL
2004-08-03 21:00 129,720 ----a-w C:\Documents and Settings\dotnetfx\SETUP.EXE
2004-08-03 21:00 122,880 ----a-w C:\Documents and Settings\dotnetfx\DEFHELP.DLL
2004-08-03 21:00 118,784 ----a-w C:\Documents and Settings\dotnetfx\REBOOTST.EXE
2004-08-03 21:00 10,694,464 ----a-w C:\Documents and Settings\dotnetfx\NDPSP.EXE
2004-08-03 21:00 1,773 ----a-w C:\Documents and Settings\dotnetfx\BASELINE.DAT
2007-01-23 13:35:10 3,140 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-01-23 13:33:40 8 --sh--r C:\WINDOWS\system32\21D33CA5AB.sys
.

((((((((((((((((((((((((((((( [email protected]_12.46.30.10 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-07 16:17]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-07 16:16]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-22 19:31]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 01:07]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-03-24 21:22]
"nwiz"="nwiz.exe" [2005-03-24 21:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-03-24 21:22]
"SoundMan"="SOUNDMAN.EXE" [2004-12-01 15:54 C:\WINDOWS\soundman.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-15 11:45 C:\WINDOWS\AGRSMMSG.exe]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-04-21 10:13]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2005-03-15 10:03]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2005-10-14 15:38]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 C:\WINDOWS\system32\bthprops.cpl]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 16:54]
"SemanticInsight"="C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"SurfNavigator"="C:\WINDOWS\system32\SurferClient.exe" [2007-01-28 12:14]
"AutomatedSurfer"="C:\WINDOWS\system32\SurferClient.exe" [2007-01-28 12:14]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"AltnetPointsManager"="c:\program files\altnet\points manager\points manager.exe" [2006-07-19 17:01]
"MicrosoftUpdate"="C:\WINDOWS\system32\MSServx.exe" [2007-10-09 20:35]
"Application Layer Services"="asrsvc.exe" [2007-11-01 00:50 C:\WINDOWS\system32\asrsvc.exe]
"Option Bib Logo Log"="C:\Documents and Settings\All Users\Application Data\LICENSE ADMIN OPTION BIB\Logo Start.exe" []
"320d18a1"="C:\WINDOWS\system32\hnwfesvw.dll" [2007-11-12 23:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"SurfNavigator"="C:\WINDOWS\system32\SurferClient.exe" [2007-01-28 12:14]
"AutomatedSurfer"="C:\WINDOWS\system32\SurferClient.exe" [2007-01-28 12:14]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AutomatedSurfer"=C:\WINDOWS\system32\SurferClient.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 04:05:56]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-05-27 13:41:44]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-08-16 14:06:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messaging]
C:\Program Files\Instant Messenger Names\IM-svr.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R2 osaio;osaio;\??\C:\WINDOWS\system32\drivers\osaio.sys
R2 osanbm;osanbm;\??\C:\WINDOWS\system32\drivers\osanbm.sys
R2 SurferService;AutomatedSurfer;C:\WINDOWS\system32\srvany.exe
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
R3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys
R4 DritekPortIO;Dritek General Port I/O;\??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys
S3 SE2Bbus;Sony Ericsson Device 043 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Bbus.sys
S3 SE2Bmdfl;Sony Ericsson Device 043 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Bmdfl.sys
S3 SE2Bmdm;Sony Ericsson Device 043 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Bmdm.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-13 15:55:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-14 13:00:00 C:\WINDOWS\Tasks\ADADC1DD918A7E25.job"
- c:\docume~1\hanis\applic~1\elsepl~1\Thunkdeafgreat.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 21:53:03
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MicrosoftUpdate = C:\WINDOWS\system32\MSServx.exe????????|???B???|????????8)5?8k%????w?g%?H)5?|?#????w??????#???#?9????R??H"5???????EventWrite?d?er?%[email protected]????g%????|??%[email protected]?????????%???#????????????|???BD?#?l??|,?#?????4?#????????|?&5???#?Q??|??5?m??|??#??&5????????|p?#??2?|9??????????? ??????B??#????B???w???B?????2?|????????p??|???BH???????X??????|?2?|?????2?|???|??????????5???#???5???????#?(?#?????????<???????D?#????|??#????|p??|????m??|???|??5??????&5?(?#?\??|?&5??&5?9??\??#????|?s?|???????????????|[email protected]?|FA?|???|????????????????????p 5?(&5?T&5????|?????????????????&5?x%5?T&5??&5?????????T&5??!5?P??|??#??%5?T&5? &5????|?&5????|?!5?9??\????????????????????T&5?T&5??&5???#??&5?4?#???????#????|?r?|?????s?|?a?|???\?`?|???????????|0???????????????????????????????????????????????0???????????????????????????????????????????????????????8%?|??????????#[email protected]???????????0?#???????#??????%?|?????#?|????0????????#?|D?F?$???J?L??"%?(??????|[email protected]?>[email protected]?????>???????????????????????Ct?|??5? ??????????????????????????????????????|????"??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-14 21:54:07 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-12 12:47
.
--- E O F ---

nezhaniswinnie · Nov 14, 2007

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:52 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\SurferClient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\acer\epm\epm-dm.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\program files\altnet\points manager\points manager.exe
C:\WINDOWS\system32\asrsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SurfNavigator] C:\WINDOWS\system32\SurferClient.exe
O4 - HKLM\..\Run: [AutomatedSurfer] C:\WINDOWS\system32\SurferClient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [MicrosoftUpdate] C:\WINDOWS\system32\MSServx.exe
O4 - HKLM\..\Run: [Application Layer Services] asrsvc.exe
O4 - HKLM\..\Run: [Option Bib Logo Log] C:\Documents and Settings\All Users\Application Data\LICENSE ADMIN OPTION BIB\Logo Start.exe
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\hnwfesvw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SurfNavigator] C:\WINDOWS\system32\SurferClient.exe
O4 - HKCU\..\Run: [AutomatedSurfer] C:\WINDOWS\system32\SurferClient.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [AutomatedSurfer] C:\WINDOWS\system32\SurferClient.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AutomatedSurfer] C:\WINDOWS\system32\SurferClient.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Hanis\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F551} (Flatcast Viewer 4.15) - http://www.flatcast.info/objects/NpFv415.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Notebook Manager Service (anbmService) - Unknown owner - C:\Acer\eManager\anbmServ.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: AutomatedSurfer (SurferService) - Unknown owner - C:\WINDOWS\system32\srvany.exe

--
End of file - 8903 bytes

Cheeseball81 · Nov 14, 2007

1. Please download The Avenger by Swandog46 to your Desktop.

Click on Avenger.zip to open the file

Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\MSServx.exe
C:\WINDOWS\system32\asrsvc.exe
C:\WINDOWS\system32\hnwfesvw.dll
C:\WINDOWS\system32\nqstv.ini2
C:\WINDOWS\system32\hnwfesvw.dll
C:\WINDOWS\system32\nqstv.bak2

Folders to delete:
C:\Program Files\RXToolBar
c:\program files\altnet
C:\Documents and Settings\All Users\Application Data\LICENSE ADMIN OPTION BIB

Click to expand...

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Input Script Manually".

Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"

Paste the text copied to clipboard into this window by pressing (Ctrl+V).

Click Done

Now click on the Green Light to begin execution of the script

Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)

On reboot, it will briefly open a black command window on your desktop, this is normal.

After the restart, it creates a log file that should open with the results of Avengers actions. This log file will be located at C:\avenger.txt

The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

Rescan with Hijack This, close all browser windows except Hijack This, put a checkmark beside these entries and click fix checked.

O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe

O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s

O4 - HKLM\..\Run: [MicrosoftUpdate] C:\WINDOWS\system32\MSServx.exe

O4 - HKLM\..\Run: [Application Layer Services] asrsvc.exe

O4 - HKLM\..\Run: [Option Bib Logo Log] C:\Documents and Settings\All Users\Application Data\LICENSE ADMIN OPTION BIB\Logo Start.exe

O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\hnwfesvw.dll",b

Reboot and post another Hijack This log please.

Log in or Sign up

Msn Messenger Virus Need Help.

nezhaniswinnie Thread Starter

Cheeseball81 Retired Moderator

nezhaniswinnie Thread Starter

Cheeseball81 Retired Moderator

nezhaniswinnie Thread Starter

Cheeseball81 Retired Moderator

nezhaniswinnie Thread Starter

nezhaniswinnie Thread Starter

Cheeseball81 Retired Moderator

nezhaniswinnie Thread Starter

nezhaniswinnie Thread Starter

Cheeseball81 Retired Moderator

nezhaniswinnie Thread Starter

nezhaniswinnie Thread Starter

Cheeseball81 Retired Moderator

Sponsor

Welcome to Tech Support Guy!

In Progress Remove Segurazo Antivirus

In Progress Anti-Virus Program

In Progress Segurazo antivirus uninstall

In Progress Search pulse.net virus

In Progress Safe finder virus

Log in or Sign up

Msn Messenger Virus Need Help.

nezhaniswinnie Thread Starter

Cheeseball81 Retired Moderator

nezhaniswinnie Thread Starter

Cheeseball81 Retired Moderator

nezhaniswinnie Thread Starter

Cheeseball81 Retired Moderator

nezhaniswinnie Thread Starter

nezhaniswinnie Thread Starter

Cheeseball81 Retired Moderator

nezhaniswinnie Thread Starter

nezhaniswinnie Thread Starter

Cheeseball81 Retired Moderator

nezhaniswinnie Thread Starter

nezhaniswinnie Thread Starter

Cheeseball81 Retired Moderator

Sponsor

Welcome to Tech Support Guy!

In Progress Remove Segurazo Antivirus

In Progress Anti-Virus Program

In Progress Segurazo antivirus uninstall

In Progress Search pulse.net virus

In Progress Safe finder virus

Useful Searches