Regedit/task manager disabled (+HJT log)

Status
This thread has been Locked and is not open to further replies.

SuperSonic_ht

Thread Starter
Joined
Oct 4, 2008
Messages
20
Hi, I'm SuperSonic. I couldn't find much time to type everything in again, so I pasted what I typed in Yahoo Answers some time ago. Here's the story from the beginning:-

Yesterday, I took a pen drive from my friend and inserted it in the comp. When I tried to open the pen drive folder, a message came up: "Windows can't find the file Axxx.vbs" (xxx was a number). At the same time Symantec AntiVirus popped up, saying it had quarantined 4 files (3 Axxx.vbs and 1 AQxxx.vbs, and some registry entries). Then I took the pen drive out and started minding my other work. Then I realized that Task Manager and Regedit were disabled. Then I found that Symantec AntiVirus was no longer running. I tried to run it but it won't start (or maybe it closes instantly).

Then I installed Spybot S&D, but it started for a few seconds, was normal, then quit instantly. Same happened to ESET. Then I tried to boot into Safe Mode, but it kept rebooting while displaying a list of .sys files that were being run.

In the process I lost a lot of important files. When restarting, the computer said my user profile was corrupted and created a temp profile. I thought it was a permanent profile, so I Cut-Pasted everything from my original profile to the new profile. Today when I started up, the temp profile was gone, and with it, all the things I'd copied.

So, the main problem now is that Firewall, Regedit and Task Manager keep getting disabled, and antivirus stuff refuses to run. Any help would be appreciated.

HJT Log:-


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:08:21, on 10/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
F:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GM4IE\gm4ie.exe
C:\Program Files\iPod\bin\iPodService.exe
G:\backup\c\Program Files\Mozilla\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\DOCUME~1\user\LOCALS~1\Temp\winipkbnh.exe
C:\DOCUME~1\user\LOCALS~1\Temp\winenwdh.exe
E:\games\Audacity\Call of Duty\HiJackThis.exe

O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCTVRemote] F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GM4IE] C:\Program Files\GM4IE\gm4ie.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/SP1/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.getrightarcade.com/online/online2/heavy_weapon/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{899F11B0-28F0-452D-8D6D-1CAE6E9E505E}: NameServer = 208.67.222.222 208.67.220.220
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 8226 bytes

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix; especially follow the advice about installing the recovery console.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply.

SuperSonic_ht

Thread Starter
Joined
Oct 4, 2008
Messages
20
I don't think that did much, but here's the new HJT log. Also, I've found two places where the virus keeps resetting registry entries:-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system]

HJT Log:-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:21 AM, on 10/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GM4IE\gm4ie.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\regedit.exe
E:\games\Audacity\Call of Duty\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCTVRemote] F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GM4IE] C:\Program Files\GM4IE\gm4ie.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/SP1/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - g:\backup\c\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - g:\backup\c\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7994 bytes


Oh, and the ComboFix log:


ComboFix 08-10-06.05 - user 2008-10-10 11:39:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.436 [GMT 5.5:30]
Running from: G:\backup\c\Program Files\Mozilla\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\user\Application Data\rbap550.dll
C:\WINDOWS\system32\dao350.dll
C:\WINDOWS\system32\[email protected]@@k.dll
C:\WINDOWS\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-09-10 to 2008-10-10 )))))))))))))))))))))))))))))))
.

2009-03-15 16:27 . 2008-10-10 11:31 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-07 11:17 . 2009-02-07 11:17 <DIR> d----c--- C:\Program Files\Alcohol Soft
2008-10-10 09:49 . 2008-10-10 09:49 685,056 --a------ C:\WINDOWS\isRS-000.tmp
2008-10-05 11:32 . 2008-10-05 11:46 21,004 --ah-c--- C:\TEMP_BDT.CHA
2008-10-05 10:00 . 2008-10-05 10:00 86,528 --a------ C:\WINDOWS\bnetunin.exe
2008-10-04 20:57 . 2008-10-04 20:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-04 20:57 . 2008-10-04 20:57 <DIR> d-------- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2008-10-04 20:57 . 2008-10-04 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-04 20:41 . 2008-10-04 20:41 <DIR> d-------- C:\Documents and Settings\user\Application Data\PC Tools
2008-10-04 20:41 . 2008-08-25 11:36 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-10-04 20:41 . 2008-08-25 11:36 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-10-04 20:41 . 2008-08-25 11:36 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-10-04 20:41 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-10-04 17:51 . 2008-10-04 18:18 <DIR> d-------- C:\Program Files\Unlocker
2008-10-04 17:26 . 2008-10-06 18:50 2,852 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-04 16:48 . 2008-10-04 17:35 <DIR> d--h-c--- C:\SDFix
2008-10-04 14:57 . 2008-10-04 18:19 <DIR> d--h----- C:\Program Files\sb
2008-10-03 17:12 . 2008-03-15 14:23 <DIR> d----c--- C:\Documents and Settings\Administrator.USER-08E83726E4\Application Data\Apple Computer
2008-10-03 17:12 . 2008-10-03 17:12 <DIR> d----c--- C:\Documents and Settings\Administrator.USER-08E83726E4
2008-10-03 16:24 . 2008-10-03 17:12 <DIR> d----c--- C:\Documents and Settings\TEMP
2008-10-03 15:50 . 2008-10-03 15:51 <DIR> d-------- C:\Documents and Settings\user\Application Data\dxdlls
2008-10-02 20:14 . 2008-10-02 20:14 <DIR> d-------- C:\Documents and Settings\user\Application Data\gtk-2.0
2008-10-01 21:35 . 2008-10-01 21:35 <DIR> d-------- C:\Documents and Settings\user\Application Data\Xfire Plus
2008-09-28 17:18 . 2008-09-28 17:18 0 --a------ C:\WINDOWS\wt9_1sptlEN.INI
2008-09-25 13:59 . 2008-09-25 14:00 <DIR> d--h-c--- C:\gs
2008-09-25 13:38 . 2008-09-25 13:38 <DIR> d-------- C:\Documents and Settings\user\Application Data\Ironclad Games
2008-09-18 21:17 . 1999-09-11 02:20 25,600 --a------ C:\WINDOWS\system\007.DLL
2008-09-18 21:17 . 1999-09-11 02:20 9,504 --a------ C:\WINDOWS\system\006.DLL
2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-18 21:03 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-18 09:11 . 2008-04-14 05:42 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
2008-09-18 09:10 . 2008-04-14 05:41 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-09-18 06:11 . 2008-09-18 06:11 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-09-11 10:44 . 2008-09-12 15:34 <DIR> d-------- C:\Documents and Settings\user\Application Data\MiniDm
2008-09-11 10:43 . 2008-09-11 11:00 <DIR> d-------- C:\Documents and Settings\user\Application Data\IEPro
2008-09-11 10:40 . 2008-09-11 10:42 <DIR> d----c--- C:\Program Files\GM4IE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-10 05:15 --------- dc----w C:\Program Files\Symantec
2008-10-07 11:59 --------- d-----w C:\Documents and Settings\user\Application Data\Xfire
2008-10-06 07:23 --------- dc----w C:\Program Files\Symantec AntiVirus2
2008-10-05 03:57 361,600 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-10-04 15:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-04 12:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-03 12:06 --------- dc----w C:\Program Files\QuickTime
2008-10-02 14:44 --------- d-----w C:\Documents and Settings\user\Application Data\.gaim
2008-09-29 10:19 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
2008-09-28 11:43 --------- d-----w C:\Documents and Settings\user\Application Data\MSNInstaller
2008-09-15 15:34 --------- d-----w C:\Documents and Settings\user\Application Data\GetRightToGo
2008-09-10 10:19 --------- dc----w C:\Program Files\Java
2008-09-01 10:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-01 05:32 --------- d-----w C:\Documents and Settings\user\Application Data\Games
2008-09-01 05:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-09-01 05:23 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-09-01 05:23 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-09-01 05:18 --------- dc--a-w C:\Program Files\Common Files\InstallShield
2008-09-01 04:45 --------- dc----w C:\Program Files\MSXML 6.0
2008-08-30 13:17 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-08-13 10:41 --------- dc----w C:\Program Files\Common Files\GTK
2008-07-30 12:25 69,409 ----a-w C:\WINDOWS\system32\uninst.exe
2008-07-23 06:49 32,768 ----a-w C:\WINDOWS\system32\asteriskie.exe
2008-07-23 06:48 397,379 ----a-w C:\WINDOWS\system32\paqbonus.exe
2008-07-23 06:48 311,296 ----a-w C:\WINDOWS\system32\winping.exe
2008-07-21 12:12 184,320 ----a-w C:\WINDOWS\freeze.exe
2008-07-18 18:34 664,064 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-07-18 16:40 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 16:40 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 16:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 16:40 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 16:39 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 16:39 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 16:39 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 16:39 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 16:37 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 16:37 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-01-30 10:43 88 --sha-r C:\WINDOWS\system32\20953AAD62.sys
2008-03-06 06:54 2,516 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2007-10-30 22:23 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 16:14 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 17:21 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 17:29 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 16:15 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:44 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2007-10-30 22:50 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtUninstallKB951748_0$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-10-05 09:27 361600 d24ea301e2b36c4e975fd216ca85d8e7 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-10-05 09:27 361600 d24ea301e2b36c4e975fd216ca85d8e7 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-05 241080]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"GM4IE"="C:\Program Files\GM4IE\gm4ie.exe" [2006-07-23 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-06 849280]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 218512]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 458752]
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"PCTVRemote"="F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe" [2002-01-28 139264]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-15 204800]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-15 208896]
"SkyTel"="SkyTel.EXE" [2006-05-15 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-17 C:\WINDOWS\RTHDCPL.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-28 195584]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^LimeWire Turbo Accelerator.lnk]
path=C:\Documents and Settings\user\Start Menu\Programs\Startup\LimeWire Turbo Accelerator.lnk
backup=C:\WINDOWS\pss\LimeWire Turbo Accelerator.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-02-15 12:46 237568 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 225280 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"C-DillaCdaC11BA"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\My Web\\new\\3dsmax.exe"=
"G:\\backup\\d\\Adobe Photoshop 7.0\\Presets\\Patterns\\PostScript Patterns\\Aphex.exe"=
"E:\\Program Files\\Wyzo\\wyzo.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"E:\\My Second Web\\_private\\LimeWire\\LimeWire.exe"=
"G:\\backup\\d\\Adobe PageMaker 7.0\\Images\\ua\\game\\bakup\\urbanassault\\Ua.exe"=
"E:\\gmax\\downloads\\cc2\\closecombat2\\Cc2.exe"=
"E:\\Program Files\\GetRight\\GetRight.exe"=
"G:\\backup\\c\\Program Files\\byo\\bin\\byond.exe"=
"G:\\backup\\c\\Program Files\\byo\\bin\\dreamseeker.exe"=
"E:\\Program Files\\Xfire\\xfire.exe"=
"E:\\games\\Audacity\\Call of Duty\\CoDMP.exe"=
"E:\\games\\Audacity\\Call of Duty\\CoDMPw0rt.exe"=
"E:\\games\\thunder\\thunbrigade\\thunbrig\\Tbrigade.exe"=
"G:\\backup\\c\\Program Files\\Freespace\\Freespace\\FS2.exe"=
"G:\\backup\\c\\Program Files\\Freespace\\Freespace\\incoming\\incoming\\incoming.exe"=
"F:\\Program Files\\iTunes\\iTunes.exe"=
"G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_9.exe"=
"G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_9_debug.exe"=
"G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_10_debug-20071007T.exe"=
"G:\\backup\\c\\Program Files\\byo\\bin\\dreamdaemon.exe"=
"G:\\backup\\c\\Program Files\\wwp\\Worms World Party\\Worms World Party.exe"=
"G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_10-20071007T.exe"=
"G:\\backup\\d\\Corel11\\sse\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\backburner 2\\manager.exe"=
"E:\\My Second Web\\_private\\LimeWire\\dls\\gta.sa\\GTA San Andreas\\samp022server.win32\\samp-server.exe"=
"E:\\My Second Web\\_private\\LimeWire\\dls\\gta.sa\\GTA San Andreas\\samp022server.win32\\SA-MP SERVER\\samp-server.exe"=
"G:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
"E:\\games\\kmd.exe"=
"E:\\My Second Web\\_private\\LimeWire\\dls\\w3\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\igfxtray.exe"=
"C:\\WINDOWS\\system32\\userinit.exe"=
"C:\\WINDOWS\\system32\\hkcmd.exe"=
"C:\\WINDOWS\\system32\\NeroCheck.exe"=
"C:\\WINDOWS\\ALCMTR.EXE"=
"C:\\Program Files\\QuickTime\\qttask.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe"=
"C:\\WINDOWS\\RTHDCPL.EXE"=
"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe"=
"e:\\my second web\\_private\\limewire\\dls\\w3\\worldedit.exe"=
"F:\\Program Files\\Pinnacle\\Pinnacle PCTV\\Remote\\Remoterm.exe"=
"C:\\WINDOWS\\system32\\taskmgr.exe"=
"C:\\WINDOWS\\system32\\igfxsrvc.exe"=
"g:\\backup\\c\\Program Files\\Spyware Doctor\\pctsTray.exe"= G:\\backup\\c\\Program Files\\Spyware Doctor\\pctsTray.exe
"C:\\WINDOWS\\system32\\igfxpers.exe"=
"C:\\WINDOWS\\system32\\netsh.exe"=
"C:\\Program Files\\GM4IE\\gm4ie.exe"=
"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"C:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\OutlookSyncClient.exe"=

R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2008-04-17 30720]
R3 dac970nt;dac970nt;C:\WINDOWS\system32\drivers\rnnrl.sys [ ]
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-04-02 6369]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27b7ea02-1b36-11dd-a576-001bfc1861eb}]
\Shell\AutoRun\command - jfvkcsy.bat
\Shell\explore\Command - jfvkcsy.bat
\Shell\open\Command - jfvkcsy.bat

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-03-07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{DA30EFF8-CCC6-4162-A20D-67402A26A215} - (no file)
HKCU-Run-WMPNSCFG - C:\Program Files\Windows Media Player\WMPNSCFG.exe
HKLM-Run-ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
HKLM-Run-UnlockerAssistant - C:\Program Files\Unlocker\UnlockerAssistant.exe
MSConfigStartUp-c0 - C:\aidualc3\c0.exe
MSConfigStartUp-LimeWire Turbo Accelerator - E:\My Second Web\_private\LimeWire\turbo\LimeWire Turbo Accelerator.exe
MSConfigStartUp-TkBellExe - realsched.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\s549718h.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - E:\Program Files\Real\RealOne Player\v2\Netscape6\nppl3260.dll
FF -: plugin - E:\Program Files\Real\RealOne Player\v2\Netscape6\nprjplug.dll
FF -: plugin - E:\Program Files\Real\RealOne Player\v2\Netscape6\nprpjplug.dll
FF -: plugin - F:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - G:\backup\c\Program Files\Mozilla\plugins\NPGetRt.dll
FF -: plugin - G:\backup\c\Program Files\Mozilla\plugins\npnul32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-10 11:41:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-10 11:44:17
ComboFix-quarantined-files.txt 2008-10-10 06:13:56

Pre-Run: 10,975,522,816 bytes free
Post-Run: 10,957,713,408 bytes free

275 --- E O F --- 2008-09-20 02:52:32
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
When you reply, please do not use code tags for logs, as they make them unreadable without scrolling all over the place.


Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File Download" pop-up appears press SAVE, choose Desktop in the list of selections in that window and press Save).

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further.

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Remember to reconnect to the net, and enable any disabled antivirus etc. BEFORE reconnecting.

Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

This will create a zip file inside C:\QooBox\ named something like [38][email protected]

At the end it will pop up an alert, open your browser and ask you to send the zip file.

Please follow those instructions. We need to see the zip file before we can carry on with the fix.

If there is no pop-up alert or open browser, then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and, if needed, distribute them to antivirus companies.
Just press New Topic, fill in the needed details and give a link to your post here, then press the Browse button and navigate to and select the files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select it, and when all the files are listed in the window press Send to upload the files (do not post HJT logs there, as they will not get dealt with).

Files to submit:
the zip file inside C:\QooBox\ created by ComboFix, named something like [38][email protected]
 

SuperSonic_ht

Thread Starter
Joined
Oct 4, 2008
Messages
20
Uploaded. For your information, GM4IE was an add-on for Internet Explorer, and the C:\gs folder was created by me.

ComboFix log:-


ComboFix 08-10-06.05 - user 2008-10-10 20:47:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.554 [GMT 5.5:30]
Running from: G:\backup\c\Program Files\Mozilla\ComboFix.exe
Command switches used :: G:\backup\c\Program Files\Mozilla\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-09-10 to 2008-10-10 )))))))))))))))))))))))))))))))
.

2009-03-15 16:27 . 2008-10-10 11:31 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-07 11:17 . 2009-02-07 11:17 <DIR> d----c--- C:\Program Files\Alcohol Soft
2008-10-10 12:24 . 2008-10-10 12:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-10 12:24 . 2008-10-10 12:24 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-10-10 12:24 . 2008-10-10 12:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-10 12:24 . 2008-09-10 00:09 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-10 12:24 . 2008-09-10 00:09 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-05 11:32 . 2008-10-05 11:46 21,004 --ah-c--- C:\TEMP_BDT.CHA
2008-10-05 10:00 . 2008-10-05 10:00 86,528 --a------ C:\WINDOWS\bnetunin.exe
2008-10-04 20:57 . 2008-10-04 20:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-04 20:57 . 2008-10-04 20:57 <DIR> d-------- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2008-10-04 20:57 . 2008-10-04 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-04 20:41 . 2008-10-04 20:41 <DIR> d-------- C:\Documents and Settings\user\Application Data\PC Tools
2008-10-04 20:41 . 2008-08-25 11:36 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-10-04 20:41 . 2008-08-25 11:36 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-10-04 20:41 . 2008-08-25 11:36 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-10-04 20:41 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-10-04 17:51 . 2008-10-10 13:11 <DIR> d-------- C:\Program Files\Unlocker
2008-10-04 17:26 . 2008-10-06 18:50 2,852 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-04 16:48 . 2008-10-04 17:35 <DIR> d--h-c--- C:\SDFix
2008-10-04 14:57 . 2008-10-04 18:19 <DIR> d--h----- C:\Program Files\sb
2008-10-03 17:12 . 2008-03-15 14:23 <DIR> d----c--- C:\Documents and Settings\Administrator.USER-08E83726E4\Application Data\Apple Computer
2008-10-03 17:12 . 2008-10-03 17:12 <DIR> d----c--- C:\Documents and Settings\Administrator.USER-08E83726E4
2008-10-03 16:24 . 2008-10-03 17:12 <DIR> d----c--- C:\Documents and Settings\TEMP
2008-10-03 15:50 . 2008-10-03 15:51 <DIR> d-------- C:\Documents and Settings\user\Application Data\dxdlls
2008-10-02 20:14 . 2008-10-02 20:14 <DIR> d-------- C:\Documents and Settings\user\Application Data\gtk-2.0
2008-10-01 21:35 . 2008-10-01 21:35 <DIR> d-------- C:\Documents and Settings\user\Application Data\Xfire Plus
2008-09-28 17:18 . 2008-09-28 17:18 0 --a------ C:\WINDOWS\wt9_1sptlEN.INI
2008-09-25 13:59 . 2008-09-25 14:00 <DIR> d--h-c--- C:\gs
2008-09-25 13:38 . 2008-09-25 13:38 <DIR> d-------- C:\Documents and Settings\user\Application Data\Ironclad Games
2008-09-18 21:17 . 1999-09-11 02:20 25,600 --a------ C:\WINDOWS\system\007.DLL
2008-09-18 21:17 . 1999-09-11 02:20 9,504 --a------ C:\WINDOWS\system\006.DLL
2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-18 21:03 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-18 09:11 . 2008-04-14 05:42 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
2008-09-18 09:10 . 2008-04-14 05:41 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-09-18 06:11 . 2008-09-18 06:11 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-09-11 10:44 . 2008-09-12 15:34 <DIR> d-------- C:\Documents and Settings\user\Application Data\MiniDm
2008-09-11 10:43 . 2008-09-11 11:00 <DIR> d-------- C:\Documents and Settings\user\Application Data\IEPro
2008-09-11 10:40 . 2008-10-10 20:46 <DIR> d----c--- C:\Program Files\GM4IE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-10 05:15 --------- dc----w C:\Program Files\Symantec
2008-10-07 11:59 --------- d-----w C:\Documents and Settings\user\Application Data\Xfire
2008-10-06 07:23 --------- dc----w C:\Program Files\Symantec AntiVirus2
2008-10-05 03:57 361,600 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-10-04 15:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-04 12:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-03 12:06 --------- dc----w C:\Program Files\QuickTime
2008-10-02 14:44 --------- d-----w C:\Documents and Settings\user\Application Data\.gaim
2008-09-29 10:19 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
2008-09-28 11:43 --------- d-----w C:\Documents and Settings\user\Application Data\MSNInstaller
2008-09-15 15:34 --------- d-----w C:\Documents and Settings\user\Application Data\GetRightToGo
2008-09-10 10:19 --------- dc----w C:\Program Files\Java
2008-09-01 10:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-01 05:32 --------- d-----w C:\Documents and Settings\user\Application Data\Games
2008-09-01 05:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-09-01 05:23 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-09-01 05:23 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-09-01 05:18 --------- dc--a-w C:\Program Files\Common Files\InstallShield
2008-09-01 04:45 --------- dc----w C:\Program Files\MSXML 6.0
2008-08-30 13:17 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-08-13 10:41 --------- dc----w C:\Program Files\Common Files\GTK
2008-07-30 12:25 69,409 ----a-w C:\WINDOWS\system32\uninst.exe
2008-07-23 06:49 32,768 ----a-w C:\WINDOWS\system32\asteriskie.exe
2008-07-23 06:48 397,379 ----a-w C:\WINDOWS\system32\paqbonus.exe
2008-07-23 06:48 311,296 ----a-w C:\WINDOWS\system32\winping.exe
2008-07-21 12:12 184,320 ----a-w C:\WINDOWS\freeze.exe
2008-07-18 18:34 664,064 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-07-18 16:40 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 16:40 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 16:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 16:40 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 16:39 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 16:39 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 16:39 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 16:39 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 16:37 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 16:37 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-01-30 10:43 88 --sha-r C:\WINDOWS\system32\20953AAD62.sys
2008-03-06 06:54 2,516 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\user\Application Data\dxdlls ----

2007-11-23 08:14 1708 --ah----- C:\Documents and Settings\user\Application Data\dxdlls\ActMon.ini
2007-11-22 19:06 58880 --ahs---- C:\Documents and Settings\user\Application Data\dxdlls\imapde.dll
2007-11-22 19:05 620032 --ahs---- C:\Documents and Settings\user\Application Data\dxdlls\imapd.exe
2007-11-22 19:05 33280 --ahs---- C:\Documents and Settings\user\Application Data\dxdlls\imapdb.dll
2007-11-22 19:05 30208 --ahs---- C:\Documents and Settings\user\Application Data\dxdlls\imapdd.dll
2007-11-22 19:05 199680 --ahs---- C:\Documents and Settings\user\Application Data\dxdlls\imapdc.dll

---- Directory of C:\gs ----

2008-09-25 13:56 804 --ah-c--- C:\gs\main\datasource\textures\effects.lnk

---- Directory of C:\Program Files\GM4IE ----

2006-07-23 14:02 139264 --a------ C:\Program Files\GM4IE\gm4ie.exe


------- Sigcheck -------

2007-10-30 22:23 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 16:14 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 17:21 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 17:29 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 16:15 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:44 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2007-10-30 22:50 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtUninstallKB951748_0$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-10-05 09:27 361600 d24ea301e2b36c4e975fd216ca85d8e7 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-10-05 09:27 361600 d24ea301e2b36c4e975fd216ca85d8e7 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( [email protected]_11.42.34.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-10 03:53:45 64,886 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-10 15:06:50 64,886 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-10-10 03:53:45 409,856 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-10 15:06:50 409,856 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-05 241080]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"GM4IE"="C:\Program Files\GM4IE\gm4ie.exe" [2006-07-23 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-06 849280]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 218512]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 458752]
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 340776]
"PCTVRemote"="F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe" [2002-01-28 139264]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-15 204800]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-15 208896]
"SkyTel"="SkyTel.EXE" [2006-05-15 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-17 C:\WINDOWS\RTHDCPL.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-28 195584]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^LimeWire Turbo Accelerator.lnk]
path=C:\Documents and Settings\user\Start Menu\Programs\Startup\LimeWire Turbo Accelerator.lnk
backup=C:\WINDOWS\pss\LimeWire Turbo Accelerator.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-02-15 12:46 237568 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 225280 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"C-DillaCdaC11BA"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\My Web\\new\\3dsmax.exe"=
"G:\\backup\\d\\Adobe Photoshop 7.0\\Presets\\Patterns\\PostScript Patterns\\Aphex.exe"=
"E:\\Program Files\\Wyzo\\wyzo.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"E:\\My Second Web\\_private\\LimeWire\\LimeWire.exe"=
"G:\\backup\\d\\Adobe PageMaker 7.0\\Images\\ua\\game\\bakup\\urbanassault\\Ua.exe"=
"E:\\gmax\\downloads\\cc2\\closecombat2\\Cc2.exe"=
"E:\\Program Files\\GetRight\\GetRight.exe"=
"G:\\backup\\c\\Program Files\\byo\\bin\\byond.exe"=
"G:\\backup\\c\\Program Files\\byo\\bin\\dreamseeker.exe"=
"E:\\Program Files\\Xfire\\xfire.exe"=
"E:\\games\\Audacity\\Call of Duty\\CoDMP.exe"=
"E:\\games\\Audacity\\Call of Duty\\CoDMPw0rt.exe"=
"E:\\games\\thunder\\thunbrigade\\thunbrig\\Tbrigade.exe"=
"G:\\backup\\c\\Program Files\\Freespace\\Freespace\\FS2.exe"=
"G:\\backup\\c\\Program Files\\Freespace\\Freespace\\incoming\\incoming\\incoming.exe"=
"F:\\Program Files\\iTunes\\iTunes.exe"=
"G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_9.exe"=
"G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_9_debug.exe"=
"G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_10_debug-20071007T.exe"=
"G:\\backup\\c\\Program Files\\byo\\bin\\dreamdaemon.exe"=
"G:\\backup\\c\\Program Files\\wwp\\Worms World Party\\Worms World Party.exe"=
"G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_10-20071007T.exe"=
"G:\\backup\\d\\Corel11\\sse\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\backburner 2\\manager.exe"=
"E:\\My Second Web\\_private\\LimeWire\\dls\\gta.sa\\GTA San Andreas\\samp022server.win32\\samp-server.exe"=
"E:\\My Second Web\\_private\\LimeWire\\dls\\gta.sa\\GTA San Andreas\\samp022server.win32\\SA-MP SERVER\\samp-server.exe"=
"G:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
"E:\\games\\kmd.exe"=
"E:\\My Second Web\\_private\\LimeWire\\dls\\w3\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\igfxtray.exe"=
"C:\\WINDOWS\\system32\\userinit.exe"=
"C:\\WINDOWS\\system32\\hkcmd.exe"=
"C:\\WINDOWS\\system32\\NeroCheck.exe"=
"C:\\WINDOWS\\ALCMTR.EXE"=
"C:\\Program Files\\QuickTime\\qttask.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe"=
"C:\\WINDOWS\\RTHDCPL.EXE"=
"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe"=
"e:\\my second web\\_private\\limewire\\dls\\w3\\worldedit.exe"=
"F:\\Program Files\\Pinnacle\\Pinnacle PCTV\\Remote\\Remoterm.exe"=
"C:\\WINDOWS\\system32\\taskmgr.exe"=
"C:\\WINDOWS\\system32\\igfxsrvc.exe"=
"g:\\backup\\c\\Program Files\\Spyware Doctor\\pctsTray.exe"= G:\\backup\\c\\Program Files\\Spyware Doctor\\pctsTray.exe
"C:\\WINDOWS\\system32\\igfxpers.exe"=
"C:\\WINDOWS\\system32\\netsh.exe"=
"C:\\Program Files\\GM4IE\\gm4ie.exe"=
"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"C:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\OutlookSyncClient.exe"=

R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2008-04-17 30720]
R3 dac970nt;dac970nt;C:\WINDOWS\system32\drivers\rnnrl.sys [ ]
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-04-02 6369]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27b7ea02-1b36-11dd-a576-001bfc1861eb}]
\Shell\AutoRun\command - jfvkcsy.bat
\Shell\explore\Command - jfvkcsy.bat
\Shell\open\Command - jfvkcsy.bat
.
Contents of the 'Scheduled Tasks' folder

2008-03-07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-10 20:48:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-10 20:50:29
ComboFix-quarantined-files.txt 2008-10-10 06:13:56

Pre-Run: 10,761,494,528 bytes free
Post-Run: 10,742,996,992 bytes free

270 --- E O F --- 2008-09-20 02:52:32



HJT:-



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:30 PM, on 10/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GM4IE\gm4ie.exe
C:\WINDOWS\explorer.exe
G:\backup\c\Program Files\Mozilla\firefox.exe
e:\my second web\_private\limewire\dls\w3\worldedit.exe
E:\games\Audacity\Call of Duty\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCTVRemote] F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GM4IE] C:\Program Files\GM4IE\gm4ie.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/SP1/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{899F11B0-28F0-452D-8D6D-1CAE6E9E505E}: NameServer = 218.248.240.208 218.248.240.79
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - g:\backup\c\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - g:\backup\c\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7865 bytes
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
This is effectively unfixable.
The files contained Sality.AA, which is a file infector virus that infects ALL .exe files on the computer, including the antivirus & every other security tool that is run.

It is also a keylogger that will have stolen all your personal & private information, including all passwords & logins to everywhere, including any online banking you do.

I do not consider it safe or effective to attempt any fixes & the only way is to format the computer & start from scratch.
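Added example, not part of the thread and not dvk01's or any vendor's code: the post above describes Sality as a file infector that hits every .exe. Appending infectors in general, and Sality as AV write-ups describe it, write the viral body after the host's last section, typically mark that section executable and writable, and point AddressOfEntryPoint at it. That leaves a structural trace in the PE headers that can be checked without a signature, which is what the script below does. The CLEAN and INFECTED fixtures are constructed header-only images, not real samples. The heuristic is generic, not a Sality detector: it also fires on some legitimately packed executables, so a hit is a reason to compare the file's hash against a known-good copy, not proof of infection, and a clean result says nothing about whether a disinfected file still works.

```python
"""Heuristic for appending PE infectors: where does the entry point land?"""
import struct

# IMAGE_SECTION_HEADER (40 bytes) and the IMAGE_SCN_* flags we care about.
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
SCN_CNT_CODE, SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, rva, size, flags), ...]) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 of the optional header in both PE32 and PE32+.
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    sections = []
    for i in range(nsections):
        name, vsize, rva, rawsize, _, _, _, _, _, flags = SECTION_HDR.unpack_from(data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, max(vsize, rawsize), flags))
    return entry, sections


def assess(data):
    """List the reasons this file looks like an appending-infector victim; empty list = nothing seen."""
    entry, sections = parse_pe(data)
    hits = [i for i, (_, rva, size, _) in enumerate(sections) if rva <= entry < rva + size]
    if not hits:
        return ["entry point lies outside every section"]
    idx = hits[0]
    name, _, _, flags = sections[idx]
    reasons = []
    # An appended body is a new (or grown) final section with the entry point redirected into it.
    if idx == len(sections) - 1 and len(sections) > 1:
        reasons.append(f"entry point in last section {name!r}")
    # A self-modifying appended body needs its section writable as well as executable.
    if flags & SCN_MEM_WRITE and flags & SCN_MEM_EXECUTE:
        reasons.append(f"entry section {name!r} is writable and executable")
    if not (flags & SCN_MEM_EXECUTE or flags & SCN_CNT_CODE):
        reasons.append(f"entry section {name!r} is not marked executable")
    return reasons


def build_pe(sections, entry_rva):
    """Construct a header-only PE32 image for testing (constructed fixture, no real code)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(0xE0)                      # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(
        SECTION_HDR.pack(name.ljust(8, b"\0"), size, rva, size, 0, 0, 0, 0, 0, flags)
        for name, rva, size, flags in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


# Constructed fixtures: a normal layout, and the same file after an appended RWX
# section that now owns the entry point (not a real sample).
CLEAN = build_pe(
    [(b".text", 0x1000, 0x2000, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
     (b".data", 0x3000, 0x1000, SCN_MEM_READ | SCN_MEM_WRITE)],
    entry_rva=0x1100,
)
INFECTED = build_pe(
    [(b".text", 0x1000, 0x2000, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
     (b".data", 0x3000, 0x1000, SCN_MEM_READ | SCN_MEM_WRITE),
     (b".data", 0x4000, 0x8000, SCN_MEM_READ | SCN_MEM_WRITE | SCN_MEM_EXECUTE)],
    entry_rva=0x4A00,
)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, assess(fh.read()) or "no appending-infector indicators")
    print("fixture CLEAN   :", assess(CLEAN))
    print("fixture INFECTED:", assess(INFECTED))
```

Run it over a directory of .exe files from a disk mounted read-only on a clean machine; on the infected host itself the scanner is just another .exe for the infector to hit, which is the point dvk01 makes above.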
 

SuperSonic_ht

Thread Starter
Joined
Oct 4, 2008
Messages
20
Knew something like this was coming... Anyway, do you know of any software that keeps the Task Manager enabled continuously (similar to the virus, which disables the Task Manager after short periods of time)? That will do, as I can't afford a complete reformat.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
You HAVE to do a format & there is nothing that stops it.

EVERY file on that computer will be infected.

All you can try is an online scan, several times, to see if it can disinfect any of the files, but be warned: often the scanners will delete infected system files.

Try this one:
http://www.bitdefender.com/scan8/
 

SuperSonic_ht

Thread Starter
Joined
Oct 4, 2008
Messages
20
Maybe you spoke too soon... While searching the Net for Sality.AA, I found a page that said a software called CA Antivirus can fix Sality.AA. So I downloaded that software and ran it. After about half an hour, the infection was no more. Everything was completely cleaned! So this problem is solved; thank you very much for informing me about the virus name.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
If you believe that, then you believe in Father Christmas.

Sality cannot ever be 100% guaranteed to be disinfected or repaired because it attacks the antivirus as soon as it is installed.
In over 100 cases of Sality I have never seen a complete, satisfactory, safe fix that I would ever depend on.
 

SuperSonic_ht

Thread Starter
Joined
Oct 4, 2008
Messages
20
I don't see what you mean, but all the symptoms I had are gone (at least for now). It did attack all antivirus, but it perhaps didn't detect CA Antivirus. If you want, you can see an HJT log right now:-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:11 AM, on 10/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GM4IE\gm4ie.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\PROGRA~1\Wyzo\wyzo.exe
G:\backup\c\Program Files\Mozilla\firefox.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
E:\Program Files\Xfire\xfire.exe
E:\games\Audacity\Call of Duty\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCTVRemote] F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GM4IE] C:\Program Files\GM4IE\gm4ie.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRdownload.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/SP1/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - g:\backup\c\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - g:\backup\c\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
--
End of file - 8521 bytes
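An added example, not from the thread and not part of HijackThis: the checks a removal helper runs by eye over the two logs above, as code. It flags registered components whose file is gone (the Symantec services with "(file missing)" in the first log are what a killed antivirus looks like; they are absent from the second), O4 Run values that name a bare executable and so get resolved through the search path at logon, O7 policy restrictions (the regedit / Task Manager lockout this thread is about; the O7 line in the sample is hypothetical, since neither posted log contains one, and it assumes HJT lists O7 only when a restriction is set), and O17 NameServer entries not on an allow-list of the ISP's resolvers. The page gives no evidence that the 218.248.240.x resolvers are hostile; the check only says "verify". Every other sample line is copied from the logs above.

```python
"""Triage a HijackThis 2.0.x log for the entries worth a second look."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the two logs posted in this thread,
# plus one hypothetical O7 line (HJT's policy-restriction entry, which the
# posted logs do not contain) so the policy check has something to fire on.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{899F11B0-28F0-452D-8D6D-1CAE6E9E505E}: NameServer = 218.248.240.208 218.248.240.79
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


@dataclass(frozen=True)
class Finding:
    kind: str      # short tag, stable for filtering
    section: str   # HJT section code, e.g. "O23"
    detail: str    # the offending entry, or the part of it that matters


def parse_entries(log_text):
    """Yield (section, body) for every HJT entry line; headers and the process list are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def run_target(body):
    """Extract the launched path from an O4 Run body such as '[name] "C:\\x.exe" -flag'."""
    target = body.split("]", 1)[1].strip() if "]" in body else body
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return target


def triage(log_text, expected_dns=frozenset()):
    """Return the findings a malware-removal helper would want called out."""
    findings = []
    for section, body in parse_entries(log_text):
        # A registered BHO/service whose binary is gone: leftover from an uninstall or,
        # as with the Symantec services in the first log, a security tool that was killed.
        if "(file missing)" in body or "(no file)" in body:
            findings.append(Finding("missing-file", section, body))
        # A Run value with a bare filename is resolved through the search path at logon,
        # so a same-named file placed earlier in that path runs instead of the real one.
        if section == "O4" and "Run:" in body:
            target = run_target(body)
            if "\\" not in target and "/" not in target:
                findings.append(Finding("unqualified-path", section, target))
        # Assumption: HJT lists O7 only when a Policies\System restriction (regedit,
        # Task Manager) is set, so the entry's presence is the finding.
        if section == "O7":
            findings.append(Finding("policy-restriction", section, body))
        # O17 lists the resolvers Windows will use; anything outside the ISP's or the
        # organisation's resolvers means every lookup can be redirected. Verify, don't assume.
        if section == "O17" and "NameServer" in body:
            unexpected = [ip for ip in IPV4_RE.findall(body) if ip not in expected_dns]
            if unexpected:
                findings.append(Finding("dns-unexpected", section, " ".join(unexpected)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:18} {f.section:4} {f.detail}")
```

Pass expected_dns as the set of resolvers the ISP or network actually publishes; with the default empty set every O17 entry is reported so that it gets looked at rather than skipped.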



 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
If you are happy & feel it is solved, that is fine.

Be aware it might well come back.

Do a scan here to see what else is still infected:

* Run the Kaspersky online virus scan (Kaspersky Online Scanner).

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HijackThis log along with the results from the Kaspersky scan.

Note: Kavscan is a scanner only & won't fix anything, but it will normally find the most infected files, so its report gives us a good place to work from.

You can make your mind up after seeing the results.
 