
Regedit/task manager disabled (+HJT log)

Discussion in 'Virus & Other Malware Removal' started by SuperSonic_ht, Oct 4, 2008.

  1. SuperSonic_ht

    SuperSonic_ht Thread Starter

    Joined:
    Oct 4, 2008
    Messages:
    20
    Hi, I'm SuperSonic. I couldn't find much time to type everything in again, so I pasted what I typed in Yahoo Answers some time ago. Here's the story from the beginning:-

    Yesterday, I took a pen drive from my friend and inserted it in the comp. When I tried to open the pen drive folder, a message came up "Windows can't find the file Axxx.vbs" (xxx was a number). At the same time Symantec AntiVirus popped up, saying it had quarantined 4 files (3 Axxx.vbs and 1 AQxxx.vbs and some registry entries). Then I took the pen drive out and started minding my other work. Then I realized that Task Manager and Regedit were disabled. Then I found that Symantec Antivirus was no longer running. I tried to run it but it won't start (or maybe it closes instantly).

    Then I installed Spybot S&D, but it started for a few seconds, was normal, then quit instantly. Same happened to ESET. Then I tried to boot into Safe Mode, but it kept rebooting while displaying a list of .sys files that were being run.

    In the process I lost a lot of important files. When restarting, the computer said my user profile was corrupted and created a temp profile. I thought it was a permanent profile, so I Cut-Pasted everything from my original profile to the new profile. Today when I started up, the temp profile was gone, and with it, all the things I'd copied.

    So, the main problem now is that Firewall, Regedit and Task Manager keep getting disabled, and antivirus stuff refuses to run. Any help would be appreciated.

    HJT Log:-


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:08:21, on 10/4/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    F:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\GM4IE\gm4ie.exe
    C:\Program Files\iPod\bin\iPodService.exe
    G:\backup\c\Program Files\Mozilla\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\DOCUME~1\user\LOCALS~1\Temp\winipkbnh.exe
    C:\DOCUME~1\user\LOCALS~1\Temp\winenwdh.exe
    E:\games\Audacity\Call of Duty\HiJackThis.exe

    O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PCTVRemote] F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [GM4IE] C:\Program Files\GM4IE\gm4ie.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
    O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
    O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/SP1/ActiveX/VMRCActiveXClient1.cab
    O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.getrightarcade.com/online/online2/heavy_weapon/popcaploader_v6.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{899F11B0-28F0-452D-8D6D-1CAE6E9E505E}: NameServer = 208.67.222.222 208.67.220.220
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    --
    End of file - 8226 bytes
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Please visit Combofix Guide & Instructions for instructions on downloading and running ComboFix; especially follow the advice about installing the recovery console.

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply.
     
  3. SuperSonic_ht

    SuperSonic_ht Thread Starter

    Joined:
    Oct 4, 2008
    Messages:
    20
    I don't think that did much, but here's the new HJT log. Also, I've found two places where the virus keeps resetting registry entries:-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system]

    HJT Log:-

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:54:21 AM, on 10/10/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    F:\Program Files\iTunes\iTunesHelper.exe
    F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\GM4IE\gm4ie.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\regedit.exe
    E:\games\Audacity\Call of Duty\HiJackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PCTVRemote] F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [GM4IE] C:\Program Files\GM4IE\gm4ie.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
    O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
    O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/SP1/ActiveX/VMRCActiveXClient1.cab
    O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - g:\backup\c\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - g:\backup\c\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    --
    End of file - 7994 bytes


    Oh, and the ComboFix log:


    ComboFix 08-10-06.05 - user 2008-10-10 11:39:24.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.436 [GMT 5.5:30]
    Running from: G:\backup\c\Program Files\Mozilla\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\user\Application Data\rbap550.dll
    C:\WINDOWS\system32\dao350.dll
    C:\WINDOWS\system32\[email protected]@@k.dll
    C:\WINDOWS\system32\x64

    .
    ((((((((((((((((((((((((( Files Created from 2008-09-10 to 2008-10-10 )))))))))))))))))))))))))))))))
    .

    2009-03-15 16:27 . 2008-10-10 11:31 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2009-02-07 11:17 . 2009-02-07 11:17 <DIR> d----c--- C:\Program Files\Alcohol Soft
    2008-10-10 09:49 . 2008-10-10 09:49 685,056 --a------ C:\WINDOWS\isRS-000.tmp
    2008-10-05 11:32 . 2008-10-05 11:46 21,004 --ah-c--- C:\TEMP_BDT.CHA
    2008-10-05 10:00 . 2008-10-05 10:00 86,528 --a------ C:\WINDOWS\bnetunin.exe
    2008-10-04 20:57 . 2008-10-04 20:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-10-04 20:57 . 2008-10-04 20:57 <DIR> d-------- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
    2008-10-04 20:57 . 2008-10-04 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-10-04 20:41 . 2008-10-04 20:41 <DIR> d-------- C:\Documents and Settings\user\Application Data\PC Tools
    2008-10-04 20:41 . 2008-08-25 11:36 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-10-04 20:41 . 2008-08-25 11:36 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-10-04 20:41 . 2008-08-25 11:36 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-10-04 20:41 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-10-04 17:51 . 2008-10-04 18:18 <DIR> d-------- C:\Program Files\Unlocker
    2008-10-04 17:26 . 2008-10-06 18:50 2,852 --a------ C:\WINDOWS\system32\tmp.reg
    2008-10-04 16:48 . 2008-10-04 17:35 <DIR> d--h-c--- C:\SDFix
    2008-10-04 14:57 . 2008-10-04 18:19 <DIR> d--h----- C:\Program Files\sb
    2008-10-03 17:12 . 2008-03-15 14:23 <DIR> d----c--- C:\Documents and Settings\Administrator.USER-08E83726E4\Application Data\Apple Computer
    2008-10-03 17:12 . 2008-10-03 17:12 <DIR> d----c--- C:\Documents and Settings\Administrator.USER-08E83726E4
    2008-10-03 16:24 . 2008-10-03 17:12 <DIR> d----c--- C:\Documents and Settings\TEMP
    2008-10-03 15:50 . 2008-10-03 15:51 <DIR> d-------- C:\Documents and Settings\user\Application Data\dxdlls
    2008-10-02 20:14 . 2008-10-02 20:14 <DIR> d-------- C:\Documents and Settings\user\Application Data\gtk-2.0
    2008-10-01 21:35 . 2008-10-01 21:35 <DIR> d-------- C:\Documents and Settings\user\Application Data\Xfire Plus
    2008-09-28 17:18 . 2008-09-28 17:18 0 --a------ C:\WINDOWS\wt9_1sptlEN.INI
    2008-09-25 13:59 . 2008-09-25 14:00 <DIR> d--h-c--- C:\gs
    2008-09-25 13:38 . 2008-09-25 13:38 <DIR> d-------- C:\Documents and Settings\user\Application Data\Ironclad Games
    2008-09-18 21:17 . 1999-09-11 02:20 25,600 --a------ C:\WINDOWS\system\007.DLL
    2008-09-18 21:17 . 1999-09-11 02:20 9,504 --a------ C:\WINDOWS\system\006.DLL
    2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\system32\en
    2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-09-18 21:03 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-09-18 09:11 . 2008-04-14 05:42 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
    2008-09-18 09:10 . 2008-04-14 05:41 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
    2008-09-18 06:11 . 2008-09-18 06:11 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
    2008-09-11 10:44 . 2008-09-12 15:34 <DIR> d-------- C:\Documents and Settings\user\Application Data\MiniDm
    2008-09-11 10:43 . 2008-09-11 11:00 <DIR> d-------- C:\Documents and Settings\user\Application Data\IEPro
    2008-09-11 10:40 . 2008-09-11 10:42 <DIR> d----c--- C:\Program Files\GM4IE

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-10 05:15 --------- dc----w C:\Program Files\Symantec
    2008-10-07 11:59 --------- d-----w C:\Documents and Settings\user\Application Data\Xfire
    2008-10-06 07:23 --------- dc----w C:\Program Files\Symantec AntiVirus2
    2008-10-05 03:57 361,600 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
    2008-10-04 15:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-10-04 12:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-10-03 12:06 --------- dc----w C:\Program Files\QuickTime
    2008-10-02 14:44 --------- d-----w C:\Documents and Settings\user\Application Data\.gaim
    2008-09-29 10:19 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
    2008-09-28 11:43 --------- d-----w C:\Documents and Settings\user\Application Data\MSNInstaller
    2008-09-15 15:34 --------- d-----w C:\Documents and Settings\user\Application Data\GetRightToGo
    2008-09-10 10:19 --------- dc----w C:\Program Files\Java
    2008-09-01 10:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-09-01 05:32 --------- d-----w C:\Documents and Settings\user\Application Data\Games
    2008-09-01 05:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
    2008-09-01 05:23 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
    2008-09-01 05:23 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
    2008-09-01 05:18 --------- dc--a-w C:\Program Files\Common Files\InstallShield
    2008-09-01 04:45 --------- dc----w C:\Program Files\MSXML 6.0
    2008-08-30 13:17 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-08-13 10:41 --------- dc----w C:\Program Files\Common Files\GTK
    2008-07-30 12:25 69,409 ----a-w C:\WINDOWS\system32\uninst.exe
    2008-07-23 06:49 32,768 ----a-w C:\WINDOWS\system32\asteriskie.exe
    2008-07-23 06:48 397,379 ----a-w C:\WINDOWS\system32\paqbonus.exe
    2008-07-23 06:48 311,296 ----a-w C:\WINDOWS\system32\winping.exe
    2008-07-21 12:12 184,320 ----a-w C:\WINDOWS\freeze.exe
    2008-07-18 18:34 664,064 ----a-w C:\WINDOWS\WLXPGSS.SCR
    2008-07-18 16:40 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-18 16:40 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-18 16:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-18 16:40 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-18 16:39 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-18 16:39 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-18 16:39 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-18 16:39 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-18 16:37 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
    2008-07-18 16:37 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
    2008-01-30 10:43 88 --sha-r C:\WINDOWS\system32\20953AAD62.sys
    2008-03-06 06:54 2,516 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ------- Sigcheck -------

    2007-10-30 22:23 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2008-06-20 16:14 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    2008-06-20 17:21 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    2008-06-20 17:29 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    2008-06-20 16:15 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
    2004-08-04 02:44 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
    2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
    2007-10-30 22:50 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtUninstallKB951748_0$\tcpip.sys
    2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
    2008-10-05 09:27 361600 d24ea301e2b36c4e975fd216ca85d8e7 C:\WINDOWS\system32\dllcache\TCPIP.SYS
    2008-10-05 09:27 361600 d24ea301e2b36c4e975fd216ca85d8e7 C:\WINDOWS\system32\drivers\TCPIP.SYS
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-05 241080]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
    "GM4IE"="C:\Program Files\GM4IE\gm4ie.exe" [2006-07-23 139264]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
    "itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
    "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-06 849280]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 218512]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 458752]
    "iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
    "PCTVRemote"="F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe" [2002-01-28 139264]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-15 204800]
    "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-15 208896]
    "SkyTel"="SkyTel.EXE" [2006-05-15 C:\WINDOWS\SkyTel.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2006-12-17 C:\WINDOWS\RTHDCPL.EXE]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-28 195584]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"= 1 (0x1)
    "DisableRegistryTools"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.yv12"= yv12vfw.dll
    "VIDC.XFR1"= xfcodec.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^LimeWire Turbo Accelerator.lnk]
    path=C:\Documents and Settings\user\Start Menu\Programs\Startup\LimeWire Turbo Accelerator.lnk
    backup=C:\WINDOWS\pss\LimeWire Turbo Accelerator.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2008-02-15 12:46 237568 C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 10:50 225280 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "C-DillaCdaC11BA"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    "UacDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001
    "FirewallDisableNotify"=dword:00000001
    "FirewallOverride"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "UacDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "E:\\My Web\\new\\3dsmax.exe"=
    "G:\\backup\\d\\Adobe Photoshop 7.0\\Presets\\Patterns\\PostScript Patterns\\Aphex.exe"=
    "E:\\Program Files\\Wyzo\\wyzo.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\WINDOWS\\system32\\dplaysvr.exe"=
    "E:\\My Second Web\\_private\\LimeWire\\LimeWire.exe"=
    "G:\\backup\\d\\Adobe PageMaker 7.0\\Images\\ua\\game\\bakup\\urbanassault\\Ua.exe"=
    "E:\\gmax\\downloads\\cc2\\closecombat2\\Cc2.exe"=
    "E:\\Program Files\\GetRight\\GetRight.exe"=
    "G:\\backup\\c\\Program Files\\byo\\bin\\byond.exe"=
    "G:\\backup\\c\\Program Files\\byo\\bin\\dreamseeker.exe"=
    "E:\\Program Files\\Xfire\\xfire.exe"=
    "E:\\games\\Audacity\\Call of Duty\\CoDMP.exe"=
    "E:\\games\\Audacity\\Call of Duty\\CoDMPw0rt.exe"=
    "E:\\games\\thunder\\thunbrigade\\thunbrig\\Tbrigade.exe"=
    "G:\\backup\\c\\Program Files\\Freespace\\Freespace\\FS2.exe"=
    "G:\\backup\\c\\Program Files\\Freespace\\Freespace\\incoming\\incoming\\incoming.exe"=
    "F:\\Program Files\\iTunes\\iTunes.exe"=
    "G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_9.exe"=
    "G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_9_debug.exe"=
    "G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_10_debug-20071007T.exe"=
    "G:\\backup\\c\\Program Files\\byo\\bin\\dreamdaemon.exe"=
    "G:\\backup\\c\\Program Files\\wwp\\Worms World Party\\Worms World Party.exe"=
    "G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_10-20071007T.exe"=
    "G:\\backup\\d\\Corel11\\sse\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
    "C:\\Program Files\\backburner 2\\manager.exe"=
    "E:\\My Second Web\\_private\\LimeWire\\dls\\gta.sa\\GTA San Andreas\\samp022server.win32\\samp-server.exe"=
    "E:\\My Second Web\\_private\\LimeWire\\dls\\gta.sa\\GTA San Andreas\\samp022server.win32\\SA-MP SERVER\\samp-server.exe"=
    "G:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
    "E:\\games\\kmd.exe"=
    "E:\\My Second Web\\_private\\LimeWire\\dls\\w3\\Warcraft III.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\WINDOWS\\system32\\igfxtray.exe"=
    "C:\\WINDOWS\\system32\\userinit.exe"=
    "C:\\WINDOWS\\system32\\hkcmd.exe"=
    "C:\\WINDOWS\\system32\\NeroCheck.exe"=
    "C:\\WINDOWS\\ALCMTR.EXE"=
    "C:\\Program Files\\QuickTime\\qttask.exe"=
    "C:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe"=
    "C:\\WINDOWS\\RTHDCPL.EXE"=
    "C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe"=
    "e:\\my second web\\_private\\limewire\\dls\\w3\\worldedit.exe"=
    "F:\\Program Files\\Pinnacle\\Pinnacle PCTV\\Remote\\Remoterm.exe"=
    "C:\\WINDOWS\\system32\\taskmgr.exe"=
    "C:\\WINDOWS\\system32\\igfxsrvc.exe"=
    "g:\\backup\\c\\Program Files\\Spyware Doctor\\pctsTray.exe"= G:\\backup\\c\\Program Files\\Spyware Doctor\\pctsTray.exe
    "C:\\WINDOWS\\system32\\igfxpers.exe"=
    "C:\\WINDOWS\\system32\\netsh.exe"=
    "C:\\Program Files\\GM4IE\\gm4ie.exe"=
    "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
    "C:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\OutlookSyncClient.exe"=

    R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2008-04-17 30720]
    R3 dac970nt;dac970nt;C:\WINDOWS\system32\drivers\rnnrl.sys [ ]
    R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-04-02 6369]
    S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27b7ea02-1b36-11dd-a576-001bfc1861eb}]
    \Shell\AutoRun\command - jfvkcsy.bat
    \Shell\explore\Command - jfvkcsy.bat
    \Shell\open\Command - jfvkcsy.bat

    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder

    2008-03-07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{DA30EFF8-CCC6-4162-A20D-67402A26A215} - (no file)
    HKCU-Run-WMPNSCFG - C:\Program Files\Windows Media Player\WMPNSCFG.exe
    HKLM-Run-ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    HKLM-Run-UnlockerAssistant - C:\Program Files\Unlocker\UnlockerAssistant.exe
    MSConfigStartUp-c0 - C:\aidualc3\c0.exe
    MSConfigStartUp-LimeWire Turbo Accelerator - E:\My Second Web\_private\LimeWire\turbo\LimeWire Turbo Accelerator.exe
    MSConfigStartUp-TkBellExe - realsched.exe


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\s549718h.default\
    FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - E:\Program Files\Real\RealOne Player\v2\Netscape6\nppl3260.dll
    FF -: plugin - E:\Program Files\Real\RealOne Player\v2\Netscape6\nprjplug.dll
    FF -: plugin - E:\Program Files\Real\RealOne Player\v2\Netscape6\nprpjplug.dll
    FF -: plugin - F:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    FF -: plugin - G:\backup\c\Program Files\Mozilla\plugins\NPGetRt.dll
    FF -: plugin - G:\backup\c\Program Files\Mozilla\plugins\npnul32.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-10 11:41:20
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-10-10 11:44:17
    ComboFix-quarantined-files.txt 2008-10-10 06:13:56

    Pre-Run: 10,975,522,816 bytes free
    Post-Run: 10,957,713,408 bytes free

    275 --- E O F --- 2008-09-20 02:52:32
     
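The Reg Loading Points section of the log above is what a malware responder reads first: the HKCU policies that disable Task Manager and regedit, the Security Center Override/DisableNotify values that silence the antivirus and firewall warnings, EnableFirewall set to 0, a driver entry whose file is gone (rnnrl.sys), and MountPoints2 shell commands that run jfvkcsy.bat when the infected removable drive is opened. The script below is an added example, not ComboFix's code and not part of the thread; it parses those lines (SAMPLE_LOG is constructed from the log above) and emits one finding per indicator. The finding labels are my own. Note the caveat the thread itself illustrates: these values are symptoms set by the dropper, and resetting them by hand achieves nothing while the component that re-applies them is still running.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; not ComboFix's code and not part of the
original post.  SAMPLE_LOG is constructed from lines quoted above; the
finding labels are mine.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: a subset of the ComboFix output quoted in the post above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"C-DillaCdaC11BA"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\taskmgr.exe"=

R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2008-04-17 30720]
R3 dac970nt;dac970nt;C:\WINDOWS\system32\drivers\rnnrl.sys [ ]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27b7ea02-1b36-11dd-a576-001bfc1861eb}]
\Shell\AutoRun\command - jfvkcsy.bat
\Shell\explore\Command - jfvkcsy.bat
\Shell\open\Command - jfvkcsy.bat
"""

# "Name"= 1 (0x1)  or  "Name"=dword:00000001  (ComboFix prints both forms)
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:([0-9a-fA-F]{8})|(\d+)\s*\(0x[0-9a-fA-F]+\))')
# R3 name;description;path [date size]   -- an empty bracket means the file is missing
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s*\[(.*)\]\s*$')
# \Shell\<verb>\command - <target>  under a MountPoints2 drive GUID
MOUNT_RE = re.compile(r'^\\Shell\\(\w+)\\command\s*-\s*(.+)$', re.IGNORECASE)

Finding = Tuple[str, str]


def parse_value(line: str) -> Optional[Tuple[str, int]]:
    """Return (name, numeric value) for a REG_DWORD-style line, else None."""
    m = VALUE_RE.match(line)
    if not m:
        return None
    name, hexval, decval = m.groups()
    return name, (int(hexval, 16) if hexval is not None else int(decval))


def triage(log: str) -> List[Finding]:
    """Walk the log once, tracking the current registry key, and collect findings."""
    findings: List[Finding] = []
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()          # new registry key header
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            _start, name, _desc, path, stamp = svc.groups()
            if not stamp.strip():                  # "[ ]": service points at a missing file
                findings.append(("missing-driver-file", f"{name} -> {path}"))
            continue
        if "mountpoints2" in section:
            mm = MOUNT_RE.match(line)
            if mm:
                guid = section.rsplit("\\", 1)[-1]
                findings.append(("autorun-hijack", f"{guid} {mm.group(1)} -> {mm.group(2)}"))
            continue
        parsed = parse_value(line)
        if parsed is None:
            continue
        name, value = parsed
        if section.endswith("policies\\system") and value == 1 \
                and name in ("DisableTaskMgr", "DisableRegistryTools"):
            findings.append(("tool-lockout", name))
        elif "security center" in section and value == 1 \
                and (name.endswith("Override") or name.endswith("DisableNotify")):
            findings.append(("security-center-silenced", name))
        elif section.endswith("firewallpolicy\\standardprofile") \
                and name == "EnableFirewall" and value == 0:
            findings.append(("firewall-off", name))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:26} {detail}")
```

Run against the full log rather than the excerpt, the same parser will also pick up the HKLM policies key if the dropper sets it machine-wide, since the rule matches on the key suffix, not the hive.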
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    When you reply, please do not use code tags for logs, as it makes them unreadable without scrolling all over the place.


    Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up comes, press SAVE, choose Desktop in the list of selections in that window, and press Save).

    Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.






    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

    Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

    This will create a zip file inside C:\QooBox\ named something like [38][email protected]

    at the end it will pop up an alert & open your browser and ask you to send the zip file

    please follow those instructions. We need to see the zip file before we can carry on with the fix

    If there is no pop up alert or open browser then

    please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
    Just press New Topic, fill in the needed details and give a link to your post here, then press the Browse button and navigate to and select the files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select it, and when all the files are listed in the window press Send to upload the files (do not post HJT logs there as they will not get dealt with).

    Files to submit:
    the zip file inside C:\QooBox\ created by combofix named something like [38][email protected]
     

    Attached Files:

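The ComboFix log in the next post ends its file listing with a Sigcheck table: one MD5 per copy of tcpip.sys on the disk, covering the live driver, the dllcache copy that Windows File Protection restores from, and every hotfix and service-pack backup. The check a responder does with that table is mechanical but worth spelling out, so here it is as an added example (mine, not ComboFix's and not part of the thread). SIGCHECK below is copied from that post; the classification of paths into live, SFC-cache and reference copies is my assumption about what each directory holds. A live copy whose hash matches no backup copy is not proof of tampering (a legitimately patched or later-updated driver looks the same), but it is a copy that has to be explained by something other than the hotfixes still on disk, and when dllcache carries the same hash, WFP will not be the thing that flags it.

```python
"""Compare the MD5s ComboFix's Sigcheck section prints for each copy of a
system file.  Added example, not ComboFix's code and not from the thread.
SIGCHECK is copied from the log in the post that follows; the live /
sfc-cache / reference split by directory is my assumption.
"""
import re
from typing import Dict, List

# Sample input: the Sigcheck table for tcpip.sys quoted in the next post.
SIGCHECK = r"""
2007-10-30 22:23 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 16:14 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 17:21 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 17:29 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 16:15 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:44 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2007-10-30 22:50 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtUninstallKB951748_0$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-10-05 09:27 361600 d24ea301e2b36c4e975fd216ca85d8e7 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-10-05 09:27 361600 d24ea301e2b36c4e975fd216ca85d8e7 C:\WINDOWS\system32\drivers\TCPIP.SYS
"""

# "YYYY-MM-DD HH:MM  size  md5  path" as ComboFix prints it
LINE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\d+)\s+([0-9a-f]{32})\s+(.+?)\s*$')


def parse_sigcheck(text: str) -> List[Dict]:
    """One dict per table row: stamp, size, md5, path."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamp, size, md5, path = m.groups()
            rows.append({"stamp": stamp, "size": int(size), "md5": md5, "path": path})
    return rows


def classify(path: str) -> str:
    """Assumption: drivers\\ is what loads, dllcache\\ is what WFP restores from,
    everything else is a hotfix / service-pack backup."""
    p = path.lower()
    if "\\system32\\drivers\\" in p:
        return "live"
    if "\\system32\\dllcache\\" in p:
        return "sfc-cache"
    return "reference"


def assess(text: str) -> Dict:
    """Compare the live copy against the SFC cache and every reference copy."""
    rows = parse_sigcheck(text)
    live = [r for r in rows if classify(r["path"]) == "live"]
    cache = [r for r in rows if classify(r["path"]) == "sfc-cache"]
    refs = [r for r in rows if classify(r["path"]) == "reference"]
    if len(live) != 1:
        raise ValueError(f"expected exactly one live copy, found {len(live)}")
    lv = live[0]
    return {
        "live_md5": lv["md5"],
        "live_stamp": lv["stamp"],
        # WFP compares system32 against dllcache; equal hashes mean it stays quiet.
        "sfc_cache_matches_live": any(c["md5"] == lv["md5"] for c in cache),
        # Does any backup copy on disk account for the bytes that are live now?
        "matches_reference": lv["md5"] in {r["md5"] for r in refs},
        # Same build size but different bytes is the pattern worth a closer look.
        "same_size_references": [r["path"] for r in refs if r["size"] == lv["size"]],
        # ISO timestamps compare correctly as strings.
        "newer_than_references": all(lv["stamp"] > r["stamp"] for r in refs),
    }


if __name__ == "__main__":
    for key, value in assess(SIGCHECK).items():
        print(f"{key:24} {value}")
```

On this table the live tcpip.sys (d24ea301...) matches the dllcache copy and nothing else, has the same size as the KB951748 SP3 copies but a different hash, and carries a timestamp later than every backup on the machine; that is exactly the combination the thread's later posts would need to explain.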
  5. SuperSonic_ht

    SuperSonic_ht Thread Starter

    Joined:
    Oct 4, 2008
    Messages:
    20
    Uploaded. For your information, GM4IE was an add-on for Internet Explorer and C:\gs folder was created by me.

    ComboFix log:-


    ComboFix 08-10-06.05 - user 2008-10-10 20:47:16.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.554 [GMT 5.5:30]
    Running from: G:\backup\c\Program Files\Mozilla\ComboFix.exe
    Command switches used :: G:\backup\c\Program Files\Mozilla\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-09-10 to 2008-10-10 )))))))))))))))))))))))))))))))
    .

    2009-03-15 16:27 . 2008-10-10 11:31 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2009-02-07 11:17 . 2009-02-07 11:17 <DIR> d----c--- C:\Program Files\Alcohol Soft
    2008-10-10 12:24 . 2008-10-10 12:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-10 12:24 . 2008-10-10 12:24 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
    2008-10-10 12:24 . 2008-10-10 12:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-10 12:24 . 2008-09-10 00:09 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-10 12:24 . 2008-09-10 00:09 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-05 11:32 . 2008-10-05 11:46 21,004 --ah-c--- C:\TEMP_BDT.CHA
    2008-10-05 10:00 . 2008-10-05 10:00 86,528 --a------ C:\WINDOWS\bnetunin.exe
    2008-10-04 20:57 . 2008-10-04 20:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-10-04 20:57 . 2008-10-04 20:57 <DIR> d-------- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
    2008-10-04 20:57 . 2008-10-04 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-10-04 20:41 . 2008-10-04 20:41 <DIR> d-------- C:\Documents and Settings\user\Application Data\PC Tools
    2008-10-04 20:41 . 2008-08-25 11:36 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-10-04 20:41 . 2008-08-25 11:36 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-10-04 20:41 . 2008-08-25 11:36 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-10-04 20:41 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-10-04 17:51 . 2008-10-10 13:11 <DIR> d-------- C:\Program Files\Unlocker
    2008-10-04 17:26 . 2008-10-06 18:50 2,852 --a------ C:\WINDOWS\system32\tmp.reg
    2008-10-04 16:48 . 2008-10-04 17:35 <DIR> d--h-c--- C:\SDFix
    2008-10-04 14:57 . 2008-10-04 18:19 <DIR> d--h----- C:\Program Files\sb
    2008-10-03 17:12 . 2008-03-15 14:23 <DIR> d----c--- C:\Documents and Settings\Administrator.USER-08E83726E4\Application Data\Apple Computer
    2008-10-03 17:12 . 2008-10-03 17:12 <DIR> d----c--- C:\Documents and Settings\Administrator.USER-08E83726E4
    2008-10-03 16:24 . 2008-10-03 17:12 <DIR> d----c--- C:\Documents and Settings\TEMP
    2008-10-03 15:50 . 2008-10-03 15:51 <DIR> d-------- C:\Documents and Settings\user\Application Data\dxdlls
    2008-10-02 20:14 . 2008-10-02 20:14 <DIR> d-------- C:\Documents and Settings\user\Application Data\gtk-2.0
    2008-10-01 21:35 . 2008-10-01 21:35 <DIR> d-------- C:\Documents and Settings\user\Application Data\Xfire Plus
    2008-09-28 17:18 . 2008-09-28 17:18 0 --a------ C:\WINDOWS\wt9_1sptlEN.INI
    2008-09-25 13:59 . 2008-09-25 14:00 <DIR> d--h-c--- C:\gs
    2008-09-25 13:38 . 2008-09-25 13:38 <DIR> d-------- C:\Documents and Settings\user\Application Data\Ironclad Games
    2008-09-18 21:17 . 1999-09-11 02:20 25,600 --a------ C:\WINDOWS\system\007.DLL
    2008-09-18 21:17 . 1999-09-11 02:20 9,504 --a------ C:\WINDOWS\system\006.DLL
    2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\system32\en
    2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-09-18 21:03 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-09-18 09:11 . 2008-04-14 05:42 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
    2008-09-18 09:10 . 2008-04-14 05:41 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
    2008-09-18 06:11 . 2008-09-18 06:11 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
    2008-09-11 10:44 . 2008-09-12 15:34 <DIR> d-------- C:\Documents and Settings\user\Application Data\MiniDm
    2008-09-11 10:43 . 2008-09-11 11:00 <DIR> d-------- C:\Documents and Settings\user\Application Data\IEPro
    2008-09-11 10:40 . 2008-10-10 20:46 <DIR> d----c--- C:\Program Files\GM4IE

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-10 05:15 --------- dc----w C:\Program Files\Symantec
    2008-10-07 11:59 --------- d-----w C:\Documents and Settings\user\Application Data\Xfire
    2008-10-06 07:23 --------- dc----w C:\Program Files\Symantec AntiVirus2
    2008-10-05 03:57 361,600 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
    2008-10-04 15:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-10-04 12:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-10-03 12:06 --------- dc----w C:\Program Files\QuickTime
    2008-10-02 14:44 --------- d-----w C:\Documents and Settings\user\Application Data\.gaim
    2008-09-29 10:19 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
    2008-09-28 11:43 --------- d-----w C:\Documents and Settings\user\Application Data\MSNInstaller
    2008-09-15 15:34 --------- d-----w C:\Documents and Settings\user\Application Data\GetRightToGo
    2008-09-10 10:19 --------- dc----w C:\Program Files\Java
    2008-09-01 10:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-09-01 05:32 --------- d-----w C:\Documents and Settings\user\Application Data\Games
    2008-09-01 05:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
    2008-09-01 05:23 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
    2008-09-01 05:23 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
    2008-09-01 05:18 --------- dc--a-w C:\Program Files\Common Files\InstallShield
    2008-09-01 04:45 --------- dc----w C:\Program Files\MSXML 6.0
    2008-08-30 13:17 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-08-13 10:41 --------- dc----w C:\Program Files\Common Files\GTK
    2008-07-30 12:25 69,409 ----a-w C:\WINDOWS\system32\uninst.exe
    2008-07-23 06:49 32,768 ----a-w C:\WINDOWS\system32\asteriskie.exe
    2008-07-23 06:48 397,379 ----a-w C:\WINDOWS\system32\paqbonus.exe
    2008-07-23 06:48 311,296 ----a-w C:\WINDOWS\system32\winping.exe
    2008-07-21 12:12 184,320 ----a-w C:\WINDOWS\freeze.exe
    2008-07-18 18:34 664,064 ----a-w C:\WINDOWS\WLXPGSS.SCR
    2008-07-18 16:40 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-18 16:40 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-18 16:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-18 16:40 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-18 16:39 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-18 16:39 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-18 16:39 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-18 16:39 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-18 16:37 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
    2008-07-18 16:37 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
    2008-01-30 10:43 88 --sha-r C:\WINDOWS\system32\20953AAD62.sys
    2008-03-06 06:54 2,516 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    ---- Directory of C:\Documents and Settings\user\Application Data\dxdlls ----

    2007-11-23 08:14 1708 --ah----- C:\Documents and Settings\user\Application Data\dxdlls\ActMon.ini
    2007-11-22 19:06 58880 --ahs---- C:\Documents and Settings\user\Application Data\dxdlls\imapde.dll
    2007-11-22 19:05 620032 --ahs---- C:\Documents and Settings\user\Application Data\dxdlls\imapd.exe
    2007-11-22 19:05 33280 --ahs---- C:\Documents and Settings\user\Application Data\dxdlls\imapdb.dll
    2007-11-22 19:05 30208 --ahs---- C:\Documents and Settings\user\Application Data\dxdlls\imapdd.dll
    2007-11-22 19:05 199680 --ahs---- C:\Documents and Settings\user\Application Data\dxdlls\imapdc.dll

    ---- Directory of C:\gs ----

    2008-09-25 13:56 804 --ah-c--- C:\gs\main\datasource\textures\effects.lnk

    ---- Directory of C:\Program Files\GM4IE ----

    2006-07-23 14:02 139264 --a------ C:\Program Files\GM4IE\gm4ie.exe


    ------- Sigcheck -------

    2007-10-30 22:23 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2008-06-20 16:14 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    2008-06-20 17:21 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    2008-06-20 17:29 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    2008-06-20 16:15 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
    2004-08-04 02:44 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
    2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
    2007-10-30 22:50 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtUninstallKB951748_0$\tcpip.sys
    2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
    2008-10-05 09:27 361600 d24ea301e2b36c4e975fd216ca85d8e7 C:\WINDOWS\system32\dllcache\TCPIP.SYS
    2008-10-05 09:27 361600 d24ea301e2b36c4e975fd216ca85d8e7 C:\WINDOWS\system32\drivers\TCPIP.SYS
    .
    ((((((((((((((((((((((((((((( [email protected]_11.42.34.57 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-10-10 03:53:45 64,886 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2008-10-10 15:06:50 64,886 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2008-10-10 03:53:45 409,856 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-10-10 15:06:50 409,856 ----a-w C:\WINDOWS\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-05 241080]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
    "GM4IE"="C:\Program Files\GM4IE\gm4ie.exe" [2006-07-23 139264]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
    "itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
    "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-06 849280]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 218512]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 458752]
    "iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 340776]
    "PCTVRemote"="F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe" [2002-01-28 139264]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-15 204800]
    "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-15 208896]
    "SkyTel"="SkyTel.EXE" [2006-05-15 C:\WINDOWS\SkyTel.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2006-12-17 C:\WINDOWS\RTHDCPL.EXE]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-28 195584]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"= 1 (0x1)
    "DisableRegistryTools"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.yv12"= yv12vfw.dll
    "VIDC.XFR1"= xfcodec.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^LimeWire Turbo Accelerator.lnk]
    path=C:\Documents and Settings\user\Start Menu\Programs\Startup\LimeWire Turbo Accelerator.lnk
    backup=C:\WINDOWS\pss\LimeWire Turbo Accelerator.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2008-02-15 12:46 237568 C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 10:50 225280 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "C-DillaCdaC11BA"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001
    "FirewallOverride"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "UacDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001
    "FirewallDisableNotify"=dword:00000001
    "FirewallOverride"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "UacDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "E:\\My Web\\new\\3dsmax.exe"=
    "G:\\backup\\d\\Adobe Photoshop 7.0\\Presets\\Patterns\\PostScript Patterns\\Aphex.exe"=
    "E:\\Program Files\\Wyzo\\wyzo.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\WINDOWS\\system32\\dplaysvr.exe"=
    "E:\\My Second Web\\_private\\LimeWire\\LimeWire.exe"=
    "G:\\backup\\d\\Adobe PageMaker 7.0\\Images\\ua\\game\\bakup\\urbanassault\\Ua.exe"=
    "E:\\gmax\\downloads\\cc2\\closecombat2\\Cc2.exe"=
    "E:\\Program Files\\GetRight\\GetRight.exe"=
    "G:\\backup\\c\\Program Files\\byo\\bin\\byond.exe"=
    "G:\\backup\\c\\Program Files\\byo\\bin\\dreamseeker.exe"=
    "E:\\Program Files\\Xfire\\xfire.exe"=
    "E:\\games\\Audacity\\Call of Duty\\CoDMP.exe"=
    "E:\\games\\Audacity\\Call of Duty\\CoDMPw0rt.exe"=
    "E:\\games\\thunder\\thunbrigade\\thunbrig\\Tbrigade.exe"=
    "G:\\backup\\c\\Program Files\\Freespace\\Freespace\\FS2.exe"=
    "G:\\backup\\c\\Program Files\\Freespace\\Freespace\\incoming\\incoming\\incoming.exe"=
    "F:\\Program Files\\iTunes\\iTunes.exe"=
    "G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_9.exe"=
    "G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_9_debug.exe"=
    "G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_10_debug-20071007T.exe"=
    "G:\\backup\\c\\Program Files\\byo\\bin\\dreamdaemon.exe"=
    "G:\\backup\\c\\Program Files\\wwp\\Worms World Party\\Worms World Party.exe"=
    "G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_10-20071007T.exe"=
    "G:\\backup\\d\\Corel11\\sse\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
    "C:\\Program Files\\backburner 2\\manager.exe"=
    "E:\\My Second Web\\_private\\LimeWire\\dls\\gta.sa\\GTA San Andreas\\samp022server.win32\\samp-server.exe"=
    "E:\\My Second Web\\_private\\LimeWire\\dls\\gta.sa\\GTA San Andreas\\samp022server.win32\\SA-MP SERVER\\samp-server.exe"=
    "G:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
    "E:\\games\\kmd.exe"=
    "E:\\My Second Web\\_private\\LimeWire\\dls\\w3\\Warcraft III.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\WINDOWS\\system32\\igfxtray.exe"=
    "C:\\WINDOWS\\system32\\userinit.exe"=
    "C:\\WINDOWS\\system32\\hkcmd.exe"=
    "C:\\WINDOWS\\system32\\NeroCheck.exe"=
    "C:\\WINDOWS\\ALCMTR.EXE"=
    "C:\\Program Files\\QuickTime\\qttask.exe"=
    "C:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe"=
    "C:\\WINDOWS\\RTHDCPL.EXE"=
    "C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe"=
    "e:\\my second web\\_private\\limewire\\dls\\w3\\worldedit.exe"=
    "F:\\Program Files\\Pinnacle\\Pinnacle PCTV\\Remote\\Remoterm.exe"=
    "C:\\WINDOWS\\system32\\taskmgr.exe"=
    "C:\\WINDOWS\\system32\\igfxsrvc.exe"=
    "g:\\backup\\c\\Program Files\\Spyware Doctor\\pctsTray.exe"= G:\\backup\\c\\Program Files\\Spyware Doctor\\pctsTray.exe
    "C:\\WINDOWS\\system32\\igfxpers.exe"=
    "C:\\WINDOWS\\system32\\netsh.exe"=
    "C:\\Program Files\\GM4IE\\gm4ie.exe"=
    "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
    "C:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\OutlookSyncClient.exe"=

    R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2008-04-17 30720]
    R3 dac970nt;dac970nt;C:\WINDOWS\system32\drivers\rnnrl.sys [ ]
    R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-04-02 6369]
    S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27b7ea02-1b36-11dd-a576-001bfc1861eb}]
    \Shell\AutoRun\command - jfvkcsy.bat
    \Shell\explore\Command - jfvkcsy.bat
    \Shell\open\Command - jfvkcsy.bat
    .
    Contents of the 'Scheduled Tasks' folder

    2008-03-07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-10 20:48:22
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-10-10 20:50:29
    ComboFix-quarantined-files.txt 2008-10-10 06:13:56

    Pre-Run: 10,761,494,528 bytes free
    Post-Run: 10,742,996,992 bytes free

    270 --- E O F --- 2008-09-20 02:52:32



    HJT:-



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:14:30 PM, on 10/10/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\GM4IE\gm4ie.exe
    C:\WINDOWS\explorer.exe
    G:\backup\c\Program Files\Mozilla\firefox.exe
    e:\my second web\_private\limewire\dls\w3\worldedit.exe
    E:\games\Audacity\Call of Duty\HiJackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PCTVRemote] F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [GM4IE] C:\Program Files\GM4IE\gm4ie.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
    O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
    O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/SP1/ActiveX/VMRCActiveXClient1.cab
    O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{899F11B0-28F0-452D-8D6D-1CAE6E9E505E}: NameServer = 218.248.240.208 218.248.240.79
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - g:\backup\c\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - g:\backup\c\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    --
    End of file - 7865 bytes
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    This is effectively unfixable
    the files contained sality.aa which is a file infector virus which infects ALL .exe files on the computer including the antivirus & every other security tool that is run

    it is also a keylogger that will have stolen all your personal & private information including all passwords & logins to everywhere, including any online banking you do

    I do not consider it safe or effective to attempt any fixes & the only way is to format the computer & start from scratch
     
  7. SuperSonic_ht

    SuperSonic_ht Thread Starter

    Joined:
    Oct 4, 2008
    Messages:
    20
    Knew something like this was coming... Anyway, do you know of any software that keeps the task manager enabled continuously (similar to the virus which disables the task manager after short periods of time)? That will do, as I can't afford a complete reformat.
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    You HAVE to do a format & there is nothing that stops it

    EVERY file on that computer will be infected

    All you can try is an online scan several times to see if it can disinfect any of the files but be warned, often the scanners will delete infected system files

    try this one
    http://www.bitdefender.com/scan8/
     
  9. SuperSonic_ht

    SuperSonic_ht Thread Starter

    Joined:
    Oct 4, 2008
    Messages:
    20
    Maybe you spoke too soon... While searching the Net for sality.aa, I found a page that said a software called CA Antivirus can fix sality.aa. So I downloaded that software and ran it. After about half an hour, the infection was no more. Everything was completely cleaned! So this problem is solved, thank you very much for informing me about the virus name.
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    If you believe that, then you believe in Father Christmas

    Sality cannot ever be 100% guaranteed to be disinfected or repaired because it attacks the antivirus as soon as it is installed
    in over 100 cases of sality I have never seen a complete satisfactory safe fix that I would ever depend on
     
  11. SuperSonic_ht

    SuperSonic_ht Thread Starter

    Joined:
    Oct 4, 2008
    Messages:
    20
    I don't see what you mean, but all the symptoms I had are gone (at least for now). It did attack all antivirus, but it perhaps didn't detect CA Antivirus. If you want, you can see a HJT log right now:-

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:51:11 AM, on 10/14/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    F:\Program Files\iTunes\iTunesHelper.exe
    F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\GM4IE\gm4ie.exe
    C:\Program Files\iPod\bin\iPodService.exe
    E:\PROGRA~1\Wyzo\wyzo.exe
    G:\backup\c\Program Files\Mozilla\firefox.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    E:\Program Files\Xfire\xfire.exe
    E:\games\Audacity\Call of Duty\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PCTVRemote] F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [GM4IE] C:\Program Files\GM4IE\gm4ie.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRdownload.htm
    O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
    O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
    O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/SP1/ActiveX/VMRCActiveXClient1.cab
    O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - g:\backup\c\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - g:\backup\c\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    --
    End of file - 8521 bytes



     
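The two HijackThis logs in this thread differ in exactly the places a malware analyst looks at first: the O7 policy entry that disables Regedit, the O17 NameServer override, the Symantec services reported as "(file missing)", and the new CA Anti-Virus autostarts and services. The script below is an added example, not something posted in the thread or shipped by Trend Micro; it parses HJT-style lines, flags the entry types that are worth attention on this page (O7 restriction policies, O17 DNS overrides, anything pointing at a missing file or orphaned BHO), and diffs a "before" log against an "after" log. The embedded sample lines are constructed by copying the shape of a handful of entries from the two logs above; the flagging rules are heuristics, not a verdict on any entry.

```python
"""Triage HijackThis logs: flag suspicious entry types and diff two logs."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: a few entries copied in the shape of the thread's
# first log (before the CA scan) and second log (after it). Not full logs.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{899F11B0-28F0-452D-8D6D-1CAE6E9E505E}: NameServer = 218.248.240.208 218.248.240.79
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
"""
LOG_AFTER = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
"""

# An HJT entry is "<section code> - <body>", e.g. "O23 - Service: ...".
HJT_LINE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")

# Policy values that malware commonly sets to lock the user out of tooling.
POLICY_RE = re.compile(
    r"\b(DisableRegedit|DisableTaskMgr|DisableCMD|NoFolderOptions)\s*=\s*1\b", re.I
)


def parse_hjt(text: str) -> Dict[str, Set[str]]:
    """Group HJT entry bodies by section code (R0, O2, O4, O23, ...).

    'Running processes' lines and headers do not match and are skipped.
    """
    sections: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            sections.setdefault(m.group(1), set()).add(m.group(2))
    return sections


def flag_entries(text: str) -> List[Tuple[str, str]]:
    """Return (reason, entry) pairs for entry types worth a second look."""
    findings: List[Tuple[str, str]] = []
    for code, entries in sorted(parse_hjt(text).items()):
        for entry in sorted(entries):
            full = f"{code} - {entry}"
            if code == "O7" and POLICY_RE.search(entry):
                findings.append(("restriction policy set; this is what greys out Regedit/Task Manager", full))
            elif code == "O17":
                findings.append(("DNS servers overridden; confirm they belong to the ISP", full))
            elif "(file missing)" in entry:
                findings.append(("autostart or service points at a missing binary; a removed security tool?", full))
            elif "(no file)" in entry:
                findings.append(("orphaned BHO CLSID; safe to remove", full))
    return findings


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries present only in `before` (removed) and only in `after` (added)."""
    b, a = parse_hjt(before), parse_hjt(after)
    codes = sorted(set(b) | set(a))
    removed = [f"{c} - {e}" for c in codes for e in sorted(b.get(c, set()) - a.get(c, set()))]
    added = [f"{c} - {e}" for c in codes for e in sorted(a.get(c, set()) - b.get(c, set()))]
    return removed, added


if __name__ == "__main__":
    for reason, entry in flag_entries(LOG_BEFORE):
        print(f"[before] {reason}\n         {entry}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("\nremoved since first log:\n  " + "\n  ".join(removed))
    print("added since first log:\n  " + "\n  ".join(added))
```

Run against the full logs, the diff is the quickest way to confirm what a cleanup actually changed (here: the O7 policy and O17 NameServer entries are gone, the dead Symantec services are gone, CA components appeared) and what it left behind (the orphaned O2 BHO is in both logs). A flagged O7 entry is a symptom, not the infection; clearing the registry value without removing whatever sets it just means it comes back, which is the point dvk01 makes above.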
  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    If you are happy & feel it is solved that is fine

    be aware it might well come back

    do a scan here to see what else is still infected

    * Run Kaspersky online virus scan Kaspersky Online Scanner.

    After the updates have downloaded, click on the "Scan Settings" button.
    Choose the "Extended database" for the scan.
    Under "Please select a target to scan", click "My Computer".
    When the scan is finished, Save the results from the scan!

    Note: You have to use Internet Explorer to do the online scan.

    Post a new HiJackThis log along with the results from Kaspersky scan

    Note: Kavscan is a scanner only & won't fix anything but will normally find the most infected files so its report gives us a good place to work from

    you can make your mind up after seeing the results
     
Short URL to this thread: https://techguy.org/755995