Whenever I go into C:\Program Files I get an error message saying

"Attention, (name)! Some dangerous viruses detected in your system. Microsoft Windows 2000 Files corrupted. This may lead to the destruction of important files in C:\WINNT. Download protection software now! Click OK to download the antispyware. (Recommended)"

When I click No it still goes to a website.

I've seen other threads and most can't use Internet Explorer, but I'm using Opera and it doesn't seem to affect that. I know I'm supposed to use HJT, but for some reason whenever I try to run it, it says

"HijackThis.exe has generated errors and will be closed by windows. You will need to restart the program."

I have restarted the program many times and nothing seems to work.

I forgot to mention earlier, I've also tried reinstalling the program.

2 Contributors, 19 Replies, 20 Views, 9 Years Discussion Span, Last Post by crunchie

I restarted my computer again and this time it worked. I will post a log.

Here is the log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:35 PM, on 7/23/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\VTTimer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hamachi\hamachi.exe
D:\Josh from C\Xfire\xfire.exe
C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Desktop\HijackThis.exe
D:\Josh from C\opera\Opera.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: fdkowvbp - {A976B7DF-9CDC-436C-A5BA-D0CD8CB4A8AA} - C:\DOCUME~1\ADMINI~1.COR\LOCALS~1\Temp\ac8zt2\fdkowvbp.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft] msmsger.exe
O4 - HKLM\..\Run: [acf5173c] rundll32.exe "C:\WINNT\system32\srltaapd.dll",b
O4 - HKLM\..\RunServices: [Microsoft] msmsger.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Microsoft] msmsger.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: Xfire.lnk = D:\Josh from C\Xfire\xfire.exe
O4 - Global Startup: GetRight.lnk = C:\Program Files\GetRight\GetRight.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - ALWIL Software - (no file)
O23 - Service: AVG8 WatchDog (avg8wd) - ALWIL Software - (no file)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Connection Manager (NetCM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Speech\svchost.exe (file missing)
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINNT\privacy_danger\index.htm

--
End of file - 6143 bytes
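The log above is the kind a helper reads by hand for the Vundo/FakeAlert tells: a Run value whose name is eight hex digits, rundll32 loading a system32 DLL with a generated-looking name, a Run entry called "Microsoft" that launches a bare filename, an Active Desktop component served from a local file, and a "svchost.exe" living outside system32. The script below is an added example (not code from this thread, from Daniweb or from HijackThis) that encodes those tells as rules and runs them over entries taken from the HijackThis logs posted in this thread. The Winlogon Notify allowlist and the random-name heuristic are assumptions of the example, not authoritative lists.

```python
"""Rule-based triage of a HijackThis log for Vundo / FakeAlert persistence.
Added example for this thread, not code from the thread or from HijackThis;
the Winlogon Notify allowlist and the random-name heuristic are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Entries taken verbatim from the HijackThis logs in this thread, plus a clean Java line.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {769D8280-A207-4EEA-9963-F8B156C32855} - C:\WINNT\system32\nnnooOfe.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft] msmsger.exe
O4 - HKLM\..\Run: [acf5173c] rundll32.exe "C:\WINNT\system32\srltaapd.dll",b
O20 - Winlogon Notify: nnnooOfe - C:\WINNT\SYSTEM32\nnnooOfe.dll
O23 - Service: Network Connection Manager (NetCM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Speech\svchost.exe (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINNT\privacy_danger\index.htm
"""

STATUS = re.compile(r" \((?:file missing|no file)\)$")   # HJT's "path is dead" markers
GENERIC_NAMES = {"microsoft", "windows", "system"}
# Winlogon notification packages normal on Windows 2000/XP (assumed; verify on a clean build).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
CASE_FLIP = re.compile(r"(?=[a-z][A-Z]|[A-Z][a-z])")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}", re.I)
TRIPLE = re.compile(r"(.)\1\1")
HEX8 = re.compile(r"^[0-9a-f]{8}$")
PE_PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)', re.I)


@dataclass
class Finding:
    line: str
    rule: str
    severity: str  # "high" | "medium" | "low"


def file_stem(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """srltaapd, yayaAQiH and nnnooOfe trip this; ashDisp and jusched do not."""
    if not (6 <= len(stem) <= 8 and stem.isalpha()):
        return False
    return (len(CASE_FLIP.findall(stem)) >= 3          # three or more case flips
            or CONSONANT_RUN.search(stem) is not None  # four consonants in a row
            or TRIPLE.search(stem) is not None)        # a tripled letter


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+|R\d) - (.*)$", line)
        if not m:
            continue
        section, body = m.groups()
        orphan = STATUS.search(body) is not None
        target = STATUS.sub("", body).split(" - ")[-1]   # usually the file path
        rule = sev = None
        if section == "O4":
            mm = re.match(r".*: \[(.+?)\] (.*)$", body)
            if mm:
                name, cmd = mm.groups()
                hit = PE_PATH.search(cmd)
                target = hit.group(0) if hit else cmd.split()[0]
                if HEX8.match(name):
                    rule, sev = "O4: value name is 8 hex digits (Vundo-style autostart)", "high"
                elif cmd.lower().startswith("rundll32") and "\\system32\\" in target.lower():
                    rule, sev = "O4: rundll32 loading a system32 DLL by export name", "high"
                elif name.lower() in GENERIC_NAMES and "\\" not in target:
                    rule, sev = "O4: generic vendor name running a bare filename", "medium"
        elif section == "O2" and body.startswith("BHO: (no name)"):
            rule, sev = "O2: BHO without a display name", "medium"
        elif section == "O20" and body.startswith("Winlogon Notify:") \
                and file_stem(target).lower() not in KNOWN_NOTIFY:
            rule, sev = "O20: Winlogon Notify package outside the known set", "high"
        elif section == "O23" and file_stem(target).lower() == "svchost" \
                and "\\system32\\" not in target.lower():
            rule, sev = "O23: svchost.exe outside system32", "high"
        elif section == "O24" and "file:///" in body:
            rule, sev = "O24: Active Desktop component sourced from a local file", "high"
        if sev == "medium" and looks_random(file_stem(target)):
            sev = "high"   # structural oddity plus a generated-looking name
        if rule is None and orphan:
            rule, sev = "orphan entry, file no longer present", "low"
        if rule:
            findings.append(Finding(line, rule, sev))
    return findings


def suspect_paths(findings: list[Finding]) -> list[str]:
    """PE paths named in high findings: what to quarantine or submit for analysis."""
    return sorted({p for f in findings if f.severity == "high" for p in PE_PATH.findall(f.line)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:<6}] {f.rule}\n         {f.line}")
    print(suspect_paths(triage(SAMPLE_LOG)))
```

The findings are prompts for a person, not verdicts: the "(no file)" orphans are housekeeping, and a generated-looking name on its own only raises a medium finding to high when the entry is already structurally odd. The hex-named Run value is worth watching because it outlives a cleanup: the later log in this thread shows the same acf5173c value pointing at a freshly named DLL, which is the sign to rescan rather than declare the box clean.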

OK, I just noticed whenever I go into C:\ or D:\ and click on anything it gives me that error. When I use a shortcut it doesn't, and it doesn't seem to affect anything else except Internet Explorer. Any ideas?

Hi and welcome to the Daniweb forums :).

==========

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Well, thank you a lot, but I managed to get rid of it without that. I will still post that log along with the others from http://www.daniweb.com/forums/thread134865.html When I followed that post it fixed it, but I would still like to check if my system is completely clean.

Malwarebytes Log


Malwarebytes' Anti-Malware 1.23
Database version: 985
Windows 5.0.2195 Service Pack 4


12:18:34 PM 7/24/2008
Malwarebytes Log


Scan type: Full Scan (C:\|D:\|)
Objects scanned: 119794
Time elapsed: 2 hour(s), 19 minute(s), 12 second(s)


Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 22
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 35


Memory Processes Infected:
(No malicious items detected)


Memory Modules Infected:
C:\WINNT\system32\frymmsjw.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\yayaAQiH.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\nnnooOfe.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\iefilter.dll (Trojan.FakeAlert) -> No action taken.
C:\WINNT\system32\btawwx.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\uspdxw.dll (Trojan.Vundo) -> No action taken.


Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04d32989-deab-4c05-9163-7f06f490629e} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{04d32989-deab-4c05-9163-7f06f490629e} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{df292dd2-7551-4cac-af6e-00c4ba31fd4d} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{df292dd2-7551-4cac-af6e-00c4ba31fd4d} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{769d8280-a207-4eea-9963-f8b156c32855} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{769d8280-a207-4eea-9963-f8b156c32855} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnooofe (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{15c7d7ad-a87a-4c0d-9d8b-637fcd3488ef} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{4937d5d1-2039-409a-bd83-fec9b39b2356} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{caf9d798-c659-4b9b-8e19-ee27c3d04ee7} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{401f4b6b-3c36-4e8d-bc07-f46fc6d67d9a} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{401f4b6b-3c36-4e8d-bc07-f46fc6d67d9a} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\bhonew.bho (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\bhonew.bho.1 (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webvideo (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\fdkowvbp.bosv (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\fdkowvbp.toolbar.1 (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> No action taken.


Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\acf5173c (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{769d8280-a207-4eea-9963-f8b156c32855} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0\source (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft (Backdoor.Bot) -> No action taken.


Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\winnt\system32\yayaaqih -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\winnt\system32\yayaaqih  -> No action taken.


Folders Infected:
C:\WINNT\privacy_danger (Trojan.FakeAlert) -> No action taken.
C:\WINNT\privacy_danger\images (Trojan.FakeAlert) -> No action taken.


Files Infected:
C:\WINNT\system32\yayaAQiH.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\HiQAayay.ini (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\HiQAayay.ini2 (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\uspdxw.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\frymmsjw.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\wjsmmyrf.ini (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\rtlfktcx.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\xctkfltr.ini (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\srltaapd.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\dpaatlrs.ini (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\nnnooOfe.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\iefilter.dll (Trojan.FakeAlert) -> No action taken.
C:\WINNT\system32\btawwx.dll (Trojan.Vundo) -> No action taken.
C:\Program Files\Quick Batch File Compiler\Setup_ver1.113.0.exe (Trojan.FakeAlert) -> No action taken.
C:\Program Files\Quick Batch File Compiler\stubc.dll (Adware.Agent) -> No action taken.
C:\Program Files\Quick Batch File Compiler\wuick-batch-file-compiler-v-3.1.6.0-patch.exe (Trojan.FakeAlert) -> No action taken.
C:\WINNT\edgq.exe (Trojan.FakeAlert) -> No action taken.
C:\WINNT\system32\dtyhilky.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\ofvavbgl.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\owzooz.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\phxdiu.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\tgpspkqh.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\tkqipbmb.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\vmkfbz.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\wmbxytfy.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\vtUonlKB.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\privacy_danger\index.htm (Trojan.FakeAlert) -> No action taken.
C:\WINNT\privacy_danger\images\capt.gif (Trojan.FakeAlert) -> No action taken.
C:\WINNT\privacy_danger\images\danger.jpg (Trojan.FakeAlert) -> No action taken.
C:\WINNT\privacy_danger\images\down.gif (Trojan.FakeAlert) -> No action taken.
C:\WINNT\privacy_danger\images\spacer.gif (Trojan.FakeAlert) -> No action taken.
C:\WINNT\eqvwamkl.dll (Trojan.FakeAlert) -> No action taken.
C:\WINNT\fdkowvbp.dll (Trojan.FakeAlert) -> No action taken.
C:\WINNT\grswptdl.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Local Settings\Temp\CmdLineExt02.dll (Trojan.Agent) -> No action taken.


Eset Log


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3293 (20080723)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=a4b65fb3fa61494aa594bd3a8ae61562
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2008-07-24 06:06:01
# local_time=2008-07-24 02:06:01 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.0.2195 NT Service Pack 4
# scanned=344217
# found=13
# scan_time=6325
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-5a78fdfd-319987fa.zip   multiple infiltrations (deleted)    00000000000000000000000000000000
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-5a78fdfd-319987fa.zip »ZIP »BnnnnBaa.class  Java/ClassLoader trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)    00000000000000000000000000000000
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-5a78fdfd-319987fa.zip »ZIP »VaannnaaBaa.class   Java/ClassLoader trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)    00000000000000000000000000000000
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-5a78fdfd-319987fa.zip »ZIP »Dnnny.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)  00000000000000000000000000000000
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-5a78fdfd-319987fa.zip »ZIP »Bnnnnn.class    Java/ClassLoader.AS trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-5a78fdfd-319987fa.zip »ZIP »Den.class   Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)  00000000000000000000000000000000
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-5a78fdfd-319987fa.zip »ZIP »Din.class   Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)  00000000000000000000000000000000
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-5a78fdfd-319987fa.zip »ZIP »Dun.class   Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)  00000000000000000000000000000000
C:\Program Files\Quick Batch File Compiler\stubc.dll    probably a variant of Win32/Agent trojan (unable to clean - deleted)    00000000000000000000000000000000
C:\Program Files\Quick Batch File Compiler\wuick-batch-file-compiler-v-3.1.6.0-patch.exe    Win32/Adware.IeDefender.NGJ application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINNT\system32\iefilter.dll  Win32/Adware.IeDefender.NGJ application (unable to clean - deleted (after the next restart))    00000000000000000000000000000000
D:\Josh from C\MapleStory\AncientFixed.rar  Win32/Jeefo.A virus (deleted)   00000000000000000000000000000000
D:\Josh from C\MapleStory\AncientFixed.rar »RAR »AncientFixed.exe   Win32/Jeefo.A virus (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)    00000000000000000000000000000000


HiJackThis


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:19 PM, on 8/24/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal


Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\VTTimer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hamachi\hamachi.exe
D:\Josh from C\Xfire\xfire.exe
C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Desktop\dss.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\DOCUME~1\ADMINI~1.COR\Desktop\Administrator.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {2D63DFB8-719C-4B43-8E2F-7593657BA76A} - C:\WINNT\system32\pmnkKcYQ.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {769D8280-A207-4EEA-9963-F8B156C32855} - C:\WINNT\system32\nnnooOfe.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: (no name) - {C1D2F57A-9944-435E-A16F-CA98B29D8884} - C:\WINNT\system32\yayaAQiH.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: fdkowvbp - {A976B7DF-9CDC-436C-A5BA-D0CD8CB4A8AA} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [acf5173c] rundll32.exe "C:\WINNT\system32\arjekrfa.dll",b
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: Xfire.lnk = D:\Josh from C\Xfire\xfire.exe
O4 - Global Startup: GetRight.lnk = C:\Program Files\GetRight\GetRight.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: nnnooOfe - C:\WINNT\SYSTEM32\nnnooOfe.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - ALWIL Software - (no file)
O23 - Service: AVG8 WatchDog (avg8wd) - ALWIL Software - (no file)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)


--
End of file - 6820 bytes


Main.txt (DSS LOG)


Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-24 12:47:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------


Backed up registry hives.
Performed disk cleanup.


Percentage of Memory in Use: 87% (more than 75%).
Total Physical Memory: 224 MiB (256 MiB recommended).



-- HijackThis (run as Administrator.exe) ---------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:19 PM, on 8/24/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal


Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\VTTimer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hamachi\hamachi.exe
D:\Josh from C\Xfire\xfire.exe
C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Desktop\dss.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\DOCUME~1\ADMINI~1.COR\Desktop\Administrator.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {2D63DFB8-719C-4B43-8E2F-7593657BA76A} - C:\WINNT\system32\pmnkKcYQ.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {769D8280-A207-4EEA-9963-F8B156C32855} - C:\WINNT\system32\nnnooOfe.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: (no name) - {C1D2F57A-9944-435E-A16F-CA98B29D8884} - C:\WINNT\system32\yayaAQiH.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: fdkowvbp - {A976B7DF-9CDC-436C-A5BA-D0CD8CB4A8AA} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [acf5173c] rundll32.exe "C:\WINNT\system32\arjekrfa.dll",b
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: Xfire.lnk = D:\Josh from C\Xfire\xfire.exe
O4 - Global Startup: GetRight.lnk = C:\Program Files\GetRight\GetRight.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: nnnooOfe - C:\WINNT\SYSTEM32\nnnooOfe.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - ALWIL Software - (no file)
O23 - Service: AVG8 WatchDog (avg8wd) - ALWIL Software - (no file)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)


--
End of file - 6820 bytes


-- File Associations -----------------------------------------------------------


.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*



-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------


R0 GBDevice - c:\winnt\system32\drivers\gbdevice.sys <Not Verified; Roxio, Inc.; GoBack>
R0 GoBack2K - c:\winnt\system32\drivers\goback2k.sys <Not Verified; Roxio, Inc.; GoBack>
R0 viamraid - c:\winnt\system32\drivers\viamraid.sys <Not Verified; VIA Technologies inc,.ltd; VIA RAID driver>
R2 GBFSHook - c:\winnt\system32\drivers\gbfshook.sys <Not Verified; Roxio, Inc.; GoBack>
R2 npkcrypt - d:\josh from c\maplestory\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>
R3 viagfx - c:\winnt\system32\drivers\vtmini.sys <Not Verified; Copyright (C) VIA/S3 Graphics Co, Ltd.; UniChrome(Pro) IGP Driver>


S3 Pcouffin (Low level access layer for CD devices) - c:\winnt\system32\drivers\pcouffin.sys (file missing)



-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------


R2 GBPoll - c:\program files\roxio\goback\gbpoll.exe <Not Verified; Roxio, Inc.; GoBack>


S2 avg8emc (AVG8 E-mail Scanner) -
S2 avg8wd (AVG8 WatchDog) -
S2 NetCM (Network Connection Manager) -
S2 PowerManager (Power Manager) -



-- Device Manager: Disabled ----------------------------------------------------


Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1106&DEV_3104&SUBSYS_18981019&REV_86\3&61AAA01&0&84
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1106&DEV_3104&SUBSYS_18981019&REV_86\3&61AAA01&0&84
Service:


Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_1106&DEV_3068&SUBSYS_0C041019&REV_80\3&61AAA01&0&8E
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_1106&DEV_3068&SUBSYS_0C041019&REV_80\3&61AAA01&0&8E
Service:



-- Scheduled Tasks -------------------------------------------------------------


2008-07-23 17:00:01       446 --a------ C:\WINNT\Tasks\RegCure Program Check.job
2008-07-17 10:06:20       380 --a------ C:\WINNT\Tasks\RegCure.job
2008-07-15 18:19:04       284 --a------ C:\WINNT\Tasks\AppleSoftwareUpdate.job



-- Files created between 2008-07-24 and 2008-08-24 -----------------------------


2008-08-24 12:48:02     94848 --a------ C:\WINNT\system32\arjekrfa.dll
2008-08-24 12:47:32     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_37c.dat
2008-08-24 12:47:20       347 --ahs---- C:\WINNT\system32\QYcKknmp.ini2
2008-08-24 12:47:14    323584 --a------ C:\WINNT\system32\pmnkKcYQ.dll
2008-08-23 14:02:14     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_22c.dat
2008-08-23 13:34:48         0 d-------- C:\Program Files\Trend Micro
2008-08-23 13:22:39     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_3a0.dat
2008-08-22 13:25:27         0 d-------- C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\Adersoft
2008-08-22 13:25:13         0 d-------- C:\Program Files\Vbsedit
2008-08-22 12:32:00         0 d-------- C:\Xfire
2008-07-24 12:20:05         0 d-------- C:\DrWatson
2008-07-24 00:14:05         0 d-------- C:\Program Files\EsetOnlineScanner



-- Find3M Report ---------------------------------------------------------------


2008-08-24 12:48:22         0 d-------- C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\Hamachi
2008-08-22 16:38:51         0 d-------- C:\Program Files\GetRight
2008-07-24 12:36:56    832650 ---h----- C:\WINNT\ShellIconCache
2008-07-24 12:19:43         0 d-------- C:\Program Files\Quick Batch File Compiler
2008-07-23 22:51:40         0 d-------- C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\Malwarebytes
2008-07-23 22:51:39         0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-23 17:48:41         0 d-------- C:\Program Files\Batch File Compiler Professional Edition v4.0 DEMO
2008-07-23 17:23:10     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_238.dat
2008-07-23 17:20:46         0 d-------- C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\uTorrent
2008-07-23 14:04:29     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_3ac.dat
2008-07-23 13:01:52     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_228.dat
2008-07-23 00:55:33     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_210.dat
2008-07-22 23:47:13     33152 -----n--- C:\WINNT\system32\nnnooOfe.dll
2008-07-22 20:48:17     57344 --a------ C:\WINNT\uneng.exe <Not Verified; Roxio; Roxio Update Wizard>
2008-07-22 20:48:17         0 d-a------ C:\Program Files\Common Files
2008-07-22 20:48:17         0 d-a------ C:\Program Files\Common Files\Adaptec Shared
2008-07-21 23:01:11         0 d-------- C:\Program Files\BOTS
2008-07-21 18:11:43         0 d-------- C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\Xfire
2008-07-21 17:31:46         0 d-------- C:\Program Files\IzPack
2008-07-21 17:17:07         0 d-------- C:\Program Files\Launch4j
2008-07-17 18:19:15     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_1264.dat
2008-07-17 17:48:31     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_218.dat
2008-07-17 13:21:47         0 d-------- C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\Video DVD Maker FREE
2008-07-17 13:21:05         0 d-------- C:\Program Files\Video DVD Maker
2008-07-16 18:53:44         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-16 13:20:44         0 d-------- C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\MP3Rocket
2008-07-16 10:13:05         0 d-------- C:\Program Files\wise DVD Creator 8.0
2008-07-15 18:19:03     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_3d8.dat
2008-07-15 17:13:23         0 d-a------ C:\Program Files\iPod
2008-07-15 16:53:45         0 d-------- C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\Apple Computer
2008-07-15 16:52:37         0 d-a------ C:\Program Files\iTunes
2008-07-15 15:40:29         0 d-------- C:\Program Files\FinalBurner
2008-07-15 15:07:05         0 d-------- C:\Program Files\007DVD
2008-07-15 13:20:10         0 d-------- C:\Program Files\Apple Software Update
2008-07-15 13:01:39         0 d-a------ C:\Program Files\QuickTime
2008-07-15 12:57:25         0 d-------- C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\vlc
2008-07-15 12:55:57     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_440.dat
2008-07-15 12:54:08         0 d-------- C:\Program Files\VideoLAN
2008-07-15 10:43:53         0 d-------- C:\Program Files\MP3 Rocket
2008-07-15 10:42:47         0 d-a------ C:\Program Files\Java
2008-07-15 10:41:25         0 d-------- C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\Sun
2008-07-13 13:12:26         0 d-a------ C:\Program Files\Common Files\Pure Networks Shared
2008-07-08 15:14:18         0 d-------- C:\Program Files\DAEMON Tools Toolbar
2008-07-08 15:14:18         0 d-------- C:\Program Files\DAEMON Tools Lite
2008-07-08 15:10:09     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_214.dat
2008-07-08 15:07:44         0 d-------- C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\DAEMON Tools
2008-07-08 13:06:59         0 d-------- C:\Program Files\uTorrent
2008-06-30 14:05:45     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_1fc.dat
2008-06-29 22:34:19     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_1f8.dat
2008-06-23 08:52:47     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_200.dat
2008-06-22 14:51:45     16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_204.dat
2008-05-30 14:01:24     80896 --a------ C:\WINNT\system32\dxdllreg.exe <Not Verified; Microsoft Corporation; Microsoft® DirectX for Windows®>
2008-05-25 17:02:06        47 --a------ C:\WINNT\system32\setpath.bat
2008-05-24 22:30:13 2147483647 --ahs---- C:\gobackio.bin
2008-05-24 21:32:43     15012 --a------ C:\WINNT\system32\emptyregdb.dat



-- Registry Dump ---------------------------------------------------------------


*Note* empty entries & legit default entries are not shown



[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D63DFB8-719C-4B43-8E2F-7593657BA76A}]
08/24/08 12:47p 323584  --a------   C:\WINNT\system32\pmnkKcYQ.dll


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]
07/22/08 11:47p 33152   ---------   C:\WINNT\system32\nnnooOfe.dll


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1D2F57A-9944-435E-A16F-CA98B29D8884}]
C:\WINNT\system32\yayaAQiH.dll


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"= C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll [07/08/08 11:59a 683464]


[-HKEY_CLASSES_ROOT\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{3E288F79-03E4-4983-A48E-0D879B51FF19}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p C:\WINNT\system32\mobsync.exe]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [05/03/02 10:40a]
"VTTimer"="VTTimer.exe" [03/08/05 03:33a C:\WINNT\system32\VTTimer.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/08 07:19p]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [01/08/08 05:20p]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [01/18/08 10:32a]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/07 03:43a]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/07 09:41a]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/14/06 04:24p]
"acf5173c"="C:\WINNT\system32\arjekrfa.dll" [08/24/08 12:48p]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [09/04/07 07:40p]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [07/08/08 12:22p]


[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop


C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Start Menu\Programs\Startup\
Hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [7/8/2008 12:24:43 PM]
Xfire.lnk - D:\Josh from C\Xfire\xfire.exe [7/15/2008 7:09:02 PM]


C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
GetRight.lnk - C:\Program Files\GetRight\GetRight.exe [6/6/2008 11:29:38 PM]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{769D8280-A207-4EEA-9963-F8B156C32855}"= C:\WINNT\system32\nnnooOfe.dll [07/22/08 11:47p 33152]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnooOfe]
nnnooOfe.dll 07/22/08 11:47p 33152 C:\WINNT\system32\nnnooOfe.dll


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\pmnkKcYQ


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"



-- End of Deckard's System Scanner: finished at 2008-08-24 12:49:24 ------------


Extra.txt (DSS LOG)


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------


-- System Information ----------------------------------------------------------


Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English


CPU 0: AMD Athlon(tm) XP 2800+
Percentage of Memory in Use: 94%
Physical Memory (total/avail): 223.43 MiB / 11.72 MiB
Pagefile Memory (total/avail): 537.57 MiB / 187.39 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1955.68 MiB


A: is Removable (No Media)
C: is Fixed (NTFS) - 38.09 GiB total, 21.43 GiB free.
D: is Fixed (FAT32) - 38.59 GiB total, 13.55 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is CDROM (No Media)


\\.\PHYSICALDRIVE0 - HDS728080PLAT20 - 76.69 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 38.09 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 38.6 GiB - D:


-- Security Center -------------------------------------------------------------


AUOptions is scheduled to auto-install.



-- Environment Variables -------------------------------------------------------


ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINNT
APPDATA=C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JOSH
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator.CORRINA-GFYHSR2
LOGONSERVER=\\JOSH
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\ADMINI~1.COR\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1.COR\LOCALS~1\Temp
USERDOMAIN=JOSH
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator.CORRINA-GFYHSR2
windir=C:\WINNT



-- User Profiles ---------------------------------------------------------------


Administrator.CORRINA-GFYHSR2 (admin)



-- Add/Remove Programs ---------------------------------------------------------


--> C:\WINNT\$NtServicePackUninstall$\spuninst\spuninst.exe
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Flash Player ActiveX --> C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Alcatel SpeedTouch USB Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D41FAAA9-8048-4906-86B2-9AADEA1FA0B7}\Setup.exe"  -Control_Panel
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Batch File Compiler Professional Edition v4.0 DEMO --> C:\Program Files\Batch File Compiler Professional Edition v4.0 DEMO\uninstall.exe
BOTS --> "C:\Program Files\InstallShield Installation Information\{22D56257-DE33-4C7D-817B-C2DE69FE953C}\setup.exe" -runfromtemp -l0x0009 -removeonly
CakeStory --> D:\Josh from C\MapleStory\Uninstal.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
DAEMON Tools Toolbar --> C:\Program Files\DAEMON Tools Toolbar\uninst.exe
ESET Online Scanner --> C:\WINNT\system32\OnlineScannerUninstaller.exe
GetRight --> "C:\Program Files\GetRight\unins000.exe"
Hamachi 1.0.2.5 --> C:\Program Files\Hamachi\uninstall.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hirc --> "C:\Program Files\Hirc\unins000.exe"
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{54C0D94A-F467-4ABC-9D02-6E58748668D4} /l1033
IzPack 4.0.1 --> "C:\Program Files\Java\jre1.6.0_01\bin\javaw.exe" -jar "C:\Program Files\IzPack\uninstaller\uninstaller.jar"
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Launch4j 3.0.1 --> C:\Program Files\Launch4j\uninst.exe
LiveUpdate 1.7 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MapleStory --> MsiExec.exe /I{7A512A34-F4E8-43C4-BD80-43A022B31BF6}
Microsoft Internet Explorer 6 SP1 --> rundll32 C:\WINNT\system32\setupwbv.dll,IE6Maintenance C:\Program Files\Internet Explorer\IE Uninstall\W2KEXCP.EXE /u
Microsoft Office 2000 Small Business --> MsiExec.exe /I{00030409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MP3 Rocket --> C:\Program Files\MP3 Rocket\Uninstall.exe
Network Magic --> C:\Documents and Settings\All Users.WINNT\Application Data\Pure Networks\Setup\nmsetup.exe /uninstall
Quick Batch File Compiler 3.16 --> "C:\Program Files\Quick Batch File Compiler\unins000.exe"
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9  -removeonly
RegCure 1.5.0.0 --> D:\Josh from C\RegCure\uninst.exe
Security Update for DirectX 9 (KB951698) --> "C:\WINNT\$NtUninstallKB951698_DX9$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB941569) --> "C:\WINNT\$NtUninstallKB941569$\spuninst\spuninst.exe"
Vbsedit --> MsiExec.exe /X{C8BC7F74-65A7-428F-80C6-D8034103781C}
VIA Rhine-Family Fast-Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VIA/S3G Display Driver --> C:\PROGRA~1\VIA\UChromeP\s3minset.exe /u C:\PROGRA~1\VIA\UChromeP\UChromeP.uns
Video DVD Maker v3.9.0.20 --> "C:\Program Files\Video DVD Maker\Uninstall.exe" "C:\Program Files\Video DVD Maker\install.log" -u
VideoLAN VLC media player 0.8.6i --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Warcraft III: All Products --> C:\WINNT\War3Unin.exe C:\WINNT\War3Unin.dat
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Install Manager --> C:\WINNT\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe



-- Application Event Log -------------------------------------------------------


No Errors/Warnings found.



-- Security Event Log ----------------------------------------------------------


No Errors/Warnings found.



-- System Event Log ------------------------------------------------------------


Event Record #/Type1762 / Error
Event Submitted/Written: 08/24/2008 00:48:07 PM
Event ID/Source: 1000 / Dhcp
Event Description:
Your computer has lost the lease to its IP address 192.168.0.101 on the
Network Card with network address 00142A306FFB.


Event Record #/Type1761 / Warning
Event Submitted/Written: 08/24/2008 00:48:07 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00142A306FFB.  The following
error occured:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.


Event Record #/Type1760 / Error
Event Submitted/Written: 08/24/2008 00:45:37 PM / 08/24/2008 00:45:38 PM
Event ID/Source: 8003 / MRxSmb
Event Description:
The master browser has received a server announcement from the computer OWNER-PC
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{9153AB1E-30DC-4D11-.
The master browser is stopping or an election is being forced.


-- End of Deckard's System Scanner: finished at 2008-08-24 12:49:24 ------------

I will post SmitfraudFix soon

Edited by happygeek: fixed formatting
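The logs above show one pattern several times over: a DLL with a generated eight-letter name (arjekrfa, nnnooOfe, pmnkKcYQ) registered from more than one autostart location, including a Run entry via rundll32, Winlogon Notify, ShellExecuteHooks, a Browser Helper Object and the LSA "Authentication Packages" value, whose default on Windows 2000 is msv1_0 alone. The script below is an added example and is not part of this thread or any tool used in it. It applies that reading to a handful of lines copied from the HijackThis and DSS output above, scores each line by how privileged the hook location is and whether the file name looks generated, and then correlates the names across locations. The location weights and the random-name heuristic are this example's own assumptions, not a standard.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis and Deckard's System
# Scanner (DSS registry dump) output posted above. Not a complete log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [acf5173c] rundll32.exe "C:\WINNT\system32\arjekrfa.dll",b
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: nnnooOfe - C:\WINNT\SYSTEM32\nnnooOfe.dll
O23 - Service: AVG8 WatchDog (avg8wd) - ALWIL Software - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D63DFB8-719C-4B43-8E2F-7593657BA76A}]
08/24/08 12:47p 323584  --a------   C:\WINNT\system32\pmnkKcYQ.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{769D8280-A207-4EEA-9963-F8B156C32855}"= C:\WINNT\system32\nnnooOfe.dll [07/22/08 11:47p 33152]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\pmnkKcYQ
"""

FILE_REF = re.compile(r'([\w~$-]+)\.(?:dll|exe|sys)\b', re.I)   # file stem before .dll/.exe/.sys
EIGHT_LETTERS = re.compile(r'^[A-Za-z]{8}$')
CONSONANT_RUN = re.compile(r'[b-df-hj-np-tv-z]{3,}', re.I)
SECTION = re.compile(r'^\[(.+)\]$')                              # DSS registry-dump key header
HJT_LINE = re.compile(r'^O\d+ - ')

# Hook locations and the weight this example assigns them (assumptions, not a
# standard). Matched against the lower-cased key header plus the line itself.
LOCATIONS = [
    (r'winlogon.notify', 3, 'Winlogon Notify'),           # loaded into winlogon.exe as SYSTEM
    (r'shellexecutehooks', 2, 'ShellExecuteHooks'),       # called on every ShellExecute
    (r'appinit_dlls', 2, 'AppInit_DLLs'),                 # injected into every user32 process
    (r'rundll32', 2, 'rundll32 Run entry'),               # DLL given its own host process at logon
    (r'browser helper objects|o2 - bho', 1, 'BHO'),       # loaded into Internet Explorer
]
DEFAULT_AUTH_PACKAGES = {'msv1_0'}   # the only package Windows 2000 lists by default


def looks_random(stem):
    """Eight letters with capitals mid-word or a run of three consonants: the shape
    of the generated names in this log (arjekrfa, nnnooOfe, pmnkKcYQ). A triage
    heuristic only; it also fires on some legitimate names."""
    if not EIGHT_LETTERS.match(stem):
        return False
    mixed_case = stem[1:] != stem[1:].lower()
    return mixed_case or bool(CONSONANT_RUN.search(stem))


def severity(score):
    return 'high' if score >= 4 else 'medium' if score >= 2 else 'low'


def triage(log_text):
    """Score every line; return [(score, line, reasons, stems)] for lines scoring > 0."""
    findings, section = [], ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION.match(line)
        if header:
            section = header.group(1)      # values that follow belong to this key
            continue
        if HJT_LINE.match(line):
            section = ''                   # HijackThis lines carry their own location
        context = (section + ' ' + line).lower()
        score, reasons = 0, []
        for pattern, weight, label in LOCATIONS:
            if re.search(pattern, context):
                score += weight
                reasons.append(label)
        if '(no file)' in line:
            score += 1
            reasons.append('orphan (file missing)')
        stems = set(FILE_REF.findall(line))
        if 'authentication packages' in context:
            # Anything after '=' besides msv1_0 is a foreign package loaded by lsass.exe.
            extras = [t for t in line.split('=', 1)[1].split()
                      if t.lower() not in DEFAULT_AUTH_PACKAGES]
            if extras:
                score += 4
                reasons.append('LSA Authentication Packages')
                stems.update(t.rsplit('\\', 1)[-1] for t in extras)
        for stem in sorted(stems):
            if looks_random(stem):
                score += 3
                reasons.append('random-looking name ' + stem)
        if score:
            findings.append((score, line, reasons, stems))
    return findings


def persistence_map(findings):
    """Map each random-looking stem to the hook locations it was found in, so one
    file registered in several places is removed as one infection, not piecemeal."""
    hooks = defaultdict(set)
    for _, _, reasons, stems in findings:
        locations = {r for r in reasons if not r.startswith(('random-looking', 'orphan'))}
        for stem in stems:
            if looks_random(stem):
                hooks[stem] |= locations
    return dict(hooks)


if __name__ == '__main__':
    results = sorted(triage(SAMPLE_LOG), key=lambda f: -f[0])
    for score, line, reasons, _ in results:
        print('[%-6s %d] %s\n    %s' % (severity(score), score, line, '; '.join(reasons)))
    for stem, places in persistence_map(results).items():
        if len(places) > 1:
            print('%s hooked from %d locations: %s' % (stem, len(places), ', '.join(sorted(places))))
```

On the page's own lines the heuristic also flags avgrsstx.dll under AppInit_DLLs. That is the reminder that the score is a triage order, not a verdict: the name is AVG's, but the same log lists AVG's two services as (no file), so the entry is worth verifying by looking at the file on disk rather than deleting or dismissing it on the name alone. The correlation step is the part worth keeping: nnnooOfe is hooked from both Winlogon Notify and ShellExecuteHooks, and pmnkKcYQ from a BHO and the LSA Authentication Packages list, so removing one entry and leaving the other lets the DLL restore what was cleaned. The later ComboFix listing on this page shows a fresh 323,584-byte DLL under a new name each day, so when the names rotate, correlate on size and directory as well as name.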

0

Hi and welcome to the Daniweb forums :).

==========

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Here is the log

SmitFraudFix v2.331

Scan done at 13:13:27.00, Sun 08/24/2008
Run from C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\VTTimer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hamachi\hamachi.exe
D:\Josh from C\Xfire\xfire.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator.CORRINA-GFYHSR2


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1.COR\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="avgrsstx.dll"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: VIA Rhine II Fast Ethernet Adapter
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{FCDE184E-1B5C-414A-B4DC-F8A42796CF21}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FCDE184E-1B5C-414A-B4DC-F8A42796CF21}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FCDE184E-1B5C-414A-B4DC-F8A42796CF21}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

0

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".


The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

0

Here is the log I got

SmitFraudFix v2.331

Scan done at 17:04:36.76, Sun 08/24/2008
Run from C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{FCDE184E-1B5C-414A-B4DC-F8A42796CF21}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FCDE184E-1B5C-414A-B4DC-F8A42796CF21}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FCDE184E-1B5C-414A-B4DC-F8A42796CF21}: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

0

I have closed your third thread here. Please stick to this thread until we are done. You may have multiple problems on your pc, but you need to give this a chance to work. If you start threads here, there and everywhere, you are going to have different helpers scratching their heads wondering why certain things have changed that should not have and vice versa.
If you have a problem with that then let me know and I will close this thread and you can then start a new thread where hopefully you will get the assistance you obviously need :).

==============

Please download DAFT and save it to your desktop:

  1. Double-click the daft.exe icon. Read the disclaimer and click OK.
  2. Click on the Scan button.
  3. Place a checkmark next to the following entries:

    .reg
    .scr

  4. Click the Fix button.
  5. Re-scan and save a logfile. By default, it will save as daft.txt.

Post the contents of that logfile with your next post.

===========

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix once only!

0

I'm sorry for starting the new threads. I'll see if this helped. All it said after I rescanned was

DAFT Log saved on 2008-08-25 13:27:39
-----------------------------------------------------------------------
All associations okay!

0

And ComboFix is here

ComboFix 08-07-24.6 - Administrator 08/25/2008 13:31:53.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.49 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\mcrh.tmp
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-25 00:00 . 08-08-25 00:00 323,584 --------- C:\WINNT\system32\rqRLcBrq.dll
2008-08-25 00:00 . 08-08-25 00:01 347 --ahs---- C:\WINNT\system32\qrBcLRqr.ini
2008-08-24 21:08 . 08-08-24 21:08 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2c4.dat
2008-08-24 21:07 . 08-08-24 21:07 323,584 --------- C:\WINNT\system32\yaywvtTM.dll
2008-08-24 21:07 . 08-08-24 23:48 347 --ahs---- C:\WINNT\system32\MTtvwyay.ini
2008-08-24 19:37 . 08-08-24 19:53 347 --ahs---- C:\WINNT\system32\GNmSDfhk.ini
2008-08-24 19:20 . 99-10-12 15:57 68,912 --a------ C:\WINNT\system32\drivers\USBAUDIO.sys
2008-08-24 19:20 . 99-10-12 15:57 68,912 --a--c--- C:\WINNT\system32\dllcache\usbaudio.sys
2008-08-24 18:14 . 08-08-24 18:14 323,584 --------- C:\WINNT\system32\byXPGyvt.dll
2008-08-24 18:14 . 08-08-24 19:15 347 --ahs---- C:\WINNT\system32\tvyGPXyb.ini
2008-08-24 16:24 . 08-08-24 16:30 347 --ahs---- C:\WINNT\system32\AIhPYJlm.ini
2008-08-24 15:17 . 08-08-24 15:17 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_208.dat
2008-08-24 15:10 . 08-08-24 15:15 347 --ahs---- C:\WINNT\system32\qAJjkUtv.ini
2008-08-24 14:58 . 08-08-24 14:58 <DIR> d-------- C:\Program Files\Microsoft Bootvis
2008-08-24 14:47 . 08-08-24 14:48 <DIR> d-------- C:\Program Files\Cacheman
2008-08-24 14:43 . 08-08-24 14:43 0 --a------ C:\WINNT\exctrlst.INI
2008-08-24 14:39 . 08-08-24 14:39 <DIR> d-------- C:\Program Files\Resource Kit
2008-08-24 13:42 . 08-08-24 16:59 <DIR> d-------- C:\Logs
2008-08-24 13:13 . 08-08-24 17:04 2,508 --a------ C:\WINNT\system32\tmp.reg
2008-08-24 13:12 . 07-09-06 00:22 289,144 --a------ C:\WINNT\system32\VCCLSID.exe
2008-08-24 13:12 . 06-04-27 17:49 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2008-08-24 13:12 . 08-05-29 09:35 86,528 --a------ C:\WINNT\system32\VACFix.exe
2008-08-24 13:12 . 08-05-18 21:40 82,944 --a------ C:\WINNT\system32\IEDFix.exe
2008-08-24 13:12 . 08-07-02 13:33 82,432 --a------ C:\WINNT\system32\IEDFix.C.exe
2008-08-24 13:12 . 08-05-23 18:21 81,920 --a------ C:\WINNT\system32\404Fix.exe
2008-08-24 13:12 . 03-06-05 21:13 53,248 --a------ C:\WINNT\system32\Process.exe
2008-08-24 13:12 . 04-07-31 18:50 51,200 --a------ C:\WINNT\system32\dumphive.exe
2008-08-24 13:12 . 07-10-04 00:36 25,600 --a------ C:\WINNT\system32\WS2Fix.exe
2008-08-24 12:50 . 08-08-24 12:50 116,864 --a------ C:\WINNT\system32\oolinlkh.dll
2008-08-24 12:50 . 08-08-24 12:50 116,864 --a------ C:\WINNT\system32\fqibbb.dll
2008-08-24 12:48 . 08-08-25 00:01 619,490 ---hs---- C:\WINNT\system32\afrkejra.ini
2008-08-24 12:48 . 08-08-24 12:48 94,848 --a------ C:\WINNT\system32\arjekrfa.dll
2008-08-24 12:47 . 08-08-24 12:47 <DIR> d-------- C:\Deckard
2008-08-24 12:47 . 08-08-24 14:59 347 --ahs---- C:\WINNT\system32\QYcKknmp.ini
2008-08-23 14:02 . 08-08-23 14:02 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_22c.dat
2008-08-23 13:34 . 08-08-23 13:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-23 13:28 . 08-08-23 14:03 354 ---hs---- C:\WINNT\system32\umgvdosw.ini
2008-08-22 13:25 . 08-08-22 13:25 <DIR> d-------- C:\Program Files\Vbsedit
2008-08-22 13:25 . 08-08-22 13:25 <DIR> d-------- C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\Adersoft
2008-08-22 12:32 . 08-08-22 12:32 <DIR> d-------- C:\Xfire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-25 17:32 --------- d-----w C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\Hamachi
2008-08-22 20:38 --------- d-----w C:\Program Files\GetRight
2008-07-24 16:35 --------- d-----w C:\Program Files\EsetOnlineScanner
2008-07-24 16:19 --------- d-----w C:\Program Files\Quick Batch File Compiler
2008-07-24 02:51 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 02:51 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\Malwarebytes
2008-07-24 02:51 --------- d-----w C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\Malwarebytes
2008-07-24 00:09 38,472 ----a-w C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-07-24 00:09 17,144 ----a-w C:\WINNT\system32\drivers\mbam.sys
2008-07-23 21:48 --------- d-----w C:\Program Files\Batch File Compiler Professional Edition v4.0 DEMO
2008-07-23 21:20 --------- d-----w C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\uTorrent
2008-07-23 03:50 --------- d---a-w C:\Documents and Settings\All Users.WINNT\Application Data\TEMP
2008-07-23 03:47 33,152 ------w C:\WINNT\system32\nnnooOfe.dll
2008-07-23 00:48 58,000 ----a-w C:\WINNT\system32\drivers\cdr4_2K.sys
2008-07-23 00:48 57,344 ----a-w C:\WINNT\uneng.exe
2008-07-23 00:48 49,152 ----a-w C:\WINNT\system32\cdrtc.dll
2008-07-23 00:48 45,056 ----a-w C:\WINNT\system32\cdral.dll
2008-07-23 00:48 23,420 ----a-w C:\WINNT\system32\drivers\cdralw2k.sys
2008-07-23 00:48 --------- d---a-w C:\Program Files\Common Files\Adaptec Shared
2008-07-22 03:01 --------- d-----w C:\Program Files\BOTS
2008-07-21 22:11 --------- d-----w C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\Xfire
2008-07-21 21:31 --------- d-----w C:\Program Files\IzPack
2008-07-21 21:17 --------- d-----w C:\Program Files\Launch4j
2008-07-17 17:21 --------- d-----w C:\Program Files\Video DVD Maker
2008-07-17 17:21 --------- d-----w C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\Video DVD Maker FREE
2008-07-16 22:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-16 17:20 --------- d-----w C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\MP3Rocket
2008-07-16 14:13 --------- d-----w C:\Program Files\wise DVD Creator 8.0
2008-07-15 23:09 42,320 ----a-w C:\WINNT\system32\xfcodec.dll
2008-07-15 21:13 --------- d---a-w C:\Program Files\iPod
2008-07-15 20:53 --------- d-----w C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\Apple Computer
2008-07-15 20:52 --------- d---a-w C:\Program Files\iTunes
2008-07-15 20:52 --------- d---a-w C:\Documents and Settings\All Users.WINNT\Application Data\Apple Computer
2008-07-15 19:40 --------- d-----w C:\Program Files\FinalBurner
2008-07-15 19:07 --------- d-----w C:\Program Files\007DVD
2008-07-15 17:20 --------- d-----w C:\Program Files\Apple Software Update
2008-07-15 17:20 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\Apple
2008-07-15 17:01 --------- d---a-w C:\Program Files\QuickTime
2008-07-15 16:57 --------- d-----w C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\vlc
2008-07-15 16:54 --------- d-----w C:\Program Files\VideoLAN
2008-07-15 14:43 --------- d-----w C:\Program Files\MP3 Rocket
2008-07-15 14:42 --------- d---a-w C:\Program Files\Java
2008-07-13 17:12 --------- d---a-w C:\Program Files\Common Files\Pure Networks Shared
2008-07-13 17:12 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\Pure Networks
2008-07-08 19:14 --------- d-----w C:\Program Files\DAEMON Tools Toolbar
2008-07-08 19:14 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-07-08 19:07 717,296 ----a-w C:\WINNT\system32\drivers\sptd.sys
2008-07-08 19:07 --------- d-----w C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\DAEMON Tools
2008-07-08 17:06 --------- d-----w C:\Program Files\uTorrent
2008-07-08 16:24 25,280 ----a-w C:\WINNT\system32\drivers\hamachi.sys
2008-06-25 09:41 64,784 ----a-w C:\WINNT\system32\mswsock.dll
2008-06-25 09:41 105,744 ----a-w C:\WINNT\system32\msafd.dll
2008-06-07 03:47 10,520 ----a-w C:\WINNT\system32\avgrsstx.dll
2008-05-30 18:11 467,984 ----a-w C:\WINNT\system32\d3dx10_38.dll
2008-05-30 18:11 3,850,760 ----a-w C:\WINNT\system32\D3DX9_38.dll
2008-05-30 18:11 1,491,992 ----a-w C:\WINNT\system32\D3DCompiler_38.dll
2008-05-30 18:01 80,896 ----a-w C:\WINNT\system32\dxdllreg.exe
2008-05-25 02:30 4,194,304,000 --sha-w C:\gobackio.bin
2008-05-25 01:33 558,142 ----a-w C:\WINNT\java\Packages\4KD7RVNJ.ZIP
2008-05-25 01:33 271 ---h--w C:\Program Files\desktop.ini
2008-05-25 01:33 21,952 ---h--w C:\Program Files\folder.htt
2008-05-25 01:33 156,441 ----a-w C:\WINNT\java\Packages\MFL3ZFL3.ZIP
2008-03-08 03:58 0 ----a-w C:\Program Files\temp01
2005-01-21 00:53 45,056 ----a-r C:\Program Files\SetAttrib.exe
2004-11-30 07:23 40,960 ----a-r C:\Program Files\delete.exe
2003-01-01 11:38 9,143,496 ----a-w C:\Program Files\INSTALL_MSN_MESSENGER_NT.EXE
1999-12-07 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]
08-07-22 23:47 33152 --------- C:\WINNT\system32\nnnooOfe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aa7a9fe8-481f-4547-854b-d341bd9d604b}]
08-08-24 12:50 116864 --a------ C:\WINNT\system32\fqibbb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [07-09-04 19:40 6856704]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [08-07-08 12:22 486856]
"Cacheman"="C:\PROGRA~1\Cacheman\Cacheman.exe" [03-07-31 14:13 1290752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [02-05-03 10:40 4341760]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [08-05-15 19:19 79224]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [08-01-08 17:20 451896]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [08-01-18 10:32 451896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [07-03-14 03:43 83608]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-06-14 16:24 278528]
"acf5173c"="C:\WINNT\system32\arjekrfa.dll" [08-08-24 12:48 94848]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"VTTimer"="VTTimer.exe" [05-03-08 03:33 53248 C:\WINNT\system32\VTTimer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Start Menu\Programs\Startup\
Hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [2008-07-08 12:24:43 624416]
Xfire.lnk - D:\Josh from C\Xfire\xfire.exe [2008-07-15 19:09:02 3050832]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
GetRight.lnk - C:\Program Files\GetRight\GetRight.exe [2008-06-06 23:29:38 4628752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{769D8280-A207-4EEA-9963-F8B156C32855}"= "C:\WINNT\system32\nnnooOfe.dll" [08-07-22 23:47 33152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnooOfe]
08-07-22 23:47 33152 C:\WINNT\system32\nnnooOfe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\rqRLcBrq

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

R0 videX32;videX32;C:\WINNT\system32\DRIVERS\videX32.sys [08-01-03 18:49 ]
R1 aswSP;avast! Self Protection;C:\WINNT\system32\drivers\aswSP.sys [08-05-15 19:20 ]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINNT\system32\Drivers\avgldx86.sys [08-06-06 23:47 ]
R2 aswFsBlk;aswFsBlk;C:\WINNT\system32\DRIVERS\aswFsBlk.sys [08-05-15 19:16 ]
R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [08-01-17 12:34 ]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINNT\system32\Drivers\avgtdix.sys [08-06-06 23:47 ]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINNT\system32\DRIVERS\fetnd5bv.sys [07-09-21 19:24 ]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-15 22:19:04 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-23 21:00:01 C:\WINNT\Tasks\RegCure Program Check.job"
- D:\Josh from C\RegCure\RegCure.exe
"2008-07-17 14:06:20 C:\WINNT\Tasks\RegCure.job"
- D:\Josh from C\RegCure\RegCure.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{C1D2F57A-9944-435E-A16F-CA98B29D8884} - C:\WINNT\system32\yayaAQiH.dll
Toolbar-{A976B7DF-9CDC-436C-A5BA-D0CD8CB4A8AA} - (no file)
ShellExecuteHooks-{6809e580-a3a7-11d1-9a00-00a0c945b006} - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Local Page = C:\windows\system32\blank.htm
R0 -: HKLM-Main,Local Page = C:\windows\system32\blank.htm
O8 -: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 -: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

O16 -: DirectAnimation Java Classes - file://C:\WINNT\Java\classes\dajava.cab
C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINNT\Java\classes\xmldso.cab
C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 13:32:59
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\system32\nnnooOfe.dll
.
Completion time: 2008-08-25 13:38:18
ComboFix-quarantined-files.txt 2008-08-25 17:38:13

Pre-Run: 22,947,532,800 bytes free
Post-Run: 23,001,214,976 bytes free

221 --- E O F --- 2008-07-23 07:00:49

0

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

C:\WINNT\system32\yaywvtTM.dll
C:\WINNT\system32\byXPGyvt.dll
C:\WINNT\system32\rqRLcBrq.dll
C:\WINNT\system32\oolinlkh.dll
C:\WINNT\system32\fqibbb.dll
C:\WINNT\system32\arjekrfa.dll
C:\WINNT\system32\nnnooOfe.dll
C:\WINNT\system32\drivers\cdr4_2K.sys
C:\Program Files\delete.exe
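
An added example of how the list above can be pulled out of a ComboFix log mechanically; this is not ComboFix's code nor the helper's method, and the rules it applies are this example's own assumptions: a file registered under a load point ordinary software rarely uses (Browser Helper Objects, ShellExecuteHooks, Winlogon Notify, LSA Authentication Packages), a Run value pointing at a DLL instead of an executable, a DLL created directly in system32 during the reporting window, and the hidden+system .ini the log shows beside each such DLL, named with the DLL's name reversed (rqRLcBrq.dll beside qrBcLRqr.ini). The sample log is a constructed excerpt trimmed from the log posted in this thread. The output is a list of candidates for a multi-engine scan with the reason each was chosen; it is not a verdict.

```python
"""Triage a ComboFix-style log: list files worth sending to a multi-engine
scanner and why.  Added example, not ComboFix's own code; the rules below
are assumptions and yield candidates for scanning, not verdicts."""
import ntpath
import re

# Constructed excerpt, trimmed from the kind of log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.
2008-08-25 00:00 . 08-08-25 00:00 323,584 --------- C:\WINNT\system32\rqRLcBrq.dll
2008-08-25 00:00 . 08-08-25 00:01 347 --ahs---- C:\WINNT\system32\qrBcLRqr.ini
2008-08-24 21:07 . 08-08-24 21:07 323,584 --------- C:\WINNT\system32\yaywvtTM.dll
2008-08-24 21:07 . 08-08-24 23:48 347 --ahs---- C:\WINNT\system32\MTtvwyay.ini
2008-08-24 19:20 . 99-10-12 15:57 68,912 --a------ C:\WINNT\system32\drivers\USBAUDIO.sys
2008-08-24 14:58 . 08-08-24 14:58 <DIR> d-------- C:\Program Files\Microsoft Bootvis
2008-08-24 12:50 . 08-08-24 12:50 116,864 --a------ C:\WINNT\system32\fqibbb.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]
08-07-22 23:47 33152 --------- C:\WINNT\system32\nnnooOfe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"acf5173c"="C:\WINNT\system32\arjekrfa.dll" [08-08-24 12:48 94848]
"VTTimer"="VTTimer.exe" [05-03-08 03:33 53248 C:\WINNT\system32\VTTimer.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnooOfe]
08-07-22 23:47 33152 C:\WINNT\system32\nnnooOfe.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\rqRLcBrq
"""

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} .* (?P<size>[\d,]+) "
                        r"(?P<attrs>[-a-z]{9}) (?P<path>[A-Za-z]:\\.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\[\]]+")

# Load points that ordinary software almost never touches; anything registered
# there is worth a look.  Keys are substrings of the lowercased registry key.
SENSITIVE_KEYS = {
    "browser helper objects": "Browser Helper Object",
    "shellexecutehooks": "ShellExecuteHooks entry",
    "winlogon\\notify": "Winlogon Notify package",
    "control\\lsa": "LSA Authentication Package",
}


def _in_system32(path):
    return ntpath.dirname(path).lower().endswith("\\system32")


def triage(log_text):
    """Return {path: [reasons]} for files that deserve a multi-engine scan."""
    section, key = None, ""
    created = {}   # path -> attribute string, from the 'Files Created' section
    findings = {}

    def flag(path, reason):
        findings.setdefault(path, []).append(reason)

    for raw in log_text.splitlines():
        line = raw.strip()
        m = BANNER_RE.match(line)
        if m:   # ComboFix's parenthesis banners delimit the sections
            title = m.group(1)
            section = ("files" if title.startswith("Files Created")
                       else "reg" if title.startswith("Reg Loading Points") else None)
            continue
        if section == "files":
            m = CREATED_RE.match(line)
            if m:
                created[m.group("path")] = m.group("attrs")
        elif section == "reg":
            m = KEY_RE.match(line)
            if m:
                key = m.group(1).lower()
                continue
            for path in PATH_RE.findall(line):
                path = path.strip()
                if not ntpath.splitext(path)[1]:
                    path += ".dll"   # LSA package names are printed without extension
                for needle, label in SENSITIVE_KEYS.items():
                    if needle in key:
                        flag(path, f"registered as {label} under [{key}]")
                if key.endswith("\\run") and path.lower().endswith(".dll"):
                    flag(path, f"Run value {line.split('=')[0]} points at a DLL, not an executable")

    # DLLs dropped straight into system32 during the window, plus the hidden
    # system .ini the log shows beside each one, named with the DLL's name
    # reversed (rqRLcBrq.dll <-> qrBcLRqr.ini).
    by_name = {ntpath.basename(p).lower(): p for p in created}
    for path, attrs in created.items():
        stem, ext = ntpath.splitext(ntpath.basename(path))
        if ext.lower() != ".dll" or not _in_system32(path):
            continue
        flag(path, f"new DLL created directly in system32 (attrs {attrs})")
        mirror = by_name.get((stem[::-1] + ".ini").lower())
        if mirror and "h" in created[mirror] and "s" in created[mirror]:
            flag(path, f"hidden/system companion INI with reversed name: {ntpath.basename(mirror)}")
            flag(mirror, f"reversed-name companion of {ntpath.basename(path)}")
    return findings


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(path, "\n   - " + "\n   - ".join(reasons))
```

Run against the excerpt it flags the same system32 DLLs the helper listed, plus the reversed-name .ini companions that later went into the CFScript, while leaving VTTimer.exe and the USB audio driver alone; a legitimate product that registers an LSA or Winlogon package would be flagged too, which is why the output is a scan list and not a removal list.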

0

Hard to believe most of them had viruses and only 4 or 5 scanners detected them.


OK, well I just copied the page for each scan.


File: yaywvtTM.dll
Status: INFECTED/MALWARE
MD5: ea62b5390c1e1c59e8ed230771b8e1aa
Packers detected: -

Scanner results
Scan taken on 26 Jul 2008 03:50:12 (GMT)
A-Squared Found nothing
AntiVir Found TR/Vundo.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Vundo
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found Win32/Adware.Virtumonde.FP application
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Troj/Virtum-Gen
VirusBuster Found nothing
VBA32 Found nothing

File: byXPGyvt.dll
Status: INFECTED/MALWARE
MD5: 6b9b80c301808adb16a7f569b655e3d9
Packers detected: -

Scanner results
Scan taken on 26 Jul 2008 03:53:06 (GMT)
A-Squared Found nothing
AntiVir Found TR/Vundo.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Vundo
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found Win32/Adware.Virtumonde.FP application
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Troj/Virtum-Gen
VirusBuster Found nothing
VBA32 Found nothing

File: rqRLcBrq.dll
Status: INFECTED/MALWARE
MD5: 76e70eac009a3d9c095f15aafa9ae13e
Packers detected: -

Scanner results
Scan taken on 26 Jul 2008 03:55:40 (GMT)
A-Squared Found nothing
AntiVir Found TR/Vundo.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Vundo
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found Win32/Adware.Virtumonde.FP application
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Troj/Virtum-Gen
VirusBuster Found nothing
VBA32 Found nothing


File: oolinlkh.dll
Status: INFECTED/MALWARE
MD5: b2c06dbe4b47025ff6e299f21683a0b1
Packers detected: -

Scanner results
Scan taken on 26 Jul 2008 03:58:04 (GMT)
A-Squared Found nothing
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Vundo
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Virus.Trojan.Win32.Monderb
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Troj/Virtum-Gen
VirusBuster Found nothing
VBA32 Found nothing


File: fqibbb.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: b2c06dbe4b47025ff6e299f21683a0b1
Packers detected: -

Scanner results
Scan taken on 26 Jul 2008 04:00:26 (GMT)
A-Squared Found nothing
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Vundo
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Virus.Trojan.Win32.Monderb
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Troj/Virtum-Gen
VirusBuster Found nothing
VBA32 Found nothing

File: arjekrfa.dll
Status: INFECTED/MALWARE
MD5: b09b89aa1a328ef28235b4c6216a93e5
Packers detected: -

Scanner results
Scan taken on 26 Jul 2008 04:02:32 (GMT)
A-Squared Found nothing
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Vundo
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Trojan.Crypt.XPACK
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Troj/Virtum-Gen
VirusBuster Found nothing
VBA32 Found nothing


File: nnnooOfe.dll
Status: INFECTED/MALWARE
MD5: 50206e16eb1b95c275d0d5ea1eba4757
Packers detected: -

Scanner results
Scan taken on 26 Jul 2008 04:04:31 (GMT)
A-Squared Found nothing
AntiVir Found TR/Vundo.Gen
ArcaVir Found nothing
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found Generic10.BHHQ
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan.Win32.Monderb.ads
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found Trojan.Win32.Monderb.ads
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Troj/Virtum-Gen
VirusBuster Found nothing
VBA32 Found nothing

File: cdr4_2K.sys
Status: OK
MD5: 9880f86f4261699273f818ae50216b8c
Packers detected: -

Scanner results
Scan taken on 26 Jul 2008 04:06:27 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


File: delete.exe
Status: OK
MD5: eeebbecd173aa30fcb629900c56e6106
Packers detected: -

Scanner results
Scan taken on 26 Jul 2008 04:08:23 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

0

1. Please open Notepad: click Start, then Run.
Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll::

File::
C:\WINNT\system32\yaywvtTM.dll
C:\WINNT\system32\byXPGyvt.dll
C:\WINNT\system32\rqRLcBrq.dll
C:\WINNT\system32\oolinlkh.dll
C:\WINNT\system32\fqibbb.dll
C:\WINNT\system32\arjekrfa.dll
C:\WINNT\system32\nnnooOfe.dll
C:\WINNT\system32\qrBcLRqr.ini
C:\WINNT\system32\MTtvwyay.ini
C:\WINNT\system32\GNmSDfhk.ini
C:\WINNT\system32\tvyGPXyb.ini
C:\WINNT\system32\AIhPYJlm.ini
C:\WINNT\system32\qAJjkUtv.ini
C:\WINNT\system32\QYcKknmp.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aa7a9fe8-481f-4547-854b-d341bd9d604b}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"acf5173c"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{769D8280-A207-4EEA-9963-F8B156C32855}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnooOfe]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
Combofix.txt
A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attachments CFScript.gif 27.09 KB
0

OK, here they are

ComboFix 08-07-24.6 - Administrator 08/26/2008 10:37:01.2 - NTFSx86
Running from: C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
C:\WINNT\system32\AIhPYJlm.ini
C:\WINNT\system32\arjekrfa.dll
C:\WINNT\system32\byXPGyvt.dll
C:\WINNT\system32\fqibbb.dll
C:\WINNT\system32\GNmSDfhk.ini
C:\WINNT\system32\MTtvwyay.ini
C:\WINNT\system32\nnnooOfe.dll
C:\WINNT\system32\oolinlkh.dll
C:\WINNT\system32\qAJjkUtv.ini
C:\WINNT\system32\qrBcLRqr.ini
C:\WINNT\system32\QYcKknmp.ini
C:\WINNT\system32\rqRLcBrq.dll
C:\WINNT\system32\tvyGPXyb.ini
C:\WINNT\system32\yaywvtTM.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\AIhPYJlm.ini
C:\WINNT\system32\arjekrfa.dll
C:\WINNT\system32\byXPGyvt.dll
C:\WINNT\system32\fqibbb.dll
C:\WINNT\system32\GNmSDfhk.ini
C:\WINNT\system32\MTtvwyay.ini
C:\WINNT\system32\nnnooOfe.dll
C:\WINNT\system32\oolinlkh.dll
C:\WINNT\system32\qAJjkUtv.ini
C:\WINNT\system32\qrBcLRqr.ini
C:\WINNT\system32\QYcKknmp.ini
C:\WINNT\system32\rqRLcBrq.dll
C:\WINNT\system32\tvyGPXyb.ini
C:\WINNT\system32\yaywvtTM.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.

2008-08-25 13:45 . 08-08-25 14:05 347 --ahs---- C:\WINNT\system32\hiOXbccf.ini
2008-08-24 19:20 . 99-10-12 15:57 68,912 --a------ C:\WINNT\system32\drivers\USBAUDIO.sys
2008-08-24 19:20 . 99-10-12 15:57 68,912 --a--c--- C:\WINNT\system32\dllcache\usbaudio.sys
2008-08-24 14:58 . 08-08-24 14:58 <DIR> d-------- C:\Program Files\Microsoft Bootvis
2008-08-24 14:47 . 08-08-24 14:48 <DIR> d-------- C:\Program Files\Cacheman
2008-08-24 14:43 . 08-08-24 14:43 0 --a------ C:\WINNT\exctrlst.INI
2008-08-24 14:39 . 08-08-24 14:39 <DIR> d-------- C:\Program Files\Resource Kit
2008-08-24 13:42 . 08-08-24 16:59 <DIR> d-------- C:\Logs
2008-08-24 13:13 . 08-08-24 17:04 2,508 --a------ C:\WINNT\system32\tmp.reg
2008-08-24 13:12 . 07-09-06 00:22 289,144 --a------ C:\WINNT\system32\VCCLSID.exe
2008-08-24 13:12 . 06-04-27 17:49 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2008-08-24 13:12 . 08-05-29 09:35 86,528 --a------ C:\WINNT\system32\VACFix.exe
2008-08-24 13:12 . 08-05-18 21:40 82,944 --a------ C:\WINNT\system32\IEDFix.exe
2008-08-24 13:12 . 08-07-02 13:33 82,432 --a------ C:\WINNT\system32\IEDFix.C.exe
2008-08-24 13:12 . 08-05-23 18:21 81,920 --a------ C:\WINNT\system32\404Fix.exe
2008-08-24 13:12 . 03-06-05 21:13 53,248 --a------ C:\WINNT\system32\Process.exe
2008-08-24 13:12 . 04-07-31 18:50 51,200 --a------ C:\WINNT\system32\dumphive.exe
2008-08-24 13:12 . 07-10-04 00:36 25,600 --a------ C:\WINNT\system32\WS2Fix.exe
2008-08-24 12:48 . 08-08-25 00:01 619,490 ---hs---- C:\WINNT\system32\afrkejra.ini
2008-08-24 12:47 . 08-08-24 12:47 <DIR> d-------- C:\Deckard
2008-08-23 13:34 . 08-08-23 13:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-23 13:28 . 08-08-23 14:03 354 ---hs---- C:\WINNT\system32\umgvdosw.ini
2008-08-22 13:25 . 08-08-22 13:25 <DIR> d-------- C:\Program Files\Vbsedit
2008-08-22 13:25 . 08-08-22 13:25 <DIR> d-------- C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\Adersoft
2008-08-22 12:32 . 08-08-22 12:32 <DIR> d-------- C:\Xfire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 14:35 --------- d-----w C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\Hamachi
2008-08-25 18:39 --------- d-----w C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\Xfire
2008-08-22 20:38 --------- d-----w C:\Program Files\GetRight
2008-07-24 16:35 --------- d-----w C:\Program Files\EsetOnlineScanner
2008-07-24 16:19 --------- d-----w C:\Program Files\Quick Batch File Compiler
2008-07-24 02:51 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 02:51 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\Malwarebytes
2008-07-24 02:51 --------- d-----w C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\Malwarebytes
2008-07-24 00:09 38,472 ----a-w C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-07-24 00:09 17,144 ----a-w C:\WINNT\system32\drivers\mbam.sys
2008-07-23 21:48 --------- d-----w C:\Program Files\Batch File Compiler Professional Edition v4.0 DEMO
2008-07-23 21:20 --------- d-----w C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\uTorrent
2008-07-23 03:50 --------- d---a-w C:\Documents and Settings\All Users.WINNT\Application Data\TEMP
2008-07-23 00:48 58,000 ----a-w C:\WINNT\system32\drivers\cdr4_2K.sys
2008-07-23 00:48 57,344 ----a-w C:\WINNT\uneng.exe
2008-07-23 00:48 23,420 ----a-w C:\WINNT\system32\drivers\cdralw2k.sys
2008-07-23 00:48 --------- d---a-w C:\Program Files\Common Files\Adaptec Shared
2008-07-22 03:01 --------- d-----w C:\Program Files\BOTS
2008-07-21 21:31 --------- d-----w C:\Program Files\IzPack
2008-07-21 21:17 --------- d-----w C:\Program Files\Launch4j
2008-07-17 17:21 --------- d-----w C:\Program Files\Video DVD Maker
2008-07-17 17:21 --------- d-----w C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\Video DVD Maker FREE
2008-07-16 22:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-16 17:20 --------- d-----w C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\MP3Rocket
2008-07-16 14:13 --------- d-----w C:\Program Files\wise DVD Creator 8.0
2008-07-15 21:13 --------- d---a-w C:\Program Files\iPod
2008-07-15 20:53 --------- d-----w C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\Apple Computer
2008-07-15 20:52 --------- d---a-w C:\Program Files\iTunes
2008-07-15 20:52 --------- d---a-w C:\Documents and Settings\All Users.WINNT\Application Data\Apple Computer
2008-07-15 19:40 --------- d-----w C:\Program Files\FinalBurner
2008-07-15 19:07 --------- d-----w C:\Program Files\007DVD
2008-07-15 17:20 --------- d-----w C:\Program Files\Apple Software Update
2008-07-15 17:20 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\Apple
2008-07-15 17:01 --------- d---a-w C:\Program Files\QuickTime
2008-07-15 16:57 --------- d-----w C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\vlc
2008-07-15 16:54 --------- d-----w C:\Program Files\VideoLAN
2008-07-15 14:43 --------- d-----w C:\Program Files\MP3 Rocket
2008-07-15 14:42 --------- d---a-w C:\Program Files\Java
2008-07-13 17:12 --------- d---a-w C:\Program Files\Common Files\Pure Networks Shared
2008-07-13 17:12 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\Pure Networks
2008-07-08 19:14 --------- d-----w C:\Program Files\DAEMON Tools Toolbar
2008-07-08 19:14 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-07-08 19:07 717,296 ----a-w C:\WINNT\system32\drivers\sptd.sys
2008-07-08 19:07 --------- d-----w C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Application Data\DAEMON Tools
2008-07-08 17:06 --------- d-----w C:\Program Files\uTorrent
2008-07-08 16:24 25,280 ----a-w C:\WINNT\system32\drivers\hamachi.sys
2008-05-25 01:33 271 ---h--w C:\Program Files\desktop.ini
2008-05-25 01:33 21,952 ---h--w C:\Program Files\folder.htt
2008-03-08 03:58 0 ----a-w C:\Program Files\temp01
2005-01-21 00:53 45,056 ----a-r C:\Program Files\SetAttrib.exe
2004-11-30 07:23 40,960 ----a-r C:\Program Files\delete.exe
2003-01-01 11:38 9,143,496 ----a-w C:\Program Files\INSTALL_MSN_MESSENGER_NT.EXE
1999-12-07 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((( snapshot@Mon 2008-08-25_13.37.51.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-25 03:21:18 2,889,088 ----a-w C:\WINNT\system32\Macromed\Flash\NPSWF32.dll
+ 2008-03-25 03:21:20 218,496 ----a-w C:\WINNT\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-08-26 03:33:20 70,264 ----a-w C:\WINNT\system32\Macromed\Flash\uninstall_plugin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [07-09-04 19:40 6856704]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [08-07-08 12:22 486856]
"Cacheman"="C:\PROGRA~1\Cacheman\Cacheman.exe" [03-07-31 14:13 1290752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [02-05-03 10:40 4341760]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [08-01-08 17:20 451896]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [08-01-18 10:32 451896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [07-03-14 03:43 83608]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-06-14 16:24 278528]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"VTTimer"="VTTimer.exe" [05-03-08 03:33 53248 C:\WINNT\system32\VTTimer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

C:\Documents and Settings\Administrator.CORRINA-GFYHSR2\Start Menu\Programs\Startup\
Hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [2008-07-08 12:24:43 624416]
Xfire.lnk - D:\Josh from C\Xfire\xfire.exe [2008-07-15 19:09:02 3050832]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
GetRight.lnk - C:\Program Files\GetRight\GetRight.exe [2008-06-06 23:29:38 4628752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\fccbXOih

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

R0 videX32;videX32;C:\WINNT\system32\DRIVERS\videX32.sys [08-01-03 18:49 ]
R1 aswSP;avast! Self Protection;C:\WINNT\system32\drivers\aswSP.sys [08-05-15 19:20 ]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINNT\system32\Drivers\avgldx86.sys [08-06-06 23:47 ]
R2 aswFsBlk;aswFsBlk;C:\WINNT\system32\DRIVERS\aswFsBlk.sys [08-05-15 19:16 ]
R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [08-01-17 12:34 ]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINNT\system32\Drivers\avgtdix.sys [08-06-06 23:47 ]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINNT\system32\DRIVERS\fetnd5bv.sys [07-09-21 19:24 ]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2008-07-15 22:19:04 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-23 21:00:01 C:\WINNT\Tasks\RegCure Program Check.job"
- D:\Josh from C\RegCure\RegCure.exe
"2008-07-17 14:06:20 C:\WINNT\Tasks\RegCure.job"
- D:\Josh from C\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 10:41:21
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINNT\TEMP\_avast4_\unp135926609.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-08-26 10:50:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-26 14:50:36
ComboFix2.txt 2008-08-25 17:38:19

Pre-Run: 22,861,541,376 bytes free
Post-Run: 23,031,025,664 bytes free

199 --- E O F --- 2008-07-23 07:00:49


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45, on 2008-08-26
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\VTTimer.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\Program Files\GetRight\GetRight.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hamachi\hamachi.exe
D:\Josh from C\Xfire\xfire.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: Xfire.lnk = D:\Josh from C\Xfire\xfire.exe
O4 - Global Startup: GetRight.lnk = C:\Program Files\GetRight\GetRight.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - ALWIL Software - (no file)
O23 - Service: AVG8 WatchDog (avg8wd) - ALWIL Software - (no file)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINNT\PSEXESVC.EXE (file missing)

--
End of file - 6128 bytes


Is your anti-virus fully functional? How is the pc behaving now?

=

Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note: for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files. Once the files are downloaded, click on Next.
Click on Scan Settings and configure as follows: Scan using the following Anti-Virus database: Extended

Scan Options: Scan Archives
Scan Mail Bases


Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
