0

I have tried many things to try and get my desktop back; I have to go through the command prompts to do everything. UnHackMe did not work, AWC3 did not work, AML reg cleaner did not work, Daisy did not work, HijackThis did nothing, and Dr.Web CureIt had no effect either. Please Help Me!!

Last Post by jholland1964
0

We need a lot more information than you have given. Did you find and remove an infection from your computer? If so, HOW, what programs did you use? What exactly happened immediately BEFORE this problem developed? If you were using specific programs, what were they?
If you were surfing the web, where?
What is your operating system? What is your anti-virus program? What is your firewall?
HijackThis... you say it did nothing, but it is not a fixer program essentially. It is a scanner program. Were you able to generate a log with it? If so we need to see it.

0

I can post a log now from HijackThis. The other programs I used each said they removed viruses, but I have been running NOD32, and the number count for each virus removal program was in the 70's to 90's. So I don't know what to think. I am running Windows XP Media Edition, and the last thing I remember doing before this problem occurred was playing COD4. I shut down the comp and after I turned it on everything was gone.

Here is the HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:57 AM, on 9/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\TASKMAN.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\The Free Man\Desktop\launch(2).exe
C:\DOCUME~1\THEFRE~1\LOCALS~1\Temp\RarSFX1\_start.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [D-Link RangeBooster G WUA-2340] C:\Program Files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe
O4 - HKLM\..\Run: [TrayServer] C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3 Beta\AWC.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8758 bytes

0

Do you have any logs from your NOD program? That would really help if we could see at least one of these which shows what infections were removed and where they were located.
That said, there were several programs running when this HJT log was created that I, for one, would like to see turned off for the duration.
Now, while I am not familiar with Advanced SystemCare 3 and so cannot comment on its reliability, one thing I do see is that it is a BETA version, meaning that it is a TEST version, not the final version.
In fact the download page I found for this program DOES contain this warning:

Advanced Windows Care V2 is available for those not comfortable beta testing

So that tells you right there this is a TEST version.
I always recommend NOT using a BETA version of a program. A beta version is the first version released outside the organization or community that develops the software, for the purpose of evaluation or real-world testing. Beta version software is likely to be useful for internal demonstrations and previews to select customers, but unstable and not yet ready for release. A beta version usually contains all the features of what will be in the final version BUT also most likely contains known bugs and issues which hopefully will be worked out before the actual release of the finished program. Like I said, I always discourage ordinary folks from using any beta version, but ESPECIALLY anti-virus and anti-spy programs, and definitely programs which purport to remove or fix something which may be plaguing a computer. I also don't recommend this type of "fix it all" program, which Advanced SystemCare seems to be; also from the download page:

A one-click approach to help protect, repair and optimize your computer.

While this makes it seem easy, there is no one-click approach to cleaning or optimizing your computer. The better approach is to use several specialized FOCUSED programs.
I would recommend that you turn this program OFF or, better yet, uninstall it.
You are also running a P2P file sharing program, BitTorrent. A very likely way the infection came on in the first place. TURN this OFF for the duration, or better yet uninstall it.
You have the following unnecessary programs running:
iTunes, iPod, AIM, PunkBuster for sure.
Shut those off, along with that BitTorrent.

I suggest that you do the following, and please remove that Advanced SystemCare 3 program because it could interfere with any fixes done.
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.

* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Reboot the computer

Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us also.
Reboot the computer.
Run a NEW HiJackThis scan and save that log also. Post back here with all three requested logs.

0

The beta is gone along with BitTorrent. PunkBuster will not allow me to stop its process; it is denying my access. I have Malwarebytes running a full scan right now, and as for the log, I cannot access Internet Explorer. Is the ESET online scan compatible with Mozilla? I appreciate all the help you are giving me; I hope everything works out so I don't have to rely on Ubuntu.

0

OK, I have performed everything asked. Here they are as follows:

1) Malwarebytes log

Malwarebytes' Anti-Malware 1.28
Database version: 1210
Windows 5.1.2600 Service Pack 3

9/26/2008 10:31:30 PM
(log1)mbam-log-2008-09-26 (22-31-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 128516
Time elapsed: 40 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{f0d4b230-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{f0d4b23a-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{f0d4b23c-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{b15fd82e-85bc-430d-90cb-65db1b030510} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\AskSBar\bar\1.bin\A2HIGHIN.EXE (Trojan.Agent) -> No action taken.
C:\Program Files\AskSBar\bar\1.bin\A2PLUGIN.DLL (Adware.MyWebSearch) -> No action taken.
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> No action taken.
C:\Program Files\AskSBar\bar\1.bin\NPASKSBR.DLL (Trojan.Agent) -> No action taken.
C:\WINDOWS\BM43024f4c.xml (Trojan.Vundo) -> No action taken.

Task 2 - Trend Micro log

Detected vulnerabilities

Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412)

Transfering more information about this vulnerability...
An error occurred while trying to retrieve more information about this vulnerability. There is currently no more information available.
This update resolves a newly-discovered, privately-reported vulnerability that can allow a remote malicious user to run arbitrary codes on an affected system. A vulnerability that exi...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Exchange 2000 Server Service Pack 3
Microsoft Exchange Server 5.0 Service Pack 2
Microsoft Exchange Server 5.5 Service Pack 4
Microsoft Office 2000
Microsoft Office 2000 Service Pack 3
Microsoft Office 2003
Microsoft Office 2003 Service Pack 1
Microsoft Office XP
Microsoft Office XP Service Pack 3
Microsoft Outlook 2000
Microsoft Outlook 2002
Malware exploiting this vulnerability:  unknown
This update resolves a newly-discovered, privately-reported vulnerability that can allow a remote malicious user to run arbitrary codes on an affected system. A vulnerability that exists in Microsoft Outlook and Microsoft Exchange Server allows remote code execution because of the way they decode the Transport Neutral Encapsulation Format (TNEF) in the MIME attachment.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (905413)

Transfering more information about this vulnerability...
An error occurred while trying to retrieve more information about this vulnerability. There is currently no more information available.
If a user is logged on with administrative user rights on vulnerable versions of Microsoft Office, a malicious user who successfully exploits this vulnerability may take com...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel 2003 Viewer
Microsoft Excel 2004 for Mac
Microsoft Excel X for Mac
Microsoft Office 2000 Multilingual User Interface Packs
Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 1
Microsoft Office 2003 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office X for Mac
Microsoft Office XP Multilingual User Interface Packs
Microsoft Office XP Service Pack 3
Microsoft Outlook 2000
Microsoft Outlook 2002
Microsoft Word 2000
Microsoft Word 2002
Microsoft Works Suite 2000
Microsoft Works Suite 2001
Microsoft Works Suite 2002
Microsoft Works Suite 2003
Microsoft Works Suite 2004
Microsoft Works Suite 2005
Microsoft Works Suite 2006
Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Malware exploiting this vulnerability:  unknown
If a user is logged on with administrative user rights on vulnerable versions of Microsoft Office, a malicious user who successfully exploits this vulnerability may take complete control of the client workstation. The malicious user may then install programs; view, change, or delete data; or create new accounts with full user rights. Users with fewer user rights on the system based on their accounts could be less impacted than users with administrative user rights.
More information about this vulnerability and its elimination.

Vulnerability in Microsoft Word Could Allow Remote Code Execution (917336)

Transfering more information about this vulnerability...
An error occurred while trying to retrieve more information about this vulnerability. There is currently no more information available.
This vulnerability could allow remote attackers to execute arbitrary code via a specially-crafted document. This vulnerability exists in an object pointer, located in one of the data struct...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 1
Microsoft Office 2003 Service Pack 2
Microsoft Office XP Service Pack 3
Microsoft Word 2000
Microsoft Word 2002
Microsoft Word 2003
Microsoft Word Viewer 2003
Microsoft Works Suite 2000
Microsoft Works Suite 2001
Microsoft Works Suite 2002
Microsoft Works Suite 2003
Microsoft Works Suite 2004
Microsoft Works Suite 2005
Microsoft Works Suite 2006
Malware exploiting this vulnerability:  unknown
This vulnerability could allow remote attackers to execute arbitrary code via a specially-crafted document. This vulnerability exists in an object pointer, located in one of the data structures, being read while parsing the document. When a certain error occurs, this pointer can be manipulated to execute arbitrary codes.
More information about this vulnerability and its elimination.

Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution (916768)

Transfering more information about this vulnerability...
An error occurred while trying to retrieve more information about this vulnerability. There is currently no more information available.
This vulnerability allows remote code execution using a malformed record vulnerability. An attacker exploits this vulnerability by creating a PowerPoint file that does not crash PowerPoint program i...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 1
Microsoft Office 2003 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office X for Mac
Microsoft Office XP Service Pack 3
Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Microsoft PowerPoint 2003
Microsoft PowerPoint 2004
Microsoft Powerpoint X for Mac
Malware exploiting this vulnerability:  unknown
This vulnerability allows remote code execution using a malformed record vulnerability. An attacker exploits this vulnerability by creating a PowerPoint file that does not crash PowerPoint program itself when opened by a user. If a user with administrative user rights opens the said file, an attacker who successfully exploits this vulnerability may take complete control of the system.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

Transfering more information about this vulnerability...
An error occurred while trying to retrieve more information about this vulnerability. There is currently no more information available.
This security advisory resolves several vulnerabilities in Microsoft Excel, which, when exploited, could allow attackers to take complete control over an af...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel 2003 Viewer
Microsoft Excel 2004 for Mac
Microsoft Excel X for Mac
Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 1
Microsoft Office 2003 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office v. X for Mac
Microsoft Office XP Service Pack 3
Malware exploiting this vulnerability:  unknown
This security advisory resolves several vulnerabilities in Microsoft Excel, which, when exploited, could allow attackers to take complete control over an affected system.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution

Transfering more information about this vulnerability...
An error occurred while trying to retrieve more information about this vulnerability. There is currently no more information available.
A vulnerability in the way Microsoft Office parses a PNG or GIF file before it passes to the allocated buffer could allow remote attackers to remotely execute a...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 1
Microsoft Office 2003 Service Pack 2
Microsoft Office OneNote 2003
Microsoft Office XP Service Pack 3
Microsoft Project 2000
Microsoft Project 2002
Microsoft Project 2003
Microsoft Works Suite 2004
Microsoft Works Suite 2005
Microsoft Works Suite 2006
Malware exploiting this vulnerability:  unknown
A vulnerability in the way Microsoft Office parses a PNG or GIF file before it passes to the allocated buffer could allow remote attackers to remotely execute arbitrary code on an affected system via a specially-crafted PNG or GIF file.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

Transfering more information about this vulnerability...
An error occurred while trying to retrieve more information about this vulnerability. There is currently no more information available.
This update resolves two newly discovered, privately reported and public vulnerabilities. Each vulnerability is documented. For details, refer to the descri...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Office 2000 Service Pack 3
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 1 or Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office v. X for Mac
Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Microsoft Office PowerPoint 2003
PowerPoint 2004 for Mac
PowerPoint 2004 v. X for Mac
Malware exploiting this vulnerability:  unknown
This update resolves two newly discovered, privately reported and public vulnerabilities. Each vulnerability is documented. For details, refer to the description of the CVEIDs enumerated.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (924163)

Transfering more information about this vulnerability...
An error occurred while trying to retrieve more information about this vulnerability. There is currently no more information available.
This update addresses several vulnerabilities, which when successfully exploited, could allow remote code execution, in several versions of Microsoft PowerPoint. To exploit the said vulnerabilities, a remote user may design a Web site t...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 1
Microsoft Office 2003 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office v. X for Mac
Microsoft Office XP Service Pack 3
Microsoft Powerpoint 2000
Microsoft PowerPoint 2002
Microsoft PowerPoint 2003
Microsoft PowerPoint 2004
Microsoft PowerPoint v. X for Mac
Malware exploiting this vulnerability:  unknown
This update addresses several vulnerabilities, which when successfully exploited, could allow remote code execution, in several versions of Microsoft PowerPoint. To exploit the said vulnerabilities, a remote user may design a Web site that hosts a PowerPoint (.PPT) file used to exploit this vulnerability. The said vulnerabilities may also be exploited via email, where a remote user sends an email message with a malicious .PPT file attached. Once exploited, the remote malicious user gains control of the system. Users who have fewer rights are less affected than users with administrative rights.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (924164)

Transfering more information about this vulnerability...
An error occurred while trying to retrieve more information about this vulnerability. There is currently no more information available.
This update addresses several vulnerabilities, which when successfully exploited, could allow remote code execution, in several versions of Microsoft Excel. To exploit the said vulnerabilities, a remote user may design a Web site that h...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Excel 2002
Microsoft Excel v. X for Mac
Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 1
Microsoft Office 2003 Service Pack 2
Microsoft Office v. X for Mac
Microsoft Office XP Service Pack 3
Microsoft Works Suite 2004
Microsoft Works Suite 2005
Microsoft Works Suite 2006
Microsoft Excel 2003 Viewer
Microsoft Office 2004 for Mac
Microsoft Excel 2004 for Mac
Malware exploiting this vulnerability:  unknown
This update addresses several vulnerabilities, which when successfully exploited, could allow remote code execution, in several versions of Microsoft Excel. To exploit the said vulnerabilities, a remote user may design a Web site that hosts an Excel (.XLS) file used to exploit this vulnerability. The said vulnerabilities may also be exploited via email, where a remote user sends an email message with a malicious .XLS file attached. Once exploited, the remote malicious user gains control of the system. Users who have fewer rights are less affected than users with administrative rights.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (924554)

Transfering more information about this vulnerability...
An error occurred while trying to retrieve more information about this vulnerability. There is currently no more information available.
A vulnerability exists in the way Word parses a file containing a malformed string; opens a specially-crafted mail merge file, opens a specially-crafted file with a malformed s...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Office 2000 Service Pack 3
Microsoft Word 2000
Microsoft Office XP Service Pack 2
Microsoft Office XP Service Pack 3
Microsoft Works Suite 2004
Microsoft Works Suite 2005
Microsoft Works Suite 2006
Microsoft Office v. X for Mac
Microsoft Word 2003
Microsoft Word 2003 Viewer
Microsoft Office 2004 for Mac
Microsoft Office XP Service Pack 1
Malware exploiting this vulnerability:  unknown
A vulnerability exists in the way Word parses a file containing a malformed string; opens a specially-crafted mail merge file, opens a specially-crafted file with a malformed stack, and when Word for Mac opens a specially-crafted file that contains a malformed string.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (927198)

Affected programs and services: Microsoft Office 2000 Service Pack 3
Microsoft Excel 2000
Microsoft Office XP Service Pack 3
Microsoft Excel 2002
Microsoft Office 2003 Service Pack 2
Microsoft Excel 2003
Microsoft Office Excel Viewer 2003
Microsoft Works Suite 2004
Microsoft Works Suite 2005
Microsoft Office 2004 for Mac
Microsoft Office v. X for Mac
Malware exploiting this vulnerability:  unknown
This update resolves vulnerabilities in Microsoft Excel that could allow remote code execution. An attacker could exploit the said vulnerabilities when Excel parses a file and processes a malformed IMDATA, Column, or Palette record. The vulnerabilities, however, cannot be exploited automatically through email. For an attack to be successful, a user must open an attachment to the email message. The attacker who successfully exploited the vulnerabilities could take full control of an affected system and could gain the same user rights as the local user, like install applications, and view and change data.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft Outlook Could Allow Remote Code Execution (925938)

Affected programs and services: Microsoft Office 2000 Service Pack 3
Microsoft Outlook 2000
Microsoft Office XP Service Pack 3
Microsoft Outlook 2002
Microsoft Office 2003 Service Pack 2
Microsoft Outlook 2003
Malware exploiting this vulnerability:  unknown
This update resolves vulnerabilities in Microsoft Outlook that could allow remote code execution when Outlook parses a file and processes a malformed VEVENT record or an Office Saved Searches (.OSS) file. The attacker who successfully exploited the vulnerabilities could take full control of an affected system and could gain the same user rights as the local user, like install applications, and view and change data. One of the vulnerabilities, however, is only a denial of service vulnerability, causing an affected system to stop responding.
More information about this vulnerability and its elimination.

Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution (918118)

Affected programs and services: Microsoft Access 2000
Microsoft Access 2002
Microsoft Access 2003
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft FrontPage 2000
Microsoft FrontPage 2002
Microsoft FrontPage 2003
Microsoft Global Input Method Editor for Office 2000 (Japanese)
Microsoft InfoPath 2003
Microsoft Learning Essentials 1.0, 1.1 and 1.5 for Microsoft Office
Microsoft Office 2000 Multilanguage Packs
Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office XP Service Pack 3
Microsoft OneNote 2003
Microsoft Outlook 2000
Microsoft Outlook 2002
Microsoft Outlook 2003
Microsoft Powerpoint 2000
Microsoft PowerPoint 2002
Microsoft PowerPoint 2003
Microsoft Project 2000 Service Release 1
Microsoft Project 2002 Service Pack 1
Microsoft Publisher 2000
Microsoft Publisher 2002
Microsoft Publisher 2003
Microsoft Visio 2002 Service Pack 2
Microsoft Visio 2003
Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Service Pack 2
Microsoft Word 2000
Microsoft Word 2002
Microsoft Word 2003
Microsoft Word 2003 Viewer
Malware exploiting this vulnerability:  unknown
This update resolves a newly discovered, privately reported vulnerability in the RichEdit component in Microsoft Windows and Microsoft Office. When successfully exploited by a remote malicious user, these vulnerabilities allow the said user to gain control of the affected system. Users who are currently logged on with administrative user rights are more vulnerable than users who have fewer user rights.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (932554)

Affected programs and services: Microsoft Access 2000
Microsoft Access 2002
Microsoft Access 2003
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel 2003 Viewer
Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office XP Service Pack 3
Microsoft OneNote 2003
Microsoft Outlook 2000
Microsoft Outlook 2002
Microsoft Outlook 2003
Microsoft Powerpoint 2000
Microsoft PowerPoint 2002
Microsoft PowerPoint 2003
Microsoft Project 2000 Service Release 1
Microsoft Project 2002 Service Pack 1
Microsoft Project 2003
Microsoft Publisher 2000
Microsoft Publisher 2002
Microsoft Publisher 2003
Microsoft Visio 2002
Microsoft Visio 2002 Service Pack 2
Microsoft Visio 2003
Microsoft Word 2000
Microsoft Word 2002
Microsoft Word 2003
Microsoft Word 2003 Viewer
Malware exploiting this vulnerability:  unknown
This update addresses two newly discovered, privately and publicly reported vulnerabilities. When successfully exploited by a remote malicious user, these vulnerabilities allow the said user to gain control of the affected system. Users who are currently logged on with administrative user rights are more vulnerable than users who have fewer user rights.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233)

Affected programs and services: 2007 Microsoft Office System
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel 2003 Viewer
Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office 2007
Microsoft Office Compatibility Pack for Word, Excel and PowerPoint 2007 File Formats
Microsoft Office XP Service Pack 3
Malware exploiting this vulnerability:  unknown
This security advisory addresses several vulnerabilities in Microsoft Excel. These vulnerabilities exist because of the way Microsoft Excel handles specially crafted files that contain malformed records or font values. Once successfully exploited, these vulnerabilities allow an attacker to gain user rights similar to the currently logged on user.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232)

Affected programs and services: Microsoft Internet Explorer 5.01 Service Pack 4 (Microsoft Windows 2000 Service Pack 4)
Microsoft Internet Explorer 6 (Microsoft Windows Server 2003 with SP1 for Itanium-based Systems)
Microsoft Internet Explorer 6 (Microsoft Windows Server 2003 x64 Edition)
Microsoft Internet Explorer 6 (Microsoft Windows XP Professional x64 Edition)
Microsoft Internet Explorer 6 (Microsoft Windows XP Service Pack 2)
Microsoft Internet Explorer 6 (Windows Server 2003 for Itanium-based Systems)
Microsoft Internet Explorer 6 Service Pack 1 (Microsoft Windows 2000 Service Pack 4)
Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Service Pack 2
Malware exploiting this vulnerability:  unknown
This security bulletin replaces Microsoft Security Bulletin MS07-014 and resolves three vulnerabilities affecting Microsoft Word. The Word Array Overflow Vulnerability (CVE-2007-0035) could allow a remote malicious user to gain the same user rights as the local user because of the way Microsoft Word handles data within an array. The Word Document Stream Vulnerability (CVE-2007-0870) could allow a remote malicious user to gain the same user rights as the local user because of the way Microsoft Word handles a specially crafted Word Document stream. The Word RTF Parsing Vulnerability (CVE-2007-1202) could allow a remote malicious user to gain the same user rights as the local user because of the way Microsoft Word parses certain rich text properties within a file.
More information about this vulnerability and its elimination.

Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)

Affected programs and services: 2007 Microsoft Office System
Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office XP Service Pack 3
Malware exploiting this vulnerability:  unknown
This update replaces security update MS07-015. A remote code execution vulnerability exists in the way Microsoft Office handles a specially crafted drawing object, which may be included as an attachment to an email message or hosted on a malicious Web site. A remote malicious user could exploit this vulnerability by constructing a specially crafted Office file containing a malformed drawing object that could allow remote code execution.
More information about this vulnerability and its elimination.

MS07-036

Affected programs and services: unknown
Malware exploiting this vulnerability:  unknown
More information about this vulnerability and its elimination.

Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227)

Affected programs and services: Microsoft Office 2003 Service Pack 2
Microsoft Office Groove Server 2007
Microsoft Office SharePoint Server
Windows 2000 Service Pack 4
Windows Server 2003 Service Pack 1
Windows Server 2003 Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition
Windows Server 2003 x64 Edition Service Pack 2
Windows Vista
Windows Vista x64 Edition
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition Service Pack 2
Windows XP Service Pack 2
Malware exploiting this vulnerability:  unknown
This critical security update resolves a privately reported vulnerability. This vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. The vulnerability could be exploited through attacks on Microsoft XML Core Services. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
More information about this vulnerability and its elimination.

Vulnerability in Microsoft Excel Could Allow Remote Code Execution (940965)

Affected programs and services: Microsoft Office 2000 Service Pack 3
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 2
Microsoft Office 2004 for Mac
Malware exploiting this vulnerability:  unknown
This security update resolves a privately reported vulnerability in addition to other security issues identified during the course of the investigation. These vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
More information about this vulnerability and its elimination.

Vulnerability in Microsoft Word Could Allow Remote Code Execution (947077)

Affected programs and services: Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 2
Microsoft Office XP Service Pack 3
Malware exploiting this vulnerability:  unknown
This critical update resolves a remote code execution vulnerability caused by a memory calculation error when parsing a specially crafted Word file.
More information about this vulnerability and its elimination.

Vulnerability in Microsoft Office Could Allow Remote Code Execution (947108)

Affected programs and services: Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office XP Service Pack 3
Malware exploiting this vulnerability:  unknown
This security advisory resolves a vulnerability in Microsoft Office that allows remote code execution if a user opens a specially crafted Microsoft Office file with a malformed object inserted into the document.
More information about this vulnerability and its elimination.

task 3 - HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:39 AM, on 9/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [D-Link RangeBooster G WUA-2340] C:\Program Files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe
O4 - HKLM\..\Run: [TrayServer] C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8023 bytes

I hope this gives you all the information you need. And by the way, thank you again.

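A small triage script over the kind of log posted above, written as an added example for this thread; it is not part of HijackThis and not something the helper posted. It strips the forum's [url] BBCode, parses the O3/O4/O16/O23 line shapes and flags what a helper checks by eye (orphaned add-ons, Run entries with no directory, downloaded ActiveX controls, services with no publisher). The sample lines are copied from the log above; the heuristics are assumptions of mine and only mark items to verify, not infections.

```python
"""Triage helper for HijackThis v2 log lines (added example, not part of HijackThis)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the log posted above, BBCode [url] tags included
# exactly as the forum rendered them.
SAMPLE_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.myspace.com/[/url]",
    r"O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)",
    r"O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE",
    r'O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice',
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - [url]http://upload.facebook.com/controls/FacebookPhotoUploader5.cab[/url]",
    r"O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe",
    r"O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe",
    r"O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

BBCODE_RE = re.compile(r"\[/?url\]")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")


@dataclass
class Finding:
    code: str      # HijackThis section code, e.g. "O4"
    reason: str    # why a helper would look at this line
    line: str      # the cleaned log line


def executable_of(cmd: str) -> str:
    """Return the program part of a Run command: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_line(raw: str) -> Optional[Finding]:
    """Apply the heuristics to one line; None means nothing to flag."""
    line = BBCODE_RE.sub("", raw).rstrip()
    code = line.split(" - ", 1)[0]
    if code in ("O2", "O3") and line.endswith("(no file)"):
        # A BHO/toolbar CLSID still registered but its DLL is gone: orphan of
        # an uninstall or of a removal tool; harmless but worth cleaning.
        return Finding(code, "registered add-on with no backing file", line)
    if code == "O4":
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if "\\" not in exe and "%" not in exe:
                # Bare filename: Windows resolves it by PATH search at logon,
                # so a same-named file earlier in the PATH would run instead.
                return Finding(code, f"Run entry '{exe}' has no directory; resolved via PATH", line)
    if code == "O16":
        m = O16_RE.match(line)
        if m:
            host = m.group("url").split("/")[2]
            # DPF entries are ActiveX controls IE downloaded; check the host.
            return Finding(code, f"ActiveX control downloaded from {host}", line)
    if code == "O23":
        # Service lines are "name - publisher - path"; the name itself can
        # contain " - " (see the MAGIX Firebird line), so split from the right.
        parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
        if len(parts) == 3 and parts[1] == "Unknown owner":
            return Finding(code, f"service '{parts[0]}' has no publisher; verify {parts[2]}", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged lines."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

On the sample above it flags the orphaned Google toolbar, the bare CTHELPER.EXE Run entry, the Facebook uploader control and the ATI Smart service, and leaves the fully-pathed ESET entries and the MAGIX service alone.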
0

OK, you MISSED the key portion of the Malwarebytes' Anti-Malware program and you do need to run it again and complete the instructions:

* Be sure that everything is checked, and click Remove Selected.

The scan found infections and they need to be removed. Please UPDATE the program again and Select Everything found and fix it.
Reboot the computer.

Once you have done this then do the following;

Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open windows, including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program; click Run.
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.

When all is complete then please post back here with the MBA-M log and the ComboFix log.

Judy

0

Here are both log reports.

MBAM - Malwarebytes' Anti-Malware 1.27
Database version: 1127
Windows 5.1.2600 Service Pack 2

9/29/2008 3:11:23 PM
mbam-log-2008-09-29 (15-11-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 121576
Time elapsed: 30 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix - ComboFix 08-09-28.01 - The Free Man 2008-09-29 15:13:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1577 [GMT -4:00]
Running from: C:\Documents and Settings\The Free Man\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_005638_.tmp.dll
C:\WINDOWS\system32\_005639_.tmp.dll
C:\WINDOWS\system32\_005640_.tmp.dll
C:\WINDOWS\system32\_005641_.tmp.dll
C:\WINDOWS\system32\_005644_.tmp.dll
C:\WINDOWS\system32\_005648_.tmp.dll
C:\WINDOWS\system32\_005649_.tmp.dll
C:\WINDOWS\system32\_005650_.tmp.dll
C:\WINDOWS\system32\_005651_.tmp.dll
C:\WINDOWS\system32\_005653_.tmp.dll
C:\WINDOWS\system32\_005654_.tmp.dll
C:\WINDOWS\system32\_005657_.tmp.dll
C:\WINDOWS\system32\_005658_.tmp.dll
C:\WINDOWS\system32\_005661_.tmp.dll
C:\WINDOWS\system32\_005664_.tmp.dll
C:\WINDOWS\system32\_005667_.tmp.dll
C:\WINDOWS\system32\_005668_.tmp.dll
C:\WINDOWS\system32\_005673_.tmp.dll
C:\WINDOWS\system32\_005675_.tmp.dll
C:\WINDOWS\system32\_005678_.tmp.dll
C:\WINDOWS\system32\_005680_.tmp.dll
C:\WINDOWS\system32\_005681_.tmp.dll
C:\WINDOWS\system32\_005682_.tmp.dll
C:\WINDOWS\system32\_005683_.tmp.dll
C:\WINDOWS\system32\_005684_.tmp.dll
C:\WINDOWS\system32\_005687_.tmp.dll
C:\WINDOWS\system32\_005688_.tmp.dll
C:\WINDOWS\system32\_005689_.tmp.dll
C:\WINDOWS\system32\_005690_.tmp.dll
C:\WINDOWS\system32\_005691_.tmp.dll
C:\WINDOWS\system32\_005696_.tmp.dll
C:\WINDOWS\system32\_005698_.tmp.dll
C:\WINDOWS\system32\_005699_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-29 )))))))))))))))))))))))))))))))
.

2008-09-29 12:39 . 2008-04-14 05:42 1,135,616 --a------ C:\WINDOWS\system32\SET127D.tmp
2008-09-29 12:39 . 2008-04-14 05:42 354,304 --a------ C:\WINDOWS\system32\SET1287.tmp
2008-09-29 12:39 . 2008-04-14 05:40 177,152 --a------ C:\WINDOWS\system32\SET12A2.tmp
2008-09-29 12:39 . 2008-04-14 05:42 80,896 --a------ C:\WINDOWS\system32\SET1284.tmp
2008-09-29 12:39 . 2008-04-14 05:42 32,256 --a------ C:\WINDOWS\system32\SET1279.tmp
2008-09-29 12:39 . 2008-04-14 05:42 6,656 --a------ C:\WINDOWS\system32\SET127B.tmp
2008-09-29 12:37 . 2008-04-14 05:42 471,552 --a------ C:\WINDOWS\system32\SET5FD.tmp
2008-09-29 12:37 . 2008-04-14 05:41 95,744 --a------ C:\WINDOWS\system32\SET603.tmp
2008-09-29 12:35 . 2008-04-14 05:42 8,461,312 --a------ C:\WINDOWS\system32\SET1D9.tmp
2008-09-29 12:34 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003780_.tmp
2008-09-29 12:27 . 2008-09-29 12:41 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-29 12:20 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-09-29 12:20 . 2004-08-10 04:13 73,728 --a--c--- C:\WINDOWS\system32\dllcache\ehresja.dll
2008-09-29 12:20 . 2004-08-10 04:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresko.dll
2008-09-29 12:20 . 2004-08-10 04:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresfr.dll
2008-09-29 12:20 . 2004-08-10 04:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresde.dll
2008-09-29 12:20 . 2004-08-10 04:13 61,440 --a--c--- C:\WINDOWS\system32\dllcache\ehreschs.dll
2008-09-29 12:20 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-09-29 12:20 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-09-29 12:20 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-09-29 12:20 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-09-29 12:18 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-09-29 12:17 . 2004-08-10 08:00 571,392 --a------ C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-09-29 12:16 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-09-29 12:15 . 2001-08-17 14:56 147,200 --a--c--- C:\WINDOWS\system32\dllcache\smidispb.dll
2008-09-29 12:14 . 2001-08-17 22:36 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-09-29 12:13 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-09-29 12:12 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-09-29 12:11 . 2004-08-10 08:00 482,304 --a------ C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-09-29 12:10 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-09-29 12:09 . 2001-08-17 12:11 128,000 --a--c--- C:\WINDOWS\system32\dllcache\n100325.sys
2008-09-29 12:08 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-09-29 12:07 . 2001-08-17 22:36 372,824 --a--c--- C:\WINDOWS\system32\dllcache\iconf32.dll
2008-09-29 12:06 . 2004-08-10 08:00 10,096,640 --a--c--- C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-09-29 12:05 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-09-29 12:04 . 2001-08-17 12:17 629,952 --a--c--- C:\WINDOWS\system32\dllcache\eqn.sys
2008-09-29 12:03 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-09-29 12:02 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-09-29 12:01 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-09-29 12:00 . 2004-08-10 08:00 169,984 --a--c--- C:\WINDOWS\system32\dllcache\iisui.dll
2008-09-29 12:00 . 2004-08-10 08:00 94,720 --a--c--- C:\WINDOWS\system32\dllcache\certmap.ocx
2008-09-29 12:00 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-09-29 12:00 . 2004-08-10 08:00 19,968 --a--c--- C:\WINDOWS\system32\dllcache\inetsloc.dll
2008-09-29 12:00 . 2004-08-10 08:00 14,336 --a--c--- C:\WINDOWS\system32\dllcache\iisreset.exe
2008-09-29 12:00 . 2004-08-10 08:00 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe
2008-09-29 12:00 . 2004-08-10 08:00 7,168 --a--c--- C:\WINDOWS\system32\dllcache\wamregps.dll
2008-09-29 12:00 . 2004-08-10 08:00 6,144 --a--c--- C:\WINDOWS\system32\dllcache\ftpsapi2.dll
2008-09-29 12:00 . 2004-08-10 08:00 5,632 --a--c--- C:\WINDOWS\system32\dllcache\iisrstap.dll
2008-09-29 12:00 . 2004-08-10 08:00 4,639 --a------ C:\WINDOWS\system32\dllcache\mplayer2.exe
2008-09-29 11:57 . 2008-09-29 13:21 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-09-29 11:47 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-09-29 11:32 . 2008-09-29 11:32 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-09-29 11:30 . 2008-09-29 11:31 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-09-29 11:17 . 2008-09-29 11:17 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-09-29 11:11 . 2008-09-29 15:15 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-09-29 11:11 . 2008-09-29 15:15 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-09-29 10:56 . 2004-08-10 08:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-09-29 10:56 . 2008-09-29 10:56 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-09-29 10:56 . 2008-09-29 10:56 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-09-29 10:56 . 2008-09-29 10:56 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-09-29 10:56 . 2008-09-29 10:56 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-09-29 10:56 . 2008-09-29 10:56 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-09-29 10:56 . 2008-09-29 10:56 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-09-29 10:25 . 2004-08-10 08:00 1,086,058 -ra------ C:\WINDOWS\SET8A.tmp
2008-09-29 10:25 . 2004-08-10 08:00 106,147 -ra------ C:\WINDOWS\SET87.tmp
2008-09-29 10:25 . 2004-08-10 08:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-09-29 10:25 . 2004-08-10 08:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-09-29 10:25 . 2004-08-10 08:00 13,753 -ra------ C:\WINDOWS\SET96.tmp
2008-09-29 10:25 . 2004-08-10 08:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-09-29 10:25 . 2004-08-10 08:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-09-29 09:15 . 2008-09-29 09:17 <DIR> d-------- C:\WINDOWS\system32\Catroot2.old
2008-09-29 09:11 . 2008-09-29 09:11 5,251,072 --a------ C:\WINDOWS\sectest.db
2008-09-28 20:20 . 2008-09-28 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Geek Squad
2008-09-26 23:10 . 2008-09-27 01:20 <DIR> d-------- C:\Documents and Settings\The Free Man\.housecall6.6
2008-09-26 13:12 . 2008-09-29 13:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-26 13:12 . 2008-09-26 13:12 <DIR> d-------- C:\Documents and Settings\The Free Man\Application Data\Malwarebytes
2008-09-26 13:12 . 2008-09-26 13:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-26 13:12 . 2008-09-08 00:11 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-26 13:12 . 2008-09-08 00:11 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-25 22:13 . 2008-09-25 22:13 <DIR> d-------- C:\Program Files\ATI
2008-09-23 21:05 . 2008-06-30 11:30 188,547 --a------ C:\wubildr
2008-09-23 21:05 . 2008-06-30 11:30 8,192 --a------ C:\wubildr.mbr
2008-09-23 21:00 . 2008-09-23 21:00 <DIR> d-------- C:\ubuntu
2008-09-23 20:01 . 2008-09-23 20:40 <DIR> d-------- C:\Documents and Settings\The Free Man\Application Data\InfraRecorder
2008-09-23 19:58 . 2008-09-23 19:58 <DIR> d-------- C:\Program Files\InfraRecorder
2008-09-23 19:16 . 2008-09-23 19:16 <DIR> d-------- C:\Program Files\Alex Feinman
2008-09-23 17:38 . 2008-09-23 17:39 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-09-22 23:50 . 2008-09-23 00:03 <DIR> d-------- C:\Documents and Settings\The Free Man\DoctorWeb
2008-09-22 23:37 . 2008-09-22 23:37 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-22 23:34 . 2008-09-22 23:46 <DIR> d-------- C:\SDFix
2008-09-22 23:28 . 2008-09-22 23:28 <DIR> d-------- C:\_OTMoveIt
2008-09-22 23:15 . 2008-09-22 23:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-22 21:12 . 2008-09-22 21:12 <DIR> d-------- C:\Program Files\IObit
2008-09-22 21:12 . 2008-09-22 22:30 <DIR> d-------- C:\Documents and Settings\The Free Man\Application Data\IObit
2008-09-22 21:12 . 2008-04-17 16:19 90,668 --a------ C:\WINDOWS\system32\vobis32.dll
2008-09-22 20:53 . 2008-09-22 20:53 <DIR> d-------- C:\Program Files\AML Products
2008-09-22 20:53 . 2000-05-22 16:58 608,448 --a------ C:\WINDOWS\system32\comctl32.ocx
2008-09-22 20:34 . 2008-09-22 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-09-17 16:17 . 2008-09-22 15:02 <DIR> d-------- C:\RootkitNO
2008-09-17 16:16 . 2008-09-22 20:31 <DIR> d-------- C:\Program Files\UnHackMe
2008-09-17 16:16 . 2008-09-17 16:16 (2) -rahs-ot- C:\WINDOWS\winstart.bat
2008-09-17 01:38 . 2008-09-17 16:25 874,481 --ahs---- C:\WINDOWS\system32\LmmnoUvw.ini2
2008-09-17 01:36 . 2008-09-18 02:11 <DIR> d-------- C:\ConverterOutput
2008-09-17 01:33 . 2008-09-17 01:33 <DIR> d-------- C:\Program Files\Cucusoft
2008-09-11 12:48 . 2008-09-11 12:48 <DIR> d-------- C:\Program Files\iTunes
2008-09-11 12:48 . 2008-09-11 12:48 <DIR> d-------- C:\Program Files\iPod
2008-09-11 12:48 . 2008-09-11 12:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-11 12:43 . 2008-09-05 22:16 1,900,544 --a------ C:\WINDOWS\system32\usbaaplrc.dll
2008-09-11 12:43 . 2008-09-05 22:16 36,864 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-09-09 13:40 . 2008-09-09 22:25 <DIR> d-------- C:\Program Files\Project64 v1.5
2008-09-07 22:01 . 2008-09-25 21:57 4,096 --a------ C:\WINDOWS\system32\crash
2008-09-07 19:33 . 2008-09-07 19:33 <DIR> d-------- C:\Program Files\Multimedia Card Reader
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-09-01 23:50 . 2008-09-01 23:50 376 --a------ C:\WINDOWS\ODBC.INI
2008-09-01 23:49 . 2008-09-01 23:49 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-09-01 23:49 . 2008-09-01 23:49 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-09-01 09:39 . 2008-09-01 09:39 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-01 09:39 . 2008-09-01 09:39 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-01 09:39 . 2008-09-01 09:39 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-01 09:39 . 2008-09-01 09:39 <DIR> d-------- C:\WINDOWS\l2schemas

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-29 02:21 --------- d-----w C:\Program Files\DIGStream
2008-09-27 03:48 --------- d-----w C:\Program Files\BAE
2008-09-27 02:35 --------- d-----w C:\Program Files\Conduit
2008-09-26 17:02 --------- d-----w C:\Program Files\FrostWire
2008-09-26 17:02 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-09-26 02:39 137,480 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-09-23 03:20 --------- d-----w C:\Program Files\Google
2008-09-22 14:36 --------- d-----w C:\Documents and Settings\The Free Man\Application Data\DNA
2008-09-21 14:45 --------- d-----w C:\Documents and Settings\The Free Man\Application Data\Vso
2008-09-17 20:07 --------- d-----w C:\Program Files\DNA
2008-09-16 14:23 --------- d-----w C:\Documents and Settings\The Free Man\Application Data\Xfire
2008-09-11 16:46 --------- d-----w C:\Program Files\QuickTime
2008-08-30 23:36 --------- d-----w C:\Documents and Settings\The Free Man\Application Data\U3
2008-08-23 06:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\LightScribe
2008-08-23 05:30 --------- d-----w C:\Documents and Settings\The Free Man\Application Data\Nero
2008-08-23 05:27 --------- d-----w C:\Program Files\Common Files\Nero
2008-08-23 05:25 --------- d-----w C:\Program Files\Nero
2008-08-23 05:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-08-23 03:14 --------- d-----w C:\Program Files\MpcStar
2008-08-23 03:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 01:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-20 21:55 --------- d-s---w C:\Program Files\Xfire
2008-08-19 22:28 --------- d-----w C:\Program Files\Vuze
2008-08-19 22:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-08-19 22:26 3,532 ----a-w C:\drmHeader.bin
2008-08-13 07:05 --------- d-----w C:\Documents and Settings\The Free Man\Application Data\TigerPlayer
2008-08-13 07:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-11 18:06 --------- d-----w C:\Program Files\Common Files\MAGIX Shared
2008-08-11 18:05 --------- d-----w C:\Program Files\MAGIX
2008-08-11 18:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\MAGIX
2008-08-09 21:42 --------- d-----w C:\Program Files\Common Files\Corel
2008-08-08 06:06 --------- d-----w C:\Documents and Settings\The Free Man\Application Data\DivX
2008-08-07 06:08 --------- d-----w C:\Program Files\ReaJpeg
2008-08-07 05:49 --------- d-----w C:\Program Files\DivX
2008-08-06 21:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-06 21:52 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-08-06 21:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-08-06 15:14 --------- d-----w C:\Program Files\Absolute MP3 Splitter
2008-08-06 15:01 --------- d-----w C:\Documents and Settings\The Free Man\Application Data\.wyzo
2008-08-06 01:52 --------- d-----w C:\Documents and Settings\The Free Man\Application Data\Viewpoint
2008-08-05 20:54 --------- d-----w C:\Program Files\Apple Software Update
2008-08-05 19:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-08-05 19:12 --------- d-----w C:\Program Files\Viewpoint
2008-08-05 19:12 --------- d-----w C:\Program Files\AIM6
2008-08-05 19:12 --------- d-----w C:\Documents and Settings\The Free Man\Application Data\acccore
2008-08-05 19:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-05 19:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\acccore
2008-08-05 19:11 --------- d-----w C:\Program Files\Common Files\AOL
2008-08-05 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-08-05 18:53 --------- d-----w C:\Program Files\ANI
2008-08-05 18:52 --------- d-----w C:\Program Files\D-Link
2008-07-08 18:15 47,360 ----a-w C:\Documents and Settings\The Free Man\Application Data\pcouffin.sys
2008-05-14 19:57 1,206,366 ----a-w C:\Program Files\WinRAR 3.70 final.exe
2008-04-29 01:55 22,328 ----a-w C:\Documents and Settings\The Free Man\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="C:\WINDOWS\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="C:\WINDOWS\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="C:\WINDOWS\READREG" [X]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 59392]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"D-Link RangeBooster G WUA-2340"="C:\Program Files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe" [2006-09-01 1880064]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"LoadCustomizer"="C:\Documents and Settings\All Users\Application Data\Geek Squad\Customizer\LoadCustomizer.exe" [2008-09-29 25088]
"CTHelper"="CTHELPER.EXE" [2005-11-08 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 C:\WINDOWS\system32\CTXFIHLP.EXE]
"ATIModeChange"="Ati2mdxx.exe" [2008-03-28 C:\WINDOWS\system32\Ati2mdxx.exe]
"AsioReg"="CTASIO.DLL" [2005-11-08 C:\WINDOWS\system32\CTASIO.DLL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-10 44544]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-11-08 C:\WINDOWS\MIDIDEF.EXE]

C:\Documents and Settings\The Free Man\Start Menu\Programs\Startup\MRI_DISABLED
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2006-08-29 2240080]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-07-25 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.tscc"= C:\PROGRA~1\MpcStar\Codecs\tscc\tsccvid.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnHackMe Monitor

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 20:12 111936 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
--a------ 2007-10-04 18:38 307200 C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
--a------ 2008-03-13 16:48 1443072 C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-08 23:02 289576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
--a------ 2006-10-04 15:41 86016 C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\Trayserver.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\kav\\kav7\\setup.exe"=
"C:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"C:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\THQ\\DarkCrusade\\DarkCrusade.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\My Music\\frostwire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Vuze\\Azureus.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9224:TCP"= 9224:TCP:BitComet 9224 TCP
"9224:UDP"= 9224:UDP:BitComet 9224 UDP

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 32784]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys [2006-05-08 347648]
R3 athena;athena;C:\WINDOWS\system32\DRIVERS\athena.sys [2006-02-24 107392]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-02-15 1096192]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2004-08-10 3584]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 1527900]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\The Free Man\Application Data\Mozilla\Firefox\Profiles\y1tjyp83.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\MpcStar\Codecs\Real\browser\plugins\nppl3260.dll
FF -: plugin - C:\Program Files\MpcStar\Codecs\Real\browser\plugins\nprpjplug.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-29 15:17:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme]
"ImagePath"="\??\C:\DOCUME~1\THEFRE~1\LOCALS~1\Temp\catchme.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme]
"ImagePath"="\??\C:\DOCUME~1\THEFRE~1\LOCALS~1\Temp\catchme.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-29 15:19:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-29 19:19:39
ComboFix2.txt 2008-09-23 03:07:10

Pre-Run: 111,138,979,840 bytes free
Post-Run: 111,112,929,280 bytes free


0

Can I ask you, have you been file sharing while this process is going on?

I notice you have not replied. The reason I asked this question is that I see no fewer than 5 p2p programs on this system: Azureus, BitComet, LimeWire, Vuze, FrostWire. Azureus WAS running when the Combofix was run AS was ESET NOD32. The instructions clearly state

Close or disable all running Antivirus, Antispyware, and Firewall

Nero was also running, as was AOL.
I had to spend much of the day yesterday away from the computer. Last night and this morning I spent much of the time going through the combofix log. You stated in your opening post, and I can see by the log, that you have run multiple programs on the computer in an attempt to fix the problem: IObit, Trend Micro, OTMoveIt, SDFix, ERUNT, DoctorWeb, UnHackMe, Daisy, ESET NOD32, PLUS, as requested by me, MBA-M and Combofix. Several of these I am not familiar with and several others I would not have recommended without seeing the Combofix log and HiJackThis log first. OTMoveIT is no longer in use and was replaced in January by OTMoveIT2. OTMoveIT is a tool to be used for SPECIFIC files, not just a general remover. You must list specific files to be removed, and if the wrong ones are removed then severe damage can be done to a computer. Sometimes the removal must be done in Safe Mode when prompted by the program. UnHackMe is used to find and remove invisible trojans or rootkits. It is not a free program, though it does have a free trial period before purchase is required. I do not know if you used a legitimate paid-for version, the trial version, or downloaded a "shared" version via p2p.
I do believe, with the amount of p2p you are obviously doing, that this is where the original infection entered the computer; that, and also the fact that your Java program is out of date, along with all of those vulnerabilities noted in the Trend Micro scan, meant that eventual infection on this computer was pretty much a "given".
After consulting with another member of this forum and also having him go through the combofix log, I really am sorry to say that he and I are in agreement that, with the multitude of totally unknown and new entries showing in your combofix log and the multitude of items already removed by combofix, along with the large number of programs already run before you posted, I think there is serious damage to the operating system files on the computer. I would have to recommend at this time a full reformat of the computer. I do NOT give this recommendation lightly or often; in fact anyone who knows me well on the various forums where I offer help will tell you this is something I almost never say.
I am very sorry about this, but this is the answer I have to give. You must give serious thought to the outright dangers of p2p file sharing, because I am firmly convinced, unless it is proven otherwise, that the problems here all began with one shared file and continued downhill from there to where you are today. I am truly sorry I couldn't be of any more help, but I feel you would be better to "cut your losses" and reformat and reinstall...leaving out ALL of those p2p file sharing programs.
Judy
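As an added example, not part of the thread or of ComboFix itself: a small Python audit that pulls the Windows Firewall exception list, the globally open ports and the running-process list out of a ComboFix-style log and flags the file-sharing clients and the security software that the ComboFix instructions say should have been shut down before the scan. The p2p and security executable lists are my own, and the sample log is an excerpt of the one posted above.

```python
import re

# Executable names of peer-to-peer clients to flag. List constructed for this
# example from the programs named in the thread, not a ComboFix definition.
P2P_EXECUTABLES = {
    "azureus.exe": "Azureus/Vuze",
    "limewire.exe": "LimeWire",
    "frostwire.exe": "FrostWire",
    "btdna.exe": "BitTorrent DNA",
    "bitcomet.exe": "BitComet",
}
# Keywords that mark a firewall port rule as belonging to a p2p client.
P2P_KEYWORDS = ("bitcomet", "azureus", "vuze", "limewire", "frostwire")
# Security software that ComboFix asks the user to disable before running.
SECURITY_EXECUTABLES = {"ekrn.exe": "ESET NOD32 kernel", "egui.exe": "ESET NOD32 GUI"}

# Excerpt of the ComboFix log posted in the thread, trimmed for the example.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\My Music\\frostwire\\LimeWire.exe"=
"C:\\Program Files\\Vuze\\Azureus.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9224:TCP"= 9224:TCP:BitComet 9224 TCP
"9224:UDP"= 9224:UDP:BitComet 9224 UDP

.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\ComboFix\pv.cfexe
.
"""


def block_after(log, header_pattern):
    """Lines following the first line matching header_pattern, up to the next
    blank line or lone '.' separator (ComboFix prints a '.' under some headers)."""
    out, capture = [], False
    for line in log.splitlines():
        if not capture:
            capture = re.search(header_pattern, line) is not None
            continue
        if line.strip() in ("", "."):
            if out:          # first separator after real content ends the block
                break
            continue         # skip the leading '.' directly under the header
        out.append(line.strip())
    return out


def firewall_exceptions(log):
    """Paths in the firewall AuthorizedApplications list, with the registry
    double-backslash escaping undone."""
    paths = []
    for line in block_after(log, r"AuthorizedApplications\\List\]"):
        m = re.match(r'"(.+)"=', line)
        if m:
            paths.append(m.group(1).replace("\\\\", "\\"))
    return paths


def open_ports(log):
    """(port, protocol, rule name) for every GloballyOpenPorts entry."""
    ports = []
    for line in block_after(log, r"GloballyOpenPorts\\List\]"):
        m = re.match(r'"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)', line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return ports


def running_processes(log):
    return block_after(log, r"Other Running Processes")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def audit(log):
    """Cross-check the log against the p2p and security lists; returns findings."""
    f = {"p2p_firewall_exceptions": [], "p2p_open_ports": [],
         "security_running": [], "p2p_running": []}
    for path in firewall_exceptions(log):
        if basename(path) in P2P_EXECUTABLES:
            f["p2p_firewall_exceptions"].append((P2P_EXECUTABLES[basename(path)], path))
    for port, proto, label in open_ports(log):
        if any(k in label.lower() for k in P2P_KEYWORDS):
            f["p2p_open_ports"].append((port, proto, label))
    for proc in running_processes(log):
        name = basename(proc)
        if name in SECURITY_EXECUTABLES:
            f["security_running"].append((SECURITY_EXECUTABLES[name], proc))
        if name in P2P_EXECUTABLES:
            f["p2p_running"].append((P2P_EXECUTABLES[name], proc))
    return f


if __name__ == "__main__":
    for key, hits in audit(SAMPLE_LOG).items():
        print(f"{key}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
```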

0

Thanks for the help, I ended up downloading another copy of XP and reformatting the hard drive. I learned my lesson though, all my downloading and file testing is done on Ubuntu before they go over to Windows. I don't want to go through all that again.

0

Thanks for the help, I ended up downloading another copy of XP and reformatting the hard drive.

As I understand it, the only copies of XP that can be downloaded are Pirate versions. Naughty.

I learned my lesson though,

Obviously not.

0

Totally agree Crunchie. Didn't reply here as I figured that obviously this was a lost cause. Obviously people never learn.
Judy
