
Hi, I am having a problem with my PC that always displays a message like this: "Exception Processing Message c00000a3 Parameters 75b6cb7c87cbn..." Below is my HJT logfile.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:43:38 PM, on 4/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\driver32\mirc.exe
C:\WINDOWS\system32\vghhost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\vghhost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\user\Application Data\Microsoft\lsass.exe
C:\Documents and Settings\user\Application Data\Microsoft\lsass.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\user\My Documents\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [fun] C:\WINDOWS\system32\fun.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [UpdateShield] %windir%\System32\r2c\mIRC.exe
O4 - HKLM\..\Run: [WinXPService] C:\WINDOWS\System32\driver32\mirc.exe
O4 - HKLM\..\Run: [Video Graphic] vghhost.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\RunServices: [Video Graphic] vghhost.exe
O4 - HKCU\..\Run: [crazy] C:\Documents and Settings\All Users\Application Data\pissu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [lsass.exe] C:\Documents and Settings\user\Application Data\Microsoft\lsass.exe
O4 - Global Startup: DriveGuard.lnk = C:\Program Files\WinDriveGuard\DriveGuard.exe
O4 - Global Startup: MSconfig.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7468 bytes

2 Contributors · 17 Replies · 18 Views · 8 Years Discussion Span · Last Post by jholland1964


You have a very infected computer. There are multiple worms and several trojans showing in your log.

Update your anti-virus program and run a full system scan with it, allowing it to fix/remove/quarantine anything found. Reboot the computer.

Do the following:
Download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* Double-click mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Reboot the computer.

Run a new HJT scan and save the log. Post back here with the MBA-M log and the new HJT log.
Judy


Hi there, I am using ESET NOD32 Antivirus and have also updated the virus signature database. Is it good enough to protect my computer, or do I have to get another anti-virus program? Thanks for your help.


Usually this is a pretty good program. For now, leave it and do the full scan with it. Follow all the other instructions and we will see what is removed.
Judy


Thank you so much for your help. After using MBA-M I don't see these pop-up messages on my PC any more. But I just want to know how to find these worms and trojans in the log file and how to fix them, that is, if you have links to where I can read and learn new stuff like that. By the way, I still have to post those log files.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:29:11 PM, on 4/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\driver32\mirc.exe
C:\WINDOWS\system32\vghhost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\vghhost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\My Documents\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [fun] C:\WINDOWS\system32\fun.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [UpdateShield] %windir%\System32\r2c\mIRC.exe
O4 - HKLM\..\Run: [WinXPService] C:\WINDOWS\System32\driver32\mirc.exe
O4 - HKLM\..\Run: [Video Graphic] vghhost.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\RunServices: [Video Graphic] vghhost.exe
O4 - HKCU\..\Run: [crazy] C:\Documents and Settings\All Users\Application Data\pissu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: DriveGuard.lnk = C:\Program Files\WinDriveGuard\DriveGuard.exe
O4 - Global Startup: MSconfig.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7238 bytes

Malwarebytes' Anti-Malware 1.36
Database version: 1997
Windows 5.1.2600 Service Pack 3

4/18/2009 7:22:29 PM
mbam-log-2009-04-18 (19-22-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 161152
Time elapsed: 57 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\user\My Documents\Semester 2\Software\so\SOFTWARE\SOFTWARE\My Software\SOFTWARE\Sony Setup\keygen2.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\My Documents\Semester 2\Software\so\SOFTWARE\SOFTWARE\My Software\SOFTWARE\Sony Setup\Sonic Foundry Universal Keygen- SSG.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\My Documents\Semester 2\Software\so\SOFTWARE\SOFTWARE\My Software\SOFTWARE\Sony Setup\SONY VEGAS ^.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Microsoft\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Well, thank you so much for your help, and if you have those links or info I'd love to read them.

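The worms and trojans Judy refers to are visible in the O4 (autostart) lines of the first log, and the question above, how to spot them in a HijackThis log, can be answered mechanically. The script below is an added example for this thread, not code from the thread or from HijackThis. It applies the checks an analyst makes by eye: a bare filename with no directory, a core Windows process name (lsass.exe, msconfig.exe) launched from somewhere other than system32, an executable started from a user profile or All Users\Application Data, an IRC client buried under System32, the Windows 9x RunServices key, and a raw .exe dropped into the Startup folder. The sample O4 lines are copied from the first log in this thread; the short allowlist of files expected in system32 and the set of borrowed system-process names are assumptions made for the example, not an authoritative list.

```python
import ntpath
import re

# O4 lines copied from the first HijackThis log in this thread (constructed sample).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [fun] C:\WINDOWS\system32\fun.exe
O4 - HKLM\..\Run: [UpdateShield] %windir%\System32\r2c\mIRC.exe
O4 - HKLM\..\Run: [WinXPService] C:\WINDOWS\System32\driver32\mirc.exe
O4 - HKLM\..\Run: [Video Graphic] vghhost.exe
O4 - HKLM\..\RunServices: [Video Graphic] vghhost.exe
O4 - HKCU\..\Run: [crazy] C:\Documents and Settings\All Users\Application Data\pissu.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [lsass.exe] C:\Documents and Settings\user\Application Data\Microsoft\lsass.exe
O4 - Global Startup: DriveGuard.lnk = C:\Program Files\WinDriveGuard\DriveGuard.exe
O4 - Global Startup: MSconfig.exe
"""

# HijackThis O4 entries look like:
#   O4 - HKLM\..\Run: [Name] C:\path\prog.exe /args
#   O4 - Global Startup: foo.lnk = C:\path\foo.exe
#   O4 - Global Startup: MSconfig.exe
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")

SYSTEM32 = r"c:\windows\system32"
# Where the genuine copies of core Windows binaries live on XP
# (msconfig.exe sits under \pchealth rather than system32).
LEGIT_SYSTEM_DIRS = (SYSTEM32, r"c:\windows\pchealth")

# Core Windows process names that malware borrows. Assumption: a short list for the example.
SYSTEM_NAMES = {"lsass.exe", "csrss.exe", "smss.exe", "svchost.exe", "winlogon.exe",
                "services.exe", "explorer.exe", "spoolsv.exe", "msconfig.exe"}

# Binaries expected directly in system32 on this particular XP box.
# Assumption for the example, not an exhaustive allowlist.
KNOWN_SYSTEM32 = {"ctfmon.exe", "igfxtray.exe", "hkcmd.exe", "igfxpers.exe", "igfxsrvc.exe"}

IRC_CLIENTS = {"mirc.exe"}


def executable_of(cmd):
    """Extract the executable path from a Run value or a Startup-folder entry."""
    cmd = cmd.strip()
    if " = " in cmd:                      # "foo.lnk = C:\path\foo.exe" -> right-hand side
        cmd = cmd.split(" = ", 1)[1]
    if cmd.startswith('"'):               # quoted path followed by arguments
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage_entry(line):
    """Describe one O4 line and the heuristics it trips; None if the line is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    loc, name, cmd = m.group("loc"), m.group("name") or "", m.group("cmd")
    exe = executable_of(cmd)
    head, base = ntpath.split(exe)
    base = base.lower()
    head = head.lower().replace("%windir%", r"c:\windows").replace("%systemroot%", r"c:\windows")
    reasons = []
    if not head:
        reasons.append("bare filename, no directory: Windows has to search for it, a classic worm drop")
    if base in SYSTEM_NAMES and not head.startswith(LEGIT_SYSTEM_DIRS):
        reasons.append("borrows a core Windows process name but does not run from the system directory")
    if "documents and settings" in head or "application data" in head or "\\temp" in head:
        reasons.append("runs from a user-writable profile directory")
    if base in IRC_CLIENTS and head.startswith(SYSTEM32):
        reasons.append("IRC client tucked under system32: typical IRC-bot persistence")
    if "runservices" in loc.lower():
        reasons.append("RunServices is a Windows 9x key; XP software does not use it")
    if loc.lower().startswith("global startup") and " = " not in cmd:
        reasons.append("raw executable in the Startup folder instead of a shortcut")
    if head == SYSTEM32 and base not in KNOWN_SYSTEM32 and base not in SYSTEM_NAMES:
        reasons.append("unrecognised binary directly in system32: verify publisher and hash")
    return {"loc": loc, "name": name, "exe": exe, "reasons": reasons}


def triage(log_text):
    """Return only the O4 entries that tripped at least one heuristic."""
    flagged = []
    for line in log_text.splitlines():
        entry = triage_entry(line)
        if entry and entry["reasons"]:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['loc']} [{e['name']}] {e['exe']}")
        for r in e["reasons"]:
            print("    -", r)
```

Run against the first log, this flags fun.exe, both mIRC copies, vghhost.exe (Run and RunServices), pissu.exe, the profile-resident lsass.exe and the MSconfig.exe Startup entry, and leaves the Intel, ESET, ctfmon and DriveGuard entries alone. The same check on the 4/20 log flags everything except the HKCU lsass.exe value that MBA-M removed, which is why the later reply says infections are still showing. A flag is a reason to verify the file (publisher, hash, where it came from), not proof of infection by itself.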

You do have multiple infections on there, most of them spread by removable storage devices, peer-to-peer file sharing and chat programs.
If you have a removable drive, I don't see that it was scanned by MBA-M; it must be. You show chat programs operating during the scans; these should all be turned off, and of course if you are doing P2P sharing, STOP.
I would like you to do the following:

Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

* Be sure the option to Remove found threats is checked at this time and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog should have been created at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
Reboot the computer.
Update MBA-M and do another Full System Scan with it, scanning ALL DRIVES including removable drives. Before doing the Full Scan you ARE given the option of choosing which drives to scan; if you have a removable drive, be sure it is also scanned.
When the scan is complete, be sure that everything is checked and click Remove Selected.
Save the log.
Reboot the computer.
Run a new HJT scan and save the log. Post back here with the three logs in this order: ESET Online Scan log, MBA-M log and finally the HJT log.


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4019 (20090418)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=d8569ad9c72e4b41810d6a9c919e2e0d
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-04-20 02:25:49
# local_time=2009-04-20 02:25:49 (+1200, Fiji Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=534310
# found=0
# scan_time=2818
# nod_component=V3 Build:0x30000000 ()

Malwarebytes' Anti-Malware 1.36
Database version: 1997
Windows 5.1.2600 Service Pack 3

4/20/2009 4:16:41 PM
mbam-log-2009-04-20 (16-16-41).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 161506
Time elapsed: 56 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:19:04 PM, on 4/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\driver32\mirc.exe
C:\WINDOWS\system32\vghhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\vghhost.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
G:\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\user\My Documents\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [fun] C:\WINDOWS\system32\fun.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [UpdateShield] %windir%\System32\r2c\mIRC.exe
O4 - HKLM\..\Run: [WinXPService] C:\WINDOWS\System32\driver32\mirc.exe
O4 - HKLM\..\Run: [Video Graphic] vghhost.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\RunServices: [Video Graphic] vghhost.exe
O4 - HKCU\..\Run: [crazy] C:\Documents and Settings\All Users\Application Data\pissu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: DriveGuard.lnk = C:\Program Files\WinDriveGuard\DriveGuard.exe
O4 - Global Startup: MSconfig.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7542 bytes


Sorry, infections still showing. Please do the following and please follow instructions EXACTLY. I will stress here these instructions are for THIS poster ONLY. This is NOT a tool to be run as a general matter of course. It is for specific circumstances only and should be run only when directed to do so and never without supervision.

Download ComboFix. You will get a prompt asking if you want to run or save the file. Choose SAVE and save it to the desktop. DO NOT RUN it YET.
You are almost ready to start ComboFix, but before you do so, you need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
Windows may issue a prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix is now preparing to run. When it has finished, you will see the Disclaimer screen; press the number 1 key and then press the Enter key to continue.
ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry.
Once the Windows Registry has finished being backed up, ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically.
You should now post this log here when all is complete.


Hi there,
below is the log after running ComboFix:

ComboFix 09-04-22.A0 - user 04/22/2009 21:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1468 [GMT 12:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated)
* Created a new restore point
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\msconfig.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\packet.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-21 09:50 . 2009-04-21 09:50 -------- d-sh--r C:\BIN
2009-04-18 04:32 . 2009-04-18 04:32 -------- d-----w c:\documents and settings\user\Application Data\Malwarebytes
2009-04-18 04:32 . 2009-04-06 03:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-18 04:32 . 2009-04-06 03:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-18 04:32 . 2009-04-18 04:32 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-17 22:36 . 2009-04-17 22:36 -------- d-----w c:\documents and settings\All Users\Application Data\SlySoft
2009-04-15 08:05 . 2009-04-15 08:05 -------- d-----w c:\documents and settings\user\Application Data\Digsby
2009-04-15 08:05 . 2009-04-15 08:06 -------- d-----w c:\documents and settings\user\Local Settings\Application Data\Digsby
2009-04-15 00:02 . 2009-04-15 00:02 -------- d-----w c:\documents and settings\LocalService\Application Data\Softland
2009-04-14 21:31 . 2009-04-14 21:32 -------- d-----w c:\documents and settings\user\Application Data\gtk-2.0
2009-04-14 19:45 . 2009-04-14 19:45 -------- d-----w c:\documents and settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-04-14 18:39 . 2009-04-14 18:41 356 ----a-w c:\windows\pdf2word.INI
2009-04-14 18:17 . 2008-07-09 01:02 21656 ----a-w c:\windows\system32\dopdfmn6.dll
2009-04-14 18:17 . 2008-07-09 01:02 18072 ----a-w c:\windows\system32\dopdfmi6.dll
2009-04-14 18:17 . 2008-03-27 03:42 7477 ----a-w c:\windows\system32\dopdf6.ctm
2009-04-14 01:02 . 2009-04-14 02:15 -------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2009-04-14 01:02 . 2009-04-14 01:02 -------- d-----w c:\documents and settings\user\Application Data\Uniblue
2009-04-14 00:22 . 2009-04-14 01:02 -------- dc-h--w c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-04-11 20:26 . 2008-03-05 03:56 3786760 ----a-w c:\windows\system32\D3DX9_37.dll
2009-04-11 20:25 . 2009-04-22 09:32 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-11 02:34 . 2009-04-11 02:35 95128 ----a-w c:\windows\system32\driver32\uiiui.exe
2009-04-11 01:46 . 2009-04-11 16:23 487840 ----a-w c:\windows\system32\driver32\guygunu.exe
2009-04-06 08:54 . 2009-04-06 08:54 -------- d-----w c:\documents and settings\user\Local Settings\Application Data\DFX
2009-04-06 08:53 . 2009-04-06 08:53 -------- d-----w c:\documents and settings\All Users\Application Data\DFX
2009-04-05 22:27 . 2009-04-05 22:27 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-04-04 21:27 . 2009-04-04 21:27 3932228 ----a-w C:\clipImage.bmp
2009-04-04 21:17 . 2009-04-04 21:17 -------- d-----w C:\MyCaptures
2009-04-03 21:17 . 2009-04-03 21:17 -------- d-sh--r C:\sys
2009-04-03 20:58 . 2009-04-03 20:58 -------- d-----w c:\documents and settings\user\Local Settings\Application Data\ESET
2009-04-03 20:54 . 2009-04-03 20:54 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-04-03 19:44 . 2009-04-03 19:44 -------- d-----w c:\windows\system32\scripting
2009-04-03 19:44 . 2009-04-03 19:44 -------- d-----w c:\windows\l2schemas
2009-04-03 19:44 . 2009-04-03 19:44 -------- d-----w c:\windows\system32\en
2009-04-03 19:44 . 2009-04-03 19:44 -------- d-----w c:\windows\system32\bits
2009-04-03 19:42 . 2009-04-03 19:45 -------- d-----w c:\windows\ServicePackFiles
2009-04-01 01:08 . 2008-10-16 02:06 27496 ----a-w c:\windows\system32\mucltui.dll.mui
2009-04-01 01:08 . 2008-10-16 02:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-01 01:08 . 2008-10-16 02:06 208744 ----a-w c:\windows\system32\muweb.dll
2009-03-30 08:54 . 2009-03-30 08:54 -------- d-----w c:\documents and settings\user\Application Data\Ulead Systems
2009-03-30 02:14 . 2004-08-03 10:29 73216 ------w c:\windows\system32\drivers\atintuxx.sys
2009-03-29 20:28 . 2009-03-29 20:28 -------- d-----w c:\windows\Sun
2009-03-27 06:26 . 2004-12-23 05:27 27392 ----a-w c:\windows\system32\drivers\ULCDRHlp.sys
2009-03-27 06:04 . 2006-12-08 00:02 251672 ----a-w c:\windows\system32\xactengine2_5.dll
2009-03-27 06:04 . 2006-11-29 01:06 3426072 ----a-w c:\windows\system32\d3dx9_32.dll
2009-03-27 06:04 . 2006-11-14 23:38 15128 ----a-w c:\windows\system32\x3daudio1_1.dll
2009-03-27 06:04 . 2006-09-28 04:05 237848 ----a-w c:\windows\system32\xactengine2_4.dll
2009-03-27 06:00 . 2009-03-30 23:32 -------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2009-03-27 06:00 . 2007-02-26 08:20 49152 ----a-w c:\windows\system32\TempDel.EXE
2009-03-27 06:00 . 2009-03-27 06:26 -------- d-----w C:\WFDB
2009-03-27 06:00 . 2005-01-06 04:55 9446 ----a-w c:\windows\system32\drivers\WFIOCTL.sys
2009-03-27 06:00 . 2009-04-17 18:31 -------- d-----w C:\WinFast WorkArea
2009-03-27 05:56 . 2008-04-13 18:39 5504 ----a-w c:\windows\system32\drivers\mstee.sys
2009-03-27 05:56 . 2008-04-13 18:46 10880 ----a-w c:\windows\system32\drivers\ndisip.sys
2009-03-27 05:56 . 2008-04-14 00:12 16384 ----a-w c:\windows\system32\ipsink.ax
2009-03-27 05:56 . 2008-04-13 18:46 15232 ----a-w c:\windows\system32\drivers\streamip.sys
2009-03-27 05:56 . 2008-04-13 18:46 11136 ----a-w c:\windows\system32\drivers\slip.sys
2009-03-27 05:56 . 2008-04-13 18:46 19200 ----a-w c:\windows\system32\drivers\wstcodec.sys
2009-03-27 05:56 . 2008-04-13 18:46 85248 ----a-w c:\windows\system32\drivers\nabtsfec.sys
2009-03-27 05:56 . 2008-04-13 18:46 17024 ----a-w c:\windows\system32\drivers\ccdecode.sys
2009-03-27 05:55 . 2008-04-14 00:12 91136 ----a-w c:\windows\system32\kswdmcap.ax
2009-03-27 05:55 . 2008-04-14 00:12 61952 ----a-w c:\windows\system32\kstvtune.ax
2009-03-27 05:55 . 2008-04-14 00:12 28672 ----a-w c:\windows\system32\vidcap.ax
2009-03-27 05:55 . 2008-04-14 00:12 53760 ----a-w c:\windows\system32\vfwwdm32.dll
2009-03-27 05:55 . 2008-04-14 00:12 43008 ----a-w c:\windows\system32\ksxbar.ax
2009-03-27 05:55 . 2006-04-20 03:20 19456 ----a-w c:\windows\system32\drivers\wf2ktunr.sys
2009-03-27 05:55 . 2006-04-20 02:50 59776 ----a-w c:\windows\system32\drivers\wf2kvcap.sys
2009-03-27 05:55 . 2006-04-20 02:49 9600 ----a-w c:\windows\system32\drivers\wf2kXbar.sys
2009-03-27 05:55 . 2009-03-27 05:55 -------- d-----w c:\windows\system32\DX9
2009-03-27 05:55 . 2002-06-03 10:52 2238 ----a-w c:\windows\system32\WFDRV.ico
2009-03-27 05:54 . 2009-03-27 05:55 -------- d-----w c:\windows\system32\WinFast
2009-03-25 06:44 . 2009-03-25 06:44 -------- d-----w c:\documents and settings\user\Local Settings\Application Data\Microsoft Help
2009-03-25 06:44 . 2009-04-10 07:18 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-24 22:49 . 2009-03-24 22:50 -------- d-----w c:\documents and settings\user\.dia
2009-03-24 03:59 . 2008-12-20 23:15 52224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-24 03:59 . 2008-12-20 23:15 459264 -c----w c:\windows\system32\dllcache\msfeeds.dll
2009-03-24 03:59 . 2008-12-20 23:15 267776 -c----w c:\windows\system32\dllcache\iertutil.dll
2009-03-24 03:59 . 2008-12-20 23:15 383488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
2009-03-24 03:59 . 2008-12-20 23:15 63488 -c----w c:\windows\system32\dllcache\icardie.dll
2009-03-24 03:59 . 2008-12-19 09:10 13824 -c----w c:\windows\system32\dllcache\ieudinit.exe
2009-03-24 03:59 . 2007-04-17 09:32 2455488 -c----w c:\windows\system32\dllcache\ieapfltr.dat
2009-03-24 03:59 . 2007-03-08 05:10 991232 -c----w c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-24 03:59 . 2008-12-20 23:15 6066688 -c----w c:\windows\system32\dllcache\ieframe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 21:30 . 2009-03-11 00:22 -------- d-----w c:\documents and settings\user\Application Data\uTorrent
2009-04-20 03:10 . 2009-03-04 19:34 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-20 02:26 . 2009-04-20 00:51 -------- d-----w c:\program files\EsetOnlineScanner
2009-04-19 08:00 . 2009-04-19 08:00 -------- d-----w c:\program files\Microsoft Games
2009-04-18 04:32 . 2009-04-18 04:32 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 02:23 . 2009-03-04 00:25 -------- d-----w c:\program files\Google
2009-04-17 22:27 . 2009-04-17 22:27 -------- d-----w c:\program files\SlySoft
2009-04-14 18:17 . 2009-04-14 18:17 -------- d-----w c:\program files\Softland
2009-04-14 06:23 . 2009-04-14 06:23 334 ----a-w C:\doPDFInstall.log
2009-04-14 01:02 . 2009-04-14 01:02 -------- d-----w c:\program files\Uniblue
2009-04-12 21:09 . 2009-04-12 21:09 -------- d-----w c:\program files\ESET
2009-04-12 10:25 . 2009-02-18 21:48 68840 ----a-w c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-10 21:20 . 2009-04-10 21:20 -------- d-----w c:\program files\CleanUp!
2009-04-06 08:53 . 2009-04-06 08:53 -------- d-----w c:\program files\DFX
2009-04-06 08:53 . 2009-04-06 08:53 -------- d-----w c:\program files\Common Files\DFX
2009-04-04 21:17 . 2009-04-04 21:17 -------- d-----w c:\program files\Quick Screen Capture
2009-04-03 19:47 . 2009-02-18 21:05 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-03 19:40 . 2004-08-04 12:00 250048 --sha-r C:\ntldr
2009-03-30 23:32 . 2009-02-18 21:41 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-30 23:32 . 2009-03-27 06:00 -------- d-----w c:\program files\Common Files\Ulead Systems
2009-03-30 08:52 . 2009-02-18 21:40 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-27 06:00 . 2009-03-27 06:00 -------- d-----w c:\program files\WinFast
2009-03-25 06:45 . 2009-02-18 21:56 -------- d-----w c:\program files\Microsoft Works
2009-03-24 22:49 . 2009-03-24 22:49 -------- d-----w c:\program files\Dia
2009-03-24 08:20 . 2009-03-23 09:40 -------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 3
2009-03-23 02:09 . 2009-03-23 02:09 -------- d-----w c:\program files\Opera
2009-03-22 23:46 . 2009-03-23 10:18 1077 ----a-w C:\sales.txt
2009-03-20 20:37 . 2009-03-05 19:43 -------- d-----w c:\program files\GRETECH
2009-03-19 05:51 . 2009-03-19 05:51 32 ----a-w C:\ALCSetup.log
2009-03-19 05:50 . 2009-03-19 05:50 -------- d-----w c:\program files\Realtek AC97
2009-03-18 23:45 . 2009-03-18 23:45 93848 ----a-w c:\windows\system32\drivers\epfwtdir.sys
2009-03-18 23:44 . 2009-03-18 23:44 107256 ----a-w c:\windows\system32\drivers\ehdrv.sys
2009-03-18 23:41 . 2009-03-18 23:41 113960 ----a-w c:\windows\system32\drivers\eamon.sys
2009-03-18 19:55 . 2009-03-18 19:55 -------- d-----w c:\program files\Motorola Phone Tools
2009-03-18 19:55 . 2009-03-18 19:55 -------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software
2009-03-18 19:54 . 2009-03-18 19:54 -------- d-----w c:\documents and settings\user\Application Data\InstallShield
2009-03-18 03:33 . 2009-03-14 23:57 -------- d-----w c:\documents and settings\user\Application Data\CyberLink
2009-03-18 03:33 . 2009-03-14 23:57 -------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-03-18 00:53 . 2009-03-18 00:53 -------- d-----w c:\program files\MSXML 4.0
2009-03-11 00:56 . 2009-03-11 00:50 -------- d-----w c:\documents and settings\user\Application Data\LimeWire
2009-03-11 00:22 . 2009-03-11 00:22 -------- d-----w c:\program files\uTorrent
2009-03-09 20:01 . 2009-03-03 22:05 -------- d-s---r c:\program files\WinDriveGuard
2009-03-09 18:31 . 2009-03-09 18:31 -------- d-----w c:\program files\Common Files\Cisco Systems
2009-03-04 19:39 . 2009-03-04 19:39 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-04 19:38 . 2009-03-04 19:38 -------- d-----w c:\program files\Common Files\Adobe
2009-03-04 19:37 . 2009-03-04 19:37 -------- d-----w c:\program files\Java
2009-03-04 19:37 . 2009-03-04 19:37 -------- d-----w c:\program files\Common Files\Java
2009-03-04 06:29 . 2009-03-04 06:29 -------- d-----w c:\program files\Rockstar Games
2009-03-04 00:34 . 2009-03-04 00:34 -------- d-----w c:\program files\iTunes
2009-03-04 00:34 . 2009-03-04 00:34 -------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-03-04 00:34 . 2009-03-04 00:34 -------- d-----w c:\program files\iPod
2009-03-04 00:34 . 2009-03-03 12:22 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-04 00:34 . 2009-03-04 00:34 -------- d-----w c:\program files\Bonjour
2009-03-04 00:33 . 2009-03-04 00:33 -------- d-----w c:\program files\QuickTime
2009-03-04 00:33 . 2009-03-03 12:22 -------- d-----w c:\program files\Common Files\Apple
2009-03-04 00:33 . 2009-03-04 00:33 -------- d-----w c:\program files\Apple Software Update
2009-03-03 19:12 . 2009-03-03 19:12 -------- d-----w c:\documents and settings\user\Application Data\Media Player Classic
2009-03-03 12:23 . 2009-03-03 12:23 -------- d-----w c:\documents and settings\user\Application Data\Apple Computer
2009-03-03 12:22 . 2009-03-03 12:22 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-03-03 12:21 . 2009-03-03 12:20 -------- d-----w c:\program files\K-Lite Codec Pack
2009-02-18 21:03 . 2009-02-18 21:03 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-02-17 13:33 . 2009-02-17 13:33 89256 ----a-w c:\windows\system32\ElbyCDIO.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2008-04-14 00:12 . 2004-08-04 12:00 1130496 --sh--r c:\windows\system32\vghhost.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-21 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-21 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-21 137752]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-04-10 29757440]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2008-02-18 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2008-02-18 1057064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-24 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"WinFast Schedule"="c:\program files\WinFast\WFTVFM\WFWIZ.exe" [2007-11-22 2846720]
"WinXPService"="c:\windows\System32\driver32\mirc.exe" [2009-04-06 2109440]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-03-18 2029640]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"Video Graphic"="vghhost.exe" - c:\windows\system32\vghhost.exe [2008-04-14 1130496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Video Graphic"="vghhost.exe" - c:\windows\system32\vghhost.exe [2008-04-14 1130496]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VIA\\VIAudioi\\HDADeck\\HDeck.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Motocross Madness 2\\MCM2.EXE"=

R2 NeroRegInCDSrv;Nero Registry InCD Service; [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-03-18 107256]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2009-03-18 93848]
S2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2006-04-20 59776]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-03-18 731840]
S2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [2006-04-20 19456]
S2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kxbar.sys [2006-04-20 9600]
S3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1e51x86.sys [2008-03-11 36864]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-02-14 222976]
S3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.SYS [2005-01-06 9446]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{018b0268-0ce5-11de-97bd-00221576db1d}]
\Shell\AutoRun\command - System\DriveGuard\DriveProtect.exe -run 
\Shell\Explore\Command - System\DriveGuard\DriveProtect.exe -run  
\Shell\Open\Command - System\DriveGuard\DriveProtect.exe -run 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{167d5d9f-0794-11de-979c-00221576db1d}]
\Shell\AutoRun\command - g:\bin\RECYCLE\Bin.exe
\Shell\open\command - g:\bin\RECYCLE\Bin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-00WE-AAX5-74CC2A323342}]
c:\bin\RECYCLE\Bin.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 00:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-crazy - c:\documents and settings\All Users\Application Data\pissu.exe
HKLM-Run-fun - c:\windows\system32\fun.exe
HKLM-Run-UpdateShield - c:\windows\System32\r2c\mIRC.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\pwhrqvhl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-22 21:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1244)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2009-04-22 21:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-22 09:35

Pre-Run: 71,019,307,008 bytes free
Post-Run: 71,095,296,000 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

301 --- E O F --- 2009-04-10 07:18
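As an added example (not code from the thread, ComboFix, HijackThis or Malwarebytes), the following Python script mechanises the triage the helper did by eye on the logs above: it parses the HijackThis O4 lines, the ComboFix registry, orphan and file-listing lines, and flags a startup binary in an unexpected place, an executable carrying hidden+system attributes, or a core Windows binary name living outside system32. The sample lines, the system32 subdirectory allow-list and the core-binary list are constructed assumptions, not an authoritative reference.

```python
"""Mechanised triage of ComboFix / HijackThis log lines (added example).

Not code from ComboFix, HijackThis or Malwarebytes. Allow-lists and
sample lines are constructed assumptions for this thread.
"""
import re
from typing import Dict, List, Optional

# Assumption: system32 subdirectories that normally hold code on XP.
KNOWN_SYSTEM32_SUBDIRS = {"drivers", "dllcache", "wbem", "spool", "restore",
                          "config", "inetsrv", "oobe", "usmt", "mui", "ras"}
# Assumption: names that legitimately run only from %SystemRoot%\system32.
CORE_SYSTEM_BINARIES = {"lsass.exe", "svchost.exe", "csrss.exe", "smss.exe",
                        "winlogon.exe", "services.exe", "spoolsv.exe"}
CODE_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")

# Drive-rooted path, cut at the first code-file extension so that trailing
# arguments such as '/autostart' or ' 1' are not swallowed into the path.
PATH_RE = re.compile(
    r'([A-Za-z]:\\.+?\.(?:exe|dll|sys|scr|com|pif))(?=["\s]|$)', re.IGNORECASE)
# HijackThis:  O4 - HKLM\..\Run: [Name] C:\path\bin.exe args
HJT_O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
# ComboFix registry section:  "Name"="bin.exe" - c:\path\bin.exe [date size]
CF_REG_RE = re.compile(r'^"([^"]+)"="([^"]*)"(.*)$')
# ComboFix orphans:  HKLM-Run-Name - c:\path\bin.exe
CF_ORPHAN_RE = re.compile(r"^(HKLM|HKCU)-Run-(\S+) - (.+)$")
# ComboFix file listing:  date time . date time size attrs path
CF_FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d "
    r"(?:\d+|-+) ([\w-]{7}) (.+)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Normalise one log line to {source, name, path, attrs}; None if unknown."""
    line = line.strip()
    if m := HJT_O4_RE.match(line):
        p = PATH_RE.search(m.group(3))
        return {"source": "hjt", "name": m.group(2), "path": p.group(1), "attrs": ""} if p else None
    if m := CF_ORPHAN_RE.match(line):
        return {"source": "orphan", "name": m.group(2), "path": m.group(3).strip(), "attrs": ""}
    if m := CF_REG_RE.match(line):
        # Prefer the resolved path ComboFix prints after ' - ' when present.
        p = PATH_RE.search(m.group(3)) or PATH_RE.search(m.group(2))
        return {"source": "reg", "name": m.group(1), "path": p.group(1), "attrs": ""} if p else None
    if m := CF_FILE_RE.match(line):
        return {"source": "file", "name": "", "path": m.group(2).strip(), "attrs": m.group(1)}
    return None


def suspicion_reasons(entry: Dict[str, str]) -> List[str]:
    """Defender heuristics for one parsed entry; an empty list means nothing odd."""
    p = entry["path"].lower()
    base = p.rsplit("\\", 1)[-1]
    is_code = base.endswith(CODE_SUFFIXES)
    reasons: List[str] = []
    if m := re.search(r"\\windows\\system32\\([^\\]+)\\", p):
        if m.group(1) not in KNOWN_SYSTEM32_SUBDIRS:
            reasons.append(f"code under unexpected system32 subdirectory '{m.group(1)}'")
    if is_code and "\\application data\\" in p:
        reasons.append("executable located in a profile Application Data folder")
    if base in CORE_SYSTEM_BINARIES and not re.fullmatch(
            r"[a-z]:\\windows\\system32\\" + re.escape(base), p):
        reasons.append(f"core Windows binary name '{base}' outside system32")
    attrs = entry["attrs"]  # ComboFix flags, e.g. '--sh--r' = system + hidden
    if is_code and "s" in attrs and "h" in attrs:
        reasons.append(f"executable with hidden+system attributes ({attrs})")
    return reasons


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the entries that trip at least one heuristic, in log order."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_line(line)
        if entry and (reasons := suspicion_reasons(entry)):
            findings.append({**entry, "reasons": reasons})
    return findings


# Constructed sample lines in the formats used by the logs in this thread.
SAMPLE_LOG = [
    r'"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]',
    r'"WinXPService"="c:\windows\System32\driver32\mirc.exe" [2009-04-06 2109440]',
    r'"Video Graphic"="vghhost.exe" - c:\windows\system32\vghhost.exe [2008-04-14 1130496]',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [WinXPService] C:\WINDOWS\System32\driver32\mirc.exe',
    r'HKCU-Run-crazy - c:\documents and settings\All Users\Application Data\pissu.exe',
    r'2009-04-18 04:32 . 2009-04-06 03:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys',
    r'2008-04-14 00:12 . 2004-08-04 12:00 1130496 --sh--r c:\windows\system32\vghhost.exe',
    r'2009-04-03 19:40 . 2004-08-04 12:00 250048 --sha-r C:\ntldr',
    r'O4 - HKCU\..\Run: [lsass] C:\Documents and Settings\user\Application Data\Microsoft\lsass.exe',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f["source"]:7} {f["path"]}  ->  {"; ".join(f["reasons"])}')
```

Running it against the constructed sample flags the driver32 mIRC entries, the Application Data executables and the hidden+system vghhost.exe while leaving ctfmon.exe, mbam.sys and ntldr alone; the heuristics are a starting point for a reviewer, not a verdict.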


Update and run MBA-M again, a Full System scan. Let it fix or remove all items found. Reboot the system.
Run a new HJT scan and save the log.
Post back here with both new logs.


Malwarebytes' Anti-Malware 1.36
Database version: 2029
Windows 5.1.2600 Service Pack 3

4/23/2009 8:25:22 PM
mbam-log-2009-04-23 (20-25-22).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 146720
Time elapsed: 50 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\video graphic (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\video graphic (Worm.Sdbot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\vghhost.exe (Worm.Sdbot) -> Delete on reboot.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:13 PM, on 4/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\driver32\mirc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\user\My Documents\Downloads\Software_downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [WinXPService] C:\WINDOWS\System32\driver32\mirc.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: DriveGuard.lnk = C:\Program Files\WinDriveGuard\DriveGuard.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6766 bytes


The instructions below are for this individual poster ONLY. It should NOT be used by anyone else. This is to be used on THIS ONE computer and NO OTHER.

· Make sure that combofix.exe that you downloaded is on your Desktop but Do not run it!
o If it is not on your Desktop, the below will not work.
Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):

KillAll::

File::

C:\Program Files\WinDriveGuard\DriveGuard.exe
c:\windows\system32\driver32\uiiui.exe
c:\windows\system32\driver32\guygunu.exe
c:\windows\System32\driver32\mirc.exe


Registry::

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]mirc.exe

· Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe.
· At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
· You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
· Now use your mouse to drag CFscript.txt on top of ComboFix.exe
· Follow the prompts.

Post back here with the new combofix log and the new HJT log with all start ups enabled.


ComboFix 09-04-25.A3 - user 04/26/2009 23:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1386 [GMT 12:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFscript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\program files\WinDriveGuard\DriveGuard.exe
c:\windows\system32\driver32\guygunu.exe
c:\windows\System32\driver32\mirc.exe
c:\windows\system32\driver32\uiiui.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\driver32\guygunu.exe
c:\windows\System32\driver32\mirc.exe
c:\windows\system32\driver32\uiiui.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\packet.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-25 09:50 . 2009-04-25 09:50 -------- d--h--w c:\windows\PIF
2009-04-21 09:50 . 2009-04-21 09:50 -------- d-sh--r C:\BIN
2009-04-20 00:51 . 2009-04-20 02:26 -------- d-----w c:\program files\EsetOnlineScanner
2009-04-19 08:00 . 2009-04-19 08:00 -------- d-----w c:\program files\Microsoft Games
2009-04-18 04:32 . 2009-04-18 04:32 -------- d-----w c:\documents and settings\user\Application Data\Malwarebytes
2009-04-18 04:32 . 2009-04-06 03:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-18 04:32 . 2009-04-06 03:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-18 04:32 . 2009-04-18 04:32 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-18 04:32 . 2009-04-23 03:25 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-17 22:36 . 2009-04-17 22:36 -------- d-----w c:\documents and settings\All Users\Application Data\SlySoft
2009-04-17 22:27 . 2009-04-17 22:27 -------- d-----w c:\program files\SlySoft
2009-04-15 08:05 . 2009-04-15 08:05 -------- d-----w c:\documents and settings\user\Application Data\Digsby
2009-04-15 08:05 . 2009-04-15 08:06 -------- d-----w c:\documents and settings\user\Local Settings\Application Data\Digsby
2009-04-15 00:02 . 2009-04-15 00:02 -------- d-----w c:\documents and settings\LocalService\Application Data\Softland
2009-04-14 21:31 . 2009-04-14 21:32 -------- d-----w c:\documents and settings\user\Application Data\gtk-2.0
2009-04-14 19:45 . 2009-04-14 19:45 -------- d-----w c:\documents and settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-04-14 18:39 . 2009-04-14 18:41 356 ----a-w c:\windows\pdf2word.INI
2009-04-14 18:17 . 2008-07-09 01:02 21656 ----a-w c:\windows\system32\dopdfmn6.dll
2009-04-14 18:17 . 2008-07-09 01:02 18072 ----a-w c:\windows\system32\dopdfmi6.dll
2009-04-14 18:17 . 2008-03-27 03:42 7477 ----a-w c:\windows\system32\dopdf6.ctm
2009-04-14 18:17 . 2009-04-14 18:17 -------- d-----w c:\program files\Softland
2009-04-14 01:02 . 2009-04-14 02:15 -------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2009-04-14 01:02 . 2009-04-14 01:02 -------- d-----w c:\program files\Uniblue
2009-04-14 01:02 . 2009-04-14 01:02 -------- d-----w c:\documents and settings\user\Application Data\Uniblue
2009-04-14 00:22 . 2009-04-14 01:02 -------- dc-h--w c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-04-12 21:09 . 2009-04-12 21:09 -------- d-----w c:\program files\ESET
2009-04-11 20:26 . 2008-03-05 03:56 3786760 ----a-w c:\windows\system32\D3DX9_37.dll
2009-04-11 20:25 . 2009-04-23 02:57 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-10 21:20 . 2009-04-10 21:20 -------- d-----w c:\program files\CleanUp!
2009-04-06 08:54 . 2009-04-06 08:54 -------- d-----w c:\documents and settings\user\Local Settings\Application Data\DFX
2009-04-06 08:53 . 2009-04-06 08:53 -------- d-----w c:\documents and settings\All Users\Application Data\DFX
2009-04-06 08:53 . 2009-04-06 08:53 -------- d-----w c:\program files\DFX
2009-04-06 08:53 . 2009-04-06 08:53 -------- d-----w c:\program files\Common Files\DFX
2009-04-05 22:27 . 2009-04-05 22:27 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-04-04 21:27 . 2009-04-04 21:27 3932228 ----a-w C:\clipImage.bmp
2009-04-04 21:17 . 2009-04-04 21:17 -------- d-----w c:\program files\Quick Screen Capture
2009-04-04 21:17 . 2009-04-04 21:17 -------- d-----w C:\MyCaptures
2009-04-03 21:17 . 2009-04-03 21:17 -------- d-sh--r C:\sys
2009-04-03 20:58 . 2009-04-03 20:58 -------- d-----w c:\documents and settings\user\Local Settings\Application Data\ESET
2009-04-03 20:54 . 2009-04-03 20:54 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-04-03 19:44 . 2009-04-03 19:44 -------- d-----w c:\windows\system32\scripting
2009-04-03 19:44 . 2009-04-03 19:44 -------- d-----w c:\windows\l2schemas
2009-04-03 19:44 . 2009-04-03 19:44 -------- d-----w c:\windows\system32\en
2009-04-03 19:44 . 2009-04-03 19:44 -------- d-----w c:\windows\system32\bits
2009-04-03 19:42 . 2009-04-03 19:45 -------- d-----w c:\windows\ServicePackFiles
2009-04-01 01:08 . 2008-10-16 02:06 27496 ----a-w c:\windows\system32\mucltui.dll.mui
2009-04-01 01:08 . 2008-10-16 02:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-01 01:08 . 2008-10-16 02:06 208744 ----a-w c:\windows\system32\muweb.dll
2009-03-30 08:54 . 2009-03-30 08:54 -------- d-----w c:\documents and settings\user\Application Data\Ulead Systems
2009-03-30 02:14 . 2004-08-03 10:29 73216 ------w c:\windows\system32\drivers\atintuxx.sys
2009-03-29 20:28 . 2009-03-29 20:28 -------- d-----w c:\windows\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 08:08 . 2009-03-11 00:22 -------- d-----w c:\documents and settings\user\Application Data\uTorrent
2009-04-20 03:10 . 2009-03-04 19:34 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-18 02:23 . 2009-03-04 00:25 -------- d-----w c:\program files\Google
2009-04-14 06:23 . 2009-04-14 06:23 334 ----a-w C:\doPDFInstall.log
2009-04-12 10:25 . 2009-02-18 21:48 68840 ----a-w c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-10 07:18 . 2009-03-25 06:44 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-03 19:47 . 2009-02-18 21:05 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-03 19:40 . 2004-08-04 12:00 250048 --sha-r C:\ntldr
2009-03-30 23:32 . 2009-03-27 06:00 -------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2009-03-30 23:32 . 2009-02-18 21:41 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-30 23:32 . 2009-03-27 06:00 -------- d-----w c:\program files\Common Files\Ulead Systems
2009-03-30 08:52 . 2009-02-18 21:40 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-27 06:00 . 2009-03-27 06:00 -------- d-----w c:\program files\WinFast
2009-03-25 06:45 . 2009-02-18 21:56 -------- d-----w c:\program files\Microsoft Works
2009-03-24 22:49 . 2009-03-24 22:49 -------- d-----w c:\program files\Dia
2009-03-24 08:20 . 2009-03-23 09:40 -------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 3
2009-03-23 02:09 . 2009-03-23 02:09 -------- d-----w c:\program files\Opera
2009-03-22 23:46 . 2009-03-23 10:18 1077 ----a-w C:\sales.txt
2009-03-20 20:37 . 2009-03-05 19:43 -------- d-----w c:\program files\GRETECH
2009-03-19 05:51 . 2009-03-19 05:51 32 ----a-w C:\ALCSetup.log
2009-03-19 05:50 . 2009-03-19 05:50 -------- d-----w c:\program files\Realtek AC97
2009-03-18 23:45 . 2009-03-18 23:45 93848 ----a-w c:\windows\system32\drivers\epfwtdir.sys
2009-03-18 23:44 . 2009-03-18 23:44 107256 ----a-w c:\windows\system32\drivers\ehdrv.sys
2009-03-18 23:41 . 2009-03-18 23:41 113960 ----a-w c:\windows\system32\drivers\eamon.sys
2009-03-18 19:55 . 2009-03-18 19:55 -------- d-----w c:\program files\Motorola Phone Tools
2009-03-18 19:55 . 2009-03-18 19:55 -------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software
2009-03-18 19:54 . 2009-03-18 19:54 -------- d-----w c:\documents and settings\user\Application Data\InstallShield
2009-03-18 03:33 . 2009-03-14 23:57 -------- d-----w c:\documents and settings\user\Application Data\CyberLink
2009-03-18 03:33 . 2009-03-14 23:57 -------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-03-18 00:53 . 2009-03-18 00:53 -------- d-----w c:\program files\MSXML 4.0
2009-03-11 00:56 . 2009-03-11 00:50 -------- d-----w c:\documents and settings\user\Application Data\LimeWire
2009-03-11 00:22 . 2009-03-11 00:22 -------- d-----w c:\program files\uTorrent
2009-03-09 20:01 . 2009-03-03 22:05 -------- d-s---r c:\program files\WinDriveGuard
2009-03-09 18:31 . 2009-03-09 18:31 -------- d-----w c:\program files\Common Files\Cisco Systems
2009-03-04 19:39 . 2009-03-04 19:39 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-04 19:38 . 2009-03-04 19:38 -------- d-----w c:\program files\Common Files\Adobe
2009-03-04 19:37 . 2009-03-04 19:37 -------- d-----w c:\program files\Java
2009-03-04 19:37 . 2009-03-04 19:37 -------- d-----w c:\program files\Common Files\Java
2009-03-04 06:29 . 2009-03-04 06:29 -------- d-----w c:\program files\Rockstar Games
2009-03-04 00:34 . 2009-03-04 00:34 -------- d-----w c:\program files\iTunes
2009-03-04 00:34 . 2009-03-04 00:34 -------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-03-04 00:34 . 2009-03-04 00:34 -------- d-----w c:\program files\iPod
2009-03-04 00:34 . 2009-03-03 12:22 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-04 00:34 . 2009-03-04 00:34 -------- d-----w c:\program files\Bonjour
2009-03-04 00:33 . 2009-03-04 00:33 -------- d-----w c:\program files\QuickTime
2009-03-04 00:33 . 2009-03-03 12:22 -------- d-----w c:\program files\Common Files\Apple
2009-03-04 00:33 . 2009-03-04 00:33 -------- d-----w c:\program files\Apple Software Update
2009-03-03 19:12 . 2009-03-03 19:12 -------- d-----w c:\documents and settings\user\Application Data\Media Player Classic
2009-03-03 12:23 . 2009-03-03 12:23 -------- d-----w c:\documents and settings\user\Application Data\Apple Computer
2009-03-03 12:22 . 2009-03-03 12:22 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-03-03 12:21 . 2009-03-03 12:20 -------- d-----w c:\program files\K-Lite Codec Pack
2009-02-18 21:03 . 2009-02-18 21:03 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-02-17 13:33 . 2009-02-17 13:33 89256 ----a-w c:\windows\system32\ElbyCDIO.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-22_09.33.24 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00 . 2009-04-22 09:33 41040 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-04-24 10:25 41040 c:\windows\system32\perfc009.dat
+ 2009-02-18 21:02 . 2004-08-04 12:00 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
+ 2008-01-18 15:13 . 2008-01-18 15:13 2247 c:\windows\ServicePackFiles\i386\tscdsbl.bat
+ 2008-01-18 15:13 . 2008-01-18 15:13 2247 c:\windows\Installer\tsclientmsitrans\tscdsbl.bat
+ 2004-08-04 12:00 . 2009-04-24 10:25 314838 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-04-22 09:33 314838 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-21 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-21 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-21 137752]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-04-10 29757440]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2008-02-18 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2008-02-18 1057064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-24 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"WinFast Schedule"="c:\program files\WinFast\WFTVFM\WFWIZ.exe" [2007-11-22 2846720]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-03-18 2029640]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VIA\\VIAudioi\\HDADeck\\HDeck.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Motocross Madness 2\\MCM2.EXE"=

R2 NeroRegInCDSrv;Nero Registry InCD Service; [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-03-18 107256]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2009-03-18 93848]
S2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2006-04-20 59776]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-03-18 731840]
S2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [2006-04-20 19456]
S2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kxbar.sys [2006-04-20 9600]
S3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1e51x86.sys [2008-03-11 36864]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-02-14 222976]
S3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.SYS [2005-01-06 9446]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{018b0268-0ce5-11de-97bd-00221576db1d}]
\Shell\AutoRun\command - System\DriveGuard\DriveProtect.exe -run 
\Shell\Explore\Command - System\DriveGuard\DriveProtect.exe -run  
\Shell\Open\Command - System\DriveGuard\DriveProtect.exe -run 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{167d5d9f-0794-11de-979c-00221576db1d}]
\Shell\AutoRun\command - g:\bin\RECYCLE\Bin.exe
\Shell\open\command - g:\bin\RECYCLE\Bin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-00WE-AAX5-74CC2A323342}]
c:\bin\RECYCLE\Bin.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 00:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinXPService - c:\windows\System32\driver32\mirc.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\pwhrqvhl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-27 06:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-04-26 6:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-26 18:17
ComboFix2.txt 2009-04-22 09:35

Pre-Run: 73,739,141,120 bytes free
Post-Run: 73,767,157,760 bytes free

254 --- E O F --- 2009-04-10 07:18


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:36 PM, on 4/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\My Documents\Downloads\Software_downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [vcrt80.dll] C:\WINDOWS\system32:vcrt80.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: DriveGuard.lnk = C:\Program Files\WinDriveGuard\DriveGuard.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7055 bytes

0

After running, the message displayed was - There were no rootkits found on your computer.

0

Download and Save Blacklight to your desktop:

Double-click on the file, then accept the agreement. Hit the scan button and wait until it's finished running.

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

0

04/30/09 15:03:59 [Info]: BlackLight Engine 2.2.1092 initialized
04/30/09 15:03:59 [Info]: OS: 5.1 build 2600 (Service Pack 3)
04/30/09 15:04:00 [Note]: 7019 4
04/30/09 15:04:00 [Note]: 7005 0
04/30/09 15:04:03 [Note]: 7006 0
04/30/09 15:04:03 [Note]: 7011 1568
04/30/09 15:04:03 [Note]: 7035 0
04/30/09 15:04:04 [Note]: 7026 0
04/30/09 15:04:04 [Note]: 7026 0
04/30/09 15:04:07 [Note]: FSRAW library version 1.7.1024
04/30/09 15:08:30 [Note]: 2000 1012
04/30/09 15:21:44 [Note]: 7007 0

0

Run at least two of these online scans and allow them to fix whatever is found. Try to get a log from each one; if not, at least make a note of what was found and its location:

http://support.f-secure.com/enu/home/ols.shtml

http://housecall.trendmicro.com/us/index.html

http://www.pandasecurity.com/homeusers/solutions/activescan/?

Reboot the computer after each. Save the logs.

Once you have completed those then run a new HJT scan and save the log. Post back here with all logs and info on anything found.
Judy
