Topic: huge problem, computer restarts

maninneed
huge problem, computer restarts
« on: February 25, 2009, 05:23:41 PM »
I am having huge problems. I downloaded something via BitTorrent and then a file named wapapa.exe was installed on my computer in the c:\ drive. When I restarted the computer a blue screen kept reappearing and my computer was restarting all the time... I went into safe mode and I installed Spyware Doctor, SpywareBlaster and Ad-Aware and I ran them all. They cleaned some things, but I am now unable to start HijackThis because of unknown reasons...

I helped a lot of people at my work and the sad irony is that now my computer that I need the most is having these problems...

What can I do? Please help. I will stay awake the whole night to manage to repair it ASAP... Thank you very much.

maninneed
« Reply #1 on: February 25, 2009, 05:24:59 PM »
I forgot to mention that I deleted both the things I downloaded and the wapapa.exe.

maninneed
« Reply #2 on: February 25, 2009, 05:28:33 PM »
Now I managed a HijackThis log...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:53 PM, on 2/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\B342.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ADMINI~1.LIS\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\NRUYIE6I\HiJackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: D - {401BEA53-7ECB-32C4-91B9-135B8C3329BC} - C:\WINDOWS\system32\xwr71552.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\awtrRJyA.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7B8A6987-10EC-4731-ADAC-35F534E72097} - C:\WINDOWS\system32\awtusqnl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {383da1c4-5a1f-920a-5744-95fdc566a83b} - {b38a665c-df59-4475-a029-f1a54c1ad383} - C:\WINDOWS\system32\acwuip.dll
O4 - HKLM\..\Run: [321] c:\cxfagn.exe
O4 - HKLM\..\Run: [yt8a] C:\WINDOWS\system32\yt8a.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3BB4FE3B-7A37-11D3-A41E-0060080C03B3} (Entire Screen Builder Web Viewer) - http://193.205.23.35/vblu/NWWClientFull.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: acwuip.dll
O20 - Winlogon Notify: awtrRJyA - C:\WINDOWS\SYSTEM32\awtrRJyA.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 4570 bytes

maninneed
« Reply #3 on: February 25, 2009, 05:39:07 PM »
I am also posting RSIT logs in order to save time if needed:

log:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Administrator at 2009-02-25 23:36:42
Microsoft Windows XP Professional Service Pack 2
System drive C: has 4 GB (20%) free of 20 GB
Total RAM: 895 MB (76% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:43 PM, on 2/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\B342.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ADMINI~1.LIS\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\NRUYIE6I\HiJackThis[1].exe
C:\DOCUME~1\ADMINI~1.LIS\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\BF8VX3D8\RSIT[1].exe
C:\Program Files\trend micro\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: D - {401BEA53-7ECB-32C4-91B9-135B8C3329BC} - C:\WINDOWS\system32\xwr71552.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\awtrRJyA.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7B8A6987-10EC-4731-ADAC-35F534E72097} - C:\WINDOWS\system32\awtusqnl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {383da1c4-5a1f-920a-5744-95fdc566a83b} - {b38a665c-df59-4475-a029-f1a54c1ad383} - C:\WINDOWS\system32\acwuip.dll
O4 - HKLM\..\Run: [321] c:\cxfagn.exe
O4 - HKLM\..\Run: [yt8a] C:\WINDOWS\system32\yt8a.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3BB4FE3B-7A37-11D3-A41E-0060080C03B3} (Entire Screen Builder Web Viewer) - http://193.205.23.35/vblu/NWWClientFull.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: acwuip.dll
O20 - Winlogon Notify: awtrRJyA - C:\WINDOWS\SYSTEM32\awtrRJyA.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 4716 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\1-Click Maintenance.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{401BEA53-7ECB-32C4-91B9-135B8C3329BC}]
D - C:\WINDOWS\system32\xwr71552.dll [2009-02-25 176128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
C:\WINDOWS\system32\awtrRJyA.dll [2009-02-25 37376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7B8A6987-10EC-4731-ADAC-35F534E72097}]
C:\WINDOWS\system32\awtusqnl.dll [2009-02-25 237056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b38a665c-df59-4475-a029-f1a54c1ad383}]
C:\WINDOWS\system32\acwuip.dll [2009-02-25 104448]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"321"=c:\cxfagn.exe [2009-02-25 20480]
"yt8a"=C:\WINDOWS\system32\yt8a.exe [2008-10-20 36638]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="acwuip.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtrRJyA]
C:\WINDOWS\system32\awtrRJyA.dll [2009-02-25 37376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt]
C:\WINDOWS\system32\crypts.dll [2009-02-25 32256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=C:\WINDOWS\system32\awtrRJyA.dll [2009-02-25 37376]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\awtusqnl

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\THQ\Company of Heroes\RelicCOH.exe"="C:\Program Files\THQ\Company of Heroes\RelicCOH.exe:*:Enabled:RelicCOH"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Valve\hl.exe"="C:\Program Files\Valve\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Documents and Settings\Korisnik\Application Data\PowerChallenge\PowerSoccer\PowerSoccer.exe"="C:\Documents and Settings\Korisnik\Application Data\PowerChallenge\PowerSoccer\PowerSoccer.exe:*:Enabled:PowerSoccer"
"C:\Program Files\Dream Match Tennis Pro\FA.exe"="C:\Program Files\Dream Match Tennis Pro\FA.exe:*:Enabled:FA"
"D:\FM09\fm.exe"="D:\FM09\fm.exe:*:Enabled:Football Manager 2009"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Valve\cstrike.exe"="C:\Program Files\Valve\cstrike.exe:*:Enabled:Counter-Strike Launcher"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
shell\AutoRun\command - C:\yt8a.exe
shell\Explore\command - C:\yt8a.exe
shell\Open\command - C:\yt8a.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - D:\yt8a.exe
shell\Explore\command - D:\yt8a.exe
shell\Open\command - D:\yt8a.exe


======List of files/folders created in the last 1 months======

2009-02-25 23:36:42 ----D---- C:\rsit
2009-02-25 23:36:42 ----D---- C:\Program Files\trend micro
2009-02-25 23:05:04 ----A---- C:\WINDOWS\system32\nnnkLdEu.dll
2009-02-25 21:28:50 ----A---- C:\WINDOWS\system32\crypts.dll
2009-02-25 21:28:50 ----A---- C:\desae.exe
2009-02-25 21:28:48 ----A---- C:\itamcndf.exe
2009-02-25 21:28:43 ----A---- C:\jttgds.exe
2009-02-25 21:28:42 ----A---- C:\cxfagn.exe
2009-02-25 21:28:41 ----A---- C:\flirxnj.exe
2009-02-25 21:28:38 ----A---- C:\WINDOWS\system32\fwlyifew.dll
2009-02-25 21:28:38 ----A---- C:\WINDOWS\instsp1.exe
2009-02-25 21:28:23 ----ASH---- C:\WINDOWS\system32\HhPXyyay.ini2
2009-02-25 21:28:23 ----ASH---- C:\WINDOWS\system32\HhPXyyay.ini
2009-02-25 21:28:18 ----A---- C:\WINDOWS\system32\yayyXPhH.dll.vir
2009-02-25 21:19:54 ----A---- C:\WINDOWS\system32\urqPGArO.dll
2009-02-25 20:26:41 ----D---- C:\Documents and Settings\Administrator.LIST-COMP\Application Data\Lavasoft
2009-02-25 20:26:33 ----D---- C:\Program Files\Lavasoft
2009-02-25 20:20:01 ----D---- C:\Program Files\Spyware Doctor
2009-02-25 18:31:43 ----D---- C:\Documents and Settings\Administrator.LIST-COMP\Application Data\Mozilla
2009-02-25 17:56:38 ----D---- C:\Program Files\SpywareBlaster
2009-02-25 17:50:46 ----D---- C:\Documents and Settings\Administrator.LIST-COMP\Application Data\Sun
2009-02-25 17:47:41 ----A---- C:\WINDOWS\system32\jjujywsj.dll
2009-02-25 17:47:41 ----A---- C:\WINDOWS\system32\acwuip.dll
2009-02-25 17:45:15 ----D---- C:\Documents and Settings\Administrator.LIST-COMP\Application Data\Macromedia
2009-02-25 17:45:14 ----D---- C:\Documents and Settings\Administrator.LIST-COMP\Application Data\Adobe
2009-02-25 17:45:00 ----SH---- C:\WINDOWS\system32\nxhpasic.ini
2009-02-25 17:44:17 ----ASH---- C:\Documents and Settings\Administrator.LIST-COMP\Application Data\desktop.ini
2009-02-25 17:44:16 ----SD---- C:\Documents and Settings\Administrator.LIST-COMP\Application Data\Microsoft
2009-02-25 17:44:09 ----SHD---- C:\WINDOWS\CSC
2009-02-25 17:36:42 ----A---- C:\WINDOWS\ntbtlog.txt
2009-02-25 09:21:35 ----D---- C:\WINDOWS\Minidump
2009-02-25 08:59:40 ----A---- C:\WINDOWS\system32\731b1343-.txt
2009-02-25 08:58:12 ----ASH---- C:\WINDOWS\system32\lnqsutwa.ini2
2009-02-25 08:58:11 ----ASH---- C:\WINDOWS\system32\lnqsutwa.ini
2009-02-25 08:58:09 ----A---- C:\WINDOWS\system32\awtusqnl.dll
2009-02-25 08:53:41 ----A---- C:\WINDOWS\system32\msvcrtd.exe
2009-02-25 08:52:56 ----A---- C:\WINDOWS\system32\awtrRJyA.dll
2009-02-25 08:52:44 ----A---- C:\lsass.exe
2009-02-25 08:45:09 ----A---- C:\WINDOWS\system32\xwr71552.dll
2009-02-25 08:45:09 ----A---- C:\WINDOWS\system32\xa82968921.exe
2009-02-25 08:45:09 ----A---- C:\WINDOWS\system32\xa82968562.exe
2009-02-25 08:45:09 ----A---- C:\WINDOWS\system32\wr71552.dll
2009-02-13 15:45:50 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-02-12 20:23:18 ----A---- C:\WINDOWS\ModemLog_Nokia N95 USB Modem #2.txt
2009-02-09 10:28:25 ----HD---- C:\WINDOWS\PIF
2009-01-28 23:24:04 ----A---- C:\WINDOWS\ModemLog_Nokia N95 USB Modem.txt
2009-01-28 23:20:46 ----N---- C:\WINDOWS\system32\spmsgXP_2k3.dll
2009-01-28 23:20:41 ----HDC---- C:\WINDOWS\$NtUninstallWdf01007$
2009-01-28 23:20:07 ----D---- C:\Documents and Settings\All Users\Application Data\PC Suite
2009-01-28 23:19:40 ----D---- C:\Program Files\Common Files\PCSuite
2009-01-28 23:19:35 ----D---- C:\Program Files\Common Files\Nokia
2009-01-28 23:19:18 ----D---- C:\Program Files\PC Connectivity Solution
2009-01-28 23:19:09 ----A---- C:\WINDOWS\system32\wdfcoinstaller01007.dll
2009-01-28 23:19:09 ----A---- C:\WINDOWS\system32\nmwcdcocls.dll
2009-01-28 23:19:06 ----A---- C:\WINDOWS\system32\nmwcdcls.dll
2009-01-28 23:19:05 ----D---- C:\Program Files\Nokia
2009-01-28 23:18:18 ----D---- C:\Documents and Settings\All Users\Application Data\Installations

======List of files/folders modified in the last 1 months======

2009-02-25 23:36:42 ----RD---- C:\Program Files
2009-02-25 23:24:38 ----D---- C:\WINDOWS\Temp
2009-02-25 23:14:49 ----D---- C:\WINDOWS\system32
2009-02-25 23:11:08 ----D---- C:\WINDOWS
2009-02-25 20:26:35 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-02-25 20:19:15 ----SHD---- C:\RECYCLER
2009-02-25 18:31:56 ----D---- C:\Program Files\Mozilla Firefox
2009-02-25 17:44:15 ----D---- C:\Documents and Settings
2009-02-25 17:39:36 ----D---- C:\WINDOWS\system32\config
2009-02-25 17:38:54 ----D---- C:\WINDOWS\system32\wbem
2009-02-25 17:38:53 ----D---- C:\WINDOWS\Registration
2009-02-25 08:51:00 ----D---- C:\WINDOWS\Prefetch
2009-02-24 17:56:55 ----SHD---- C:\WINDOWS\Installer
2009-02-24 13:03:26 ----HD---- C:\WINDOWS\inf
2009-02-24 13:03:26 ----D---- C:\WINDOWS\system32\CatRoot2
2009-02-24 09:43:33 ----D---- C:\Program Files\DNA
2009-02-24 09:01:23 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-02-14 10:16:14 ----A---- C:\WINDOWS\ModemLog_Agere Systems HDA Modem v6081.txt
2009-02-13 15:45:38 ----HD---- C:\WINDOWS\$hf_mig$
2009-02-13 13:25:43 ----D---- C:\Program Files\PokerStars
2009-02-12 19:59:40 ----D---- C:\Program Files\Common Files
2009-02-12 12:20:44 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-02-12 05:56:17 ----A---- C:\WINDOWS\system32\MRT.exe
2009-02-05 02:57:56 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-01-28 23:21:37 ----D---- C:\WINDOWS\system32\drivers
2009-01-28 23:21:28 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-01-28 23:20:51 ----A---- C:\WINDOWS\imsins.BAK
2009-01-28 23:19:59 ----DC---- C:\WINDOWS\system32\DRVSTORE

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]
R3 Bonifay;Bonifay; C:\WINDOWS\System32\DRIVERS\Bonifay.sys [2004-02-19 11776]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-03-03 34176]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-03-03 13056]
R3 nvsmu;nvsmu; C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-06 11136]
R3 RT61;Ralink RT61 Wireless Driver; C:\WINDOWS\system32\DRIVERS\RT61.sys [2006-09-07 385280]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 17024]
S1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-06-18 36864]
S1 glaide32;glaide32; \??\C:\WINDOWS\system32\drivers\glaide32.sys []
S1 nod32drv;nod32drv; C:\WINDOWS\system32\drivers\nod32drv.sys [2007-10-10 15424]
S2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B}; \??\C:\Program Files\CyberLink\PowerDVD\000.fcl []
S2 AMON;AMON; C:\WINDOWS\system32\drivers\amon.sys [2007-10-10 512096]
S2 Hardlock;Hardlock; \??\C:\WINDOWS\system32\drivers\hardlock.sys []
S3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2005-09-26 1145728]
S3 ak9bg5df;ak9bg5df; C:\WINDOWS\system32\drivers\ak9bg5df.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-09-12 4381184]
S3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys [2008-07-26 25624]
S3 LVUSBSta;Logitech USB Monitor Filter; C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys [2007-10-12 41752]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\ccdcmb.sys [2008-09-15 17664]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\ccdcmbo.sys [2008-09-15 22016]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-06-14 3660672]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2008-08-26 18816]
S3 PID_PEPI;Logitech QuickCam IM(PID_PEPI); C:\WINDOWS\system32\DRIVERS\LV302V32.SYS [2007-10-12 1279000]
S3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2004-08-03 67584]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 upperdev;upperdev; C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2008-09-15 8064]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbser;USB Modem Driver; C:\WINDOWS\system32\drivers\usbser.sys [2004-08-03 25600]
S3 UsbserFilt;UsbserFilt; C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2008-09-15 8064]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys [2008-03-27 503008]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
S2 LVCOMSer;LVCOMSer; C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe [2008-07-26 186904]
S2 LVPrcSrv;Process Monitor; C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2008-07-26 150040]
S2 msupdate;Microsoft security update service; c:\windows\system32\msvcrtd.exe [2009-02-25 24576]
S2 NOD32krn;NOD32 Kernel Service; C:\Program Files\Eset\nod32krn.exe [2007-10-10 552064]
S2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-06-14 143427]
S2 O2Flash;O2Micro Flash Memory; C:\WINDOWS\system32\o2flash.exe [2005-01-27 36864]
S2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared files\RichVideo.exe [2007-02-07 173616]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2007-10-10 654848]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2008-11-11 620544]
S3 SolidWorks Licensing Service;SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [2008-05-17 72704]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
huge problem, computer restarts
« Reply #4 on: February 25, 2009, 07:21:43 PM »
Download ComboFix from one of these locations:

  • Link 1
  • Link 2
  • Link 3
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:
    • It is important you rename Combofix during the download, but not after.
    • Please do not rename Combofix to other names, but only to the one indicated.

  --------------------------------------------------------------------
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with some tools.
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combo-Fix.txt in your next reply.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline maninneed

  • Jr. Member
  • **
  • Posts: 81
  • Karma: +0/-0
huge problem, computer restarts
« Reply #5 on: February 25, 2009, 08:06:35 PM »
It rebooted and came back into normal... thank you so much. I've uninstalled NOD32 because I couldn't stop it in safe mode and ComboFix asked for it to be stopped...

A message concerning computer risk with firewall etc. keeps reappearing, and I have put the Windows Firewall on several times, but it keeps turning off....

ComboFix 09-02-25.02 - Administrator 2009-02-26  1:50:51.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.895.725 [GMT 1:00]
Running from: c:\documents and settings\Administrator.LIST-COMP\Desktop\Combo-Fix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\lsass.exe
c:\windows\system32\acwuip.dll
c:\windows\system32\awtrRJyA.dll
c:\windows\system32\awtusqnl.dll
c:\windows\system32\bgrfuehn.ini
c:\windows\system32\cbXNEVnO.dll
c:\windows\system32\crypts.dll
c:\windows\system32\HhPXyyay.ini
c:\windows\system32\HhPXyyay.ini2
c:\windows\system32\jjujywsj.dll
c:\windows\system32\jkexgjcx.dll
c:\windows\system32\lnqsutwa.ini
c:\windows\system32\lnqsutwa.ini2
c:\windows\system32\msvcrtd.exe
c:\windows\system32\nheufrgb.dll
c:\windows\system32\nnnkLdEu.dll
c:\windows\system32\nxhpasic.ini
c:\windows\system32\OnVENXbc.ini
c:\windows\system32\OnVENXbc.ini2
c:\windows\system32\rqfmta.dll
c:\windows\system32\urqPGArO.dll
c:\windows\system32\yayyXPhH.dll.vir
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://codecs.sytes.net
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSUPDATE
-------\Service_msupdate


(((((((((((((((((((((((((   Files Created from 2009-01-26 to 2009-02-26  )))))))))))))))))))))))))))))))
.

2009-02-26 01:55 . 2009-02-26 01:55   20,480   --a------   C:\lsass.exe
2009-02-25 23:36 . 2009-02-25 23:36   <DIR>   d--------   C:\rsit
2009-02-25 23:36 . 2009-02-25 23:36   <DIR>   d--------   c:\program files\trend micro
2009-02-25 21:29 . 2009-02-26 01:55   100,590   --a------   c:\windows\system32\drivers\glaide32.sys
2009-02-25 21:28 . 2009-02-25 21:28   81,920   --a------   C:\itamcndf.exe
2009-02-25 21:28 . 2009-02-25 21:28   69,120   --a------   c:\windows\system32\fwlyifew.dll
2009-02-25 21:28 . 2009-02-25 21:28   24,576   --a------   C:\flirxnj.exe
2009-02-25 21:28 . 2009-02-25 21:28   20,480   --a------   C:\cxfagn.exe
2009-02-25 21:28 . 2009-02-25 21:28   9,728   --a------   c:\windows\instsp1.exe
2009-02-25 21:28 . 2009-02-25 21:28   8,704   --a------   C:\jttgds.exe
2009-02-25 21:28 . 2009-02-25 21:29   705   --a------   C:\desae.exe
2009-02-25 21:28 . 2009-02-25 21:28   2   --a------   C:\2016991122
2009-02-25 21:27 . 2009-02-25 21:27   <DIR>   d--------   c:\documents and settings\Korisnik\Application Data\Lavasoft
2009-02-25 20:26 . 2009-02-25 20:26   <DIR>   d--------   c:\program files\Lavasoft
2009-02-25 20:26 . 2009-02-25 20:26   <DIR>   d--------   c:\documents and settings\Administrator.LIST-COMP\Application Data\Lavasoft
2009-02-25 20:20 . 2009-02-25 20:21   <DIR>   d--------   c:\program files\Spyware Doctor
2009-02-25 17:56 . 2009-02-25 17:57   <DIR>   d--------   c:\program files\SpywareBlaster
2009-02-25 17:46 . 2009-02-25 17:46   <DIR>   d---s----   c:\documents and settings\Administrator.LIST-COMP\UserData
2009-02-25 17:44 . 2009-02-25 17:46   <DIR>   d--------   c:\documents and settings\Administrator.LIST-COMP
2009-02-25 17:37 . 2009-02-25 17:38   <DIR>   d---s----   c:\documents and settings\Administrator
2009-02-25 08:51 . 2009-02-25 08:51   <DIR>   d--------   c:\documents and settings\Korisnik\Application Data\Thinstall
2009-02-25 08:45 . 2009-02-25 08:45   1,882,624   --a------   c:\windows\system32\xa82968921.exe
2009-02-25 08:45 . 2009-02-25 08:45   1,882,624   --a------   c:\windows\system32\xa82968562.exe
2009-02-25 08:45 . 2009-02-25 08:45   176,128   --a------   c:\windows\system32\xwr71552.dll
2009-02-25 08:45 . 2009-02-25 08:45   176,128   --a------   c:\windows\system32\wr71552.dll
2009-02-19 12:29 . 2009-02-19 12:29   <DIR>   d---s----   c:\documents and settings\Korisnik\UserData
2009-02-09 10:28 . 2009-02-09 10:28   <DIR>   d--h-----   c:\windows\PIF
2009-01-28 23:21 . 2004-08-03 23:08   25,600   --a------   c:\windows\system32\drivers\usbser.sys
2009-01-28 23:21 . 2004-08-03 23:08   25,600   --a--c---   c:\windows\system32\dllcache\usbser.sys
2009-01-28 23:20 . 2009-01-28 23:21   <DIR>   d--------   c:\documents and settings\Korisnik\Application Data\PC Suite
2009-01-28 23:20 . 2009-01-28 23:35   <DIR>   d--------   c:\documents and settings\Korisnik\Application Data\Nokia
2009-01-28 23:20 . 2009-01-28 23:20   <DIR>   d--------   c:\documents and settings\All Users\Application Data\PC Suite
2009-01-28 23:20 . 2008-03-21 13:57   14,640   --a------   c:\windows\system32\spmsgXP_2k3.dll
2009-01-28 23:20 . 2009-01-28 23:20   0   --ah-----   c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-28 23:20 . 2009-01-28 23:20   0   --ah-----   c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-01-28 23:19 . 2009-01-28 23:19   <DIR>   d--------   c:\program files\PC Connectivity Solution
2009-01-28 23:19 . 2009-01-28 23:19   <DIR>   d--------   c:\program files\Nokia
2009-01-28 23:19 . 2009-01-28 23:19   <DIR>   d--------   c:\program files\Common Files\PCSuite
2009-01-28 23:19 . 2009-01-28 23:19   <DIR>   d--------   c:\program files\Common Files\Nokia
2009-01-28 23:19 . 2008-09-15 07:29   1,112,288   --a------   c:\windows\system32\wdfcoinstaller01007.dll
2009-01-28 23:19 . 2008-09-15 07:56   659,968   --a------   c:\windows\system32\nmwcdcocls.dll
2009-01-28 23:19 . 2008-09-15 07:56   91,136   --a------   c:\windows\system32\nmwcdcls.dll
2009-01-28 23:19 . 2008-09-15 07:56   22,016   --a------   c:\windows\system32\drivers\ccdcmbo.sys
2009-01-28 23:19 . 2008-08-26 09:26   18,816   --a------   c:\windows\system32\drivers\pccsmcfd.sys
2009-01-28 23:19 . 2008-09-15 07:56   17,664   --a------   c:\windows\system32\drivers\ccdcmb.sys
2009-01-28 23:19 . 2008-09-15 07:56   8,064   --a------   c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-01-28 23:19 . 2008-09-15 07:56   8,064   --a------   c:\windows\system32\drivers\usbser_lowerflt.sys
2009-01-28 23:18 . 2009-01-28 23:18   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Installations

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 00:47   ---------   d-----w   c:\program files\ESET
2009-02-25 16:38   ---------   d-----w   c:\documents and settings\Korisnik\Application Data\DNA
2009-02-25 16:38   ---------   d-----w   c:\documents and settings\Korisnik\Application Data\BitTorrent
2009-02-24 08:43   ---------   d-----w   c:\program files\DNA
2009-02-24 07:28   ---------   d-----w   c:\documents and settings\Korisnik\Application Data\Skype
2009-02-24 00:29   ---------   d-----w   c:\documents and settings\Korisnik\Application Data\skypePM
2009-02-13 12:25   ---------   d-----w   c:\program files\PokerStars
2009-01-15 12:08   ---------   d-----w   c:\program files\ABBYY FineReader 8.0 Professional Edition
2009-01-15 12:08   ---------   d-----w   c:\documents and settings\Korisnik\Application Data\ABBYY
2009-01-13 17:11   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-01-08 17:30   ---------   d-----w   c:\program files\TikGames
2009-01-08 17:30   ---------   d-----w   c:\documents and settings\All Users\Application Data\Trymedia
2008-10-20 07:25   36,638   --sha-w   c:\windows\system32\yt8a.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{401BEA53-7ECB-32C4-91B9-135B8C3329BC}]
2009-02-25 08:45   176128   --a------   c:\windows\system32\xwr71552.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"31249"="C:\cxfagn.exe" [2009-02-25 20480]

c:\documents and settings\Korisnik\Start Menu\Programs\Startup\
Freecom Personal Media Suite.lnk - c:\program files\Freecom Personal Media Suite\FCPMS.exe [2004-02-19 4071472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=rqfmta.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360hotfix.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360rpt.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safe.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safebox.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\adam.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\agentsvr.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\antiarp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\appsvc32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\arvmon.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autoguarder.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autoruns.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgrssvc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avmonitor.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.com]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccenter.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccsvchst.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\filedsty.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\findt2005.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ftcleanershell.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\hijackthis.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\icesword.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iparmo.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iparmor.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ishelp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ispwdsvc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kabaload.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kascrscn.scr]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kasmain.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kastask.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kav32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kavdx.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kavpfw.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kavsetup.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kavstart.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\killhidepid.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kislnchr.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kmailmon.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kmfilter.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kpfw32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kpfw32x.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kpfwsvc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kregex.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\krepair.com]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ksloader.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvcenter.kxp]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvdetect.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvfw.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvfwmcl.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvmonxp.kxp]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvmonxp_1.kxp]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvol.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvolself.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvreport.kxp]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvscan.kxp]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvsrvxp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvstub.kxp]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvupload.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvwsc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvxp.kxp]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvxp_1.kxp]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kwatch.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kwatch9x.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kwatchx.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\loaddll.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\magicset.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcconsol.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mmqczj.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mmsk.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navsetup.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32kui.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pfw.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pfwliveupdate.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\qhset.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\qqdoctor.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ras.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rav.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ravcopy.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ravmon.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ravmond.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ravstore.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ravstub.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ravt08.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ravtask.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regclean.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwcfg.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwmain.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwolusr.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwproxy.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwsrv.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rsagent.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rsaupd.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rstray.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\runiep.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safebank.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safeboxtray.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safelive.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\scan32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\shcfg32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\smartassistant.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\smartup.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sreng.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\srengps.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\symlcsvc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\syscheck.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\syscheck2.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\syssafe.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\toolsup.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\trojandetector.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\trojanwall.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\trojdie.kxp]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\uihost.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\umxagent.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\umxattachment.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\umxcfg.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\umxfwhlp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\umxpol.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\uplive.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\wopticlean.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zxsweep.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ÐÞ¸´¹¤¾ß.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Documents and Settings\\Korisnik\\Application Data\\PowerChallenge\\PowerSoccer\\PowerSoccer.exe"=
"d:\\FM09\\fm.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Valve\\cstrike.exe"=

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-08-18 36576]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2006-06-21 29184]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51:58 13560]
R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [2004-02-19 11776]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18869ea7-638b-11dd-b2f1-0019dbed7285}]
\Shell\AutoRun\command - H:\yt8a.exe
\Shell\Explore\Command - H:\yt8a.exe
\Shell\Open\Command - H:\yt8a.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{406edd12-d665-11dd-b373-0019dbed7285}]
\Shell\AutoRun\command - G:\yt8a.exe
\Shell\Explore\Command - G:\yt8a.exe
\Shell\Open\Command - G:\yt8a.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69dec918-dd66-11dd-b37c-0019dbed7285}]
\Shell\AutoRun\command - G:\yt8a.exe
\Shell\Explore\Command - G:\yt8a.exe
\Shell\Open\Command - G:\yt8a.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c4fde34-f8e9-11dd-b3b9-0019dbed7285}]
\Shell\AutoRun\command - G:\yt8a.exe
\Shell\Explore\Command - G:\yt8a.exe
\Shell\Open\Command - G:\yt8a.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afe035b1-dcb9-11dd-b37b-0019dbed7285}]
\Shell\AutoRun\command - G:\yt8a.exe
\Shell\Explore\Command - G:\yt8a.exe
\Shell\Open\Command - G:\yt8a.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1df925c-6d55-11dd-b306-0019dbed7285}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\open\command - RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-13 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{97722c55-d656-4d21-9d37-eaf00c1e1636} - c:\windows\system32\rqfmta.dll
BHO-{A09CD448-B273-4314-B087-AF16DC20AA67} - c:\windows\system32\awtusqnl.dll


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {3BB4FE3B-7A37-11D3-A41E-0060080C03B3} - hxxp://193.205.23.35/vblu/NWWClientFull.cab
FF - ProfilePath - c:\documents and settings\Korisnik\Application Data\Mozilla\Firefox\Profiles\cxuvm1tr.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 01:55:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\glaide32]
"ImagePath"="\??\c:\windows\system32\drivers\glaide32.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\o2flash.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
C:\lsass.exe
.
**************************************************************************
.
Completion time: 2009-02-26  1:58:02 - machine was rebooted [Korisnik]
ComboFix-quarantined-files.txt  2009-02-26 00:57:58

Pre-Run: 4,079,820,800 bytes free
Post-Run: 4,948,656,128 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

470   --- E O F ---   2009-02-18 17:59:14


hijack this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:06, on 2009-02-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\cxfagn.exe
C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Korisnik\Desktop\HiJackThis(2).exe
c:\lsass.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: D - {401BEA53-7ECB-32C4-91B9-135B8C3329BC} - C:\WINDOWS\system32\xwr71552.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [17431] C:\cxfagn.exe
O4 - HKLM\..\Run: [yt8a] C:\WINDOWS\system32\yt8a.exe
O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3BB4FE3B-7A37-11D3-A41E-0060080C03B3} (Entire Screen Builder Web Viewer) - http://193.205.23.35/vblu/NWWClientFull.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: rqfmta.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 4775 bytes

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
huge problem, computer restarts
« Reply #6 on: February 25, 2009, 08:45:27 PM »
Download Flash_Disinfector and save it to your desktop.
  • Double click on Flash_Disinfector.exe to run it. If you receive a prompt, please allow it.
  • You will be prompted to plug in your flash drive. Plug it in. If you have more than one, plug them in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Download > ATF Cleaner < by Atribune and save it to your Desktop.

Double Click on ATF-Cleaner.exe to Run it
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
*Prefetch (Windows XP) only.
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".
Let it finish cleaning
Click Exit from the Main menu

download Malwarebytes' Anti-Malware from Here or Here
Save the installer to desktop

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

With that log from MBAM, also run Rsit.exe again and post the log that opens.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
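As an added triage example (not code from this thread, from HijackThis, ComboFix or MBAM), the script below scans log lines in the formats posted above and flags the indicators that drove the advice in this reply: executables sitting in the drive root, a file named after a core system process outside \windows\system32, a populated AppInit_DLLs value, MountPoints2 shell commands that launch a program from a drive, and Run entries whose payload is also an autorun target. The sample input is constructed from lines in the logs above; the list of system-process names goes beyond the single lsass.exe the logs show and is an assumption.

```python
"""Triage helper for HijackThis / ComboFix style log lines.

Added example for this thread; not part of HijackThis, ComboFix, MBAM or
the forum's tooling.  The heuristics mirror the indicators visible above.
"""
import re
from typing import List, Tuple

# Core Windows processes that legitimately live only in \windows\system32.
# The logs show only lsass.exe abused this way; the other names generalise
# the check (assumption, not taken from the thread).
SYSTEM_PROCESS_NAMES = {
    "lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "svchost.exe",
}
SYSTEM_DIR = "\\windows\\system32\\"

# A drive-letter path ending in an executable image, anywhere on the line.
PATH_RE = re.compile(r"([a-z]:\\.*?\.(?:exe|dll|sys))\b", re.IGNORECASE)
# An executable directly in the root of a drive, e.g. C:\cxfagn.exe.
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.IGNORECASE)
# ComboFix MountPoints2 lines such as "\Shell\AutoRun\command - G:\yt8a.exe".
MOUNTPOINT_CMD_RE = re.compile(r"^\\Shell\\\w+\\command\s*-\s*(.+)$", re.IGNORECASE)

Finding = Tuple[str, str]  # (rule name, offending log line)


def basename(command: str) -> str:
    """Lower-cased file name of the last path token in a command string."""
    return command.rsplit("\\", 1)[-1].split()[-1].lower()


def triage(log_text: str) -> List[Finding]:
    """Return (rule, line) pairs for every suspicious line in the log text."""
    findings: List[Finding] = []
    autorun_payloads = set()   # basenames launched from MountPoints2 entries
    run_lines: List[str] = []  # HijackThis O4 (Run / Startup) lines

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        mp = MOUNTPOINT_CMD_RE.match(line)
        if mp:
            # Drive autorun hijack: a shell verb that runs a program from the
            # drive is exactly what Flash_Disinfector's autorun.inf folder blocks.
            findings.append(("mountpoints2-autorun", line))
            autorun_payloads.add(basename(mp.group(1)))
            continue

        if line.upper().startswith("O20 - APPINIT_DLLS:"):
            # AppInit_DLLs is loaded into every process that links user32.dll;
            # on a home machine it should normally be empty.
            if line.split(":", 1)[1].strip():
                findings.append(("appinit-dll", line))
            continue

        if line.upper().startswith("O4 - "):
            run_lines.append(line)

        for path in PATH_RE.findall(line):
            if ROOT_EXE_RE.match(path):
                findings.append(("root-executable", line))
            if basename(path) in SYSTEM_PROCESS_NAMES and SYSTEM_DIR not in path.lower():
                findings.append(("system-name-outside-system32", line))

    # Second pass: a Run entry whose target shares its name with an autorun
    # payload (yt8a.exe above) is the same infection re-establishing itself.
    for line in run_lines:
        for path in PATH_RE.findall(line):
            if basename(path) in autorun_payloads:
                findings.append(("run-key-matches-autorun-payload", line))

    return findings


# Constructed sample: lines copied from the HijackThis and ComboFix logs
# posted in this thread, with clean lines kept for contrast.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\lsass.exe
c:\lsass.exe
O4 - HKLM\..\Run: [17431] C:\cxfagn.exe
O4 - HKLM\..\Run: [yt8a] C:\WINDOWS\system32\yt8a.exe
O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
O20 - AppInit_DLLs: rqfmta.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
\Shell\AutoRun\command - G:\yt8a.exe
\Shell\open\command - RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
"""

if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:32} {line}")
```

Note that yt8a.exe in system32 is only caught by correlating it with the MountPoints2 entries; by itself the Run line looks like any other, which is why the helper asked for both the ComboFix and HijackThis logs.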


Offline maninneed

  • Jr. Member
  • **
  • Posts: 81
  • Karma: +0/-0
huge problem, computer restarts
« Reply #7 on: February 26, 2009, 03:27:40 AM »
When I pasted the two logs in the web browser, "method not supported" appeared, so I will upload the two logs.

Malwarebytes' Anti-Malware 1.34
Database version: 1805
Windows 5.1.2600 Service Pack 2

2009-02-26 09:18:11
mbam-log-2009-02-26 (09-18-11).txt

Scan type: Quick Scan
Objects scanned: 69337
Time elapsed: 4 minute(s), 27 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 127
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
C:\cxfagn.exe (Trojan.Agent) -> Unloaded process successfully.
c:\lsass.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{401bea53-7ecb-32c4-91b9-135b8c3329bc} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{401bea53-7ecb-32c4-91b9-135b8c3329bc} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{ae367d57-41f7-3a26-a758-1f311f50bc8f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8e0fec09-2722-376e-b5d9-5226c2902c15} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{401bea53-7ecb-32c4-91b9-135b8c3329bc} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVwsc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmonD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\�޸�����.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arvmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoGuarder.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\findt2005.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IsHelp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\killhidepid.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavCopy.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStore.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravt08.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwolusr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartassistant.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngPS.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syscheck.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Syscheck2.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ToolsUp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.COM (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safebank.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icesword.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\13716 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\xwr71552.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\instsp1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fwlyifew.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wr71552.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\glaide32.sys (Rootkit.Agent) -> Delete on reboot.
C:\desae.exe (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\itamcndf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\jttgds.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\cxfagn.exe (Trojan.Agent) -> Delete on reboot.
C:\flirxnj.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\lsass.exe (Trojan.Agent) -> Delete on reboot.


Logfile of random's system information tool 1.05 (written by random/random)
Run by Korisnik at 2009-02-26 09:22:38
Microsoft Windows XP Professional Service Pack 2
System drive C: has 5 GB (24%) free of 20 GB
Total RAM: 895 MB (69% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:22, on 2009-02-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Korisnik\Desktop\RSIT.exe
C:\Documents and Settings\Korisnik\Desktop\Korisnik.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [1302] C:\cxfagn.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3BB4FE3B-7A37-11D3-A41E-0060080C03B3} (Entire Screen Builder Web Viewer) - http://193.205.23.35/vblu/NWWClientFull.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: rqfmta.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 4623 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\1-Click Maintenance.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"1302"=C:\cxfagn.exe []
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-06-14 7573504]

C:\Documents and Settings\Korisnik\Start Menu\Programs\Startup
Freecom Personal Media Suite.lnk - C:\Program Files\Freecom Personal Media Suite\FCPMS.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="rqfmta.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=FFFFFFFF
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Valve\hl.exe"="C:\Program Files\Valve\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Documents and Settings\Korisnik\Application Data\PowerChallenge\PowerSoccer\PowerSoccer.exe"="C:\Documents and Settings\Korisnik\Application Data\PowerChallenge\PowerSoccer\PowerSoccer.exe:*:Enabled:PowerSoccer"
"D:\FM09\fm.exe"="D:\FM09\fm.exe:*:Enabled:Football Manager 2009"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Valve\cstrike.exe"="C:\Program Files\Valve\cstrike.exe:*:Enabled:Counter-Strike Launcher"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{406edd12-d665-11dd-b373-0019dbed7285}]
shell\AutoRun\command - G:\yt8a.exe
shell\Explore\command - G:\yt8a.exe
shell\Open\command - G:\yt8a.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69dec918-dd66-11dd-b37c-0019dbed7285}]
shell\AutoRun\command - G:\yt8a.exe
shell\Explore\command - G:\yt8a.exe
shell\Open\command - G:\yt8a.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c4fde34-f8e9-11dd-b3b9-0019dbed7285}]
shell\AutoRun\command - G:\yt8a.exe
shell\Explore\command - G:\yt8a.exe
shell\Open\command - G:\yt8a.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afe035b1-dcb9-11dd-b37b-0019dbed7285}]
shell\AutoRun\command - G:\yt8a.exe
shell\Explore\command - G:\yt8a.exe
shell\Open\command - G:\yt8a.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1df925c-6d55-11dd-b306-0019dbed7285}]
shell\Auto\command - auto.exe
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
shell\open\command - RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe


======List of files/folders created in the last 1 months======

2009-02-26 09:11:22 ----D---- C:\Documents and Settings\Korisnik\Application Data\Malwarebytes
2009-02-26 09:11:16 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-02-26 09:11:16 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-02-26 01:58:03 ----A---- C:\ComboFix.txt
2009-02-26 01:52:39 ----D---- C:\WINDOWS\temp
2009-02-26 01:50:24 ----A---- C:\Boot.bak
2009-02-26 01:50:18 ----RASHD---- C:\cmdcons
2009-02-26 01:45:59 ----A---- C:\WINDOWS\zip.exe
2009-02-26 01:45:59 ----A---- C:\WINDOWS\VFIND.exe
2009-02-26 01:45:59 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-02-26 01:45:59 ----A---- C:\WINDOWS\SWSC.exe
2009-02-26 01:45:59 ----A---- C:\WINDOWS\SWREG.exe
2009-02-26 01:45:59 ----A---- C:\WINDOWS\sed.exe
2009-02-26 01:45:59 ----A---- C:\WINDOWS\NIRCMD.exe
2009-02-26 01:45:59 ----A---- C:\WINDOWS\grep.exe
2009-02-26 01:45:59 ----A---- C:\WINDOWS\fdsv.exe
2009-02-26 01:45:49 ----D---- C:\WINDOWS\ERDNT
2009-02-26 01:45:49 ----D---- C:\Qoobox
2009-02-25 23:36:42 ----D---- C:\rsit
2009-02-25 23:36:42 ----D---- C:\Program Files\trend micro
2009-02-25 21:27:39 ----D---- C:\Documents and Settings\Korisnik\Application Data\Lavasoft
2009-02-25 20:26:33 ----D---- C:\Program Files\Lavasoft
2009-02-25 20:20:01 ----D---- C:\Program Files\Spyware Doctor
2009-02-25 17:56:38 ----D---- C:\Program Files\SpywareBlaster
2009-02-25 17:44:09 ----SHD---- C:\WINDOWS\CSC
2009-02-25 17:36:42 ----A---- C:\WINDOWS\ntbtlog.txt
2009-02-25 09:21:35 ----D---- C:\WINDOWS\Minidump
2009-02-25 08:59:40 ----A---- C:\WINDOWS\system32\731b1343-.txt
2009-02-25 08:51:08 ----D---- C:\Documents and Settings\Korisnik\Application Data\Thinstall
2009-02-25 08:45:09 ----A---- C:\WINDOWS\system32\xa82968921.exe
2009-02-25 08:45:09 ----A---- C:\WINDOWS\system32\xa82968562.exe
2009-02-13 15:45:50 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-02-12 20:23:18 ----A---- C:\WINDOWS\ModemLog_Nokia N95 USB Modem #2.txt
2009-02-09 10:28:25 ----HD---- C:\WINDOWS\PIF
2009-01-28 23:24:04 ----A---- C:\WINDOWS\ModemLog_Nokia N95 USB Modem.txt
2009-01-28 23:20:46 ----A---- C:\WINDOWS\system32\spmsgXP_2k3.dll
2009-01-28 23:20:41 ----HDC---- C:\WINDOWS\$NtUninstallWdf01007$
2009-01-28 23:20:09 ----D---- C:\Documents and Settings\Korisnik\Application Data\Nokia
2009-01-28 23:20:07 ----D---- C:\Documents and Settings\Korisnik\Application Data\PC Suite
2009-01-28 23:20:07 ----D---- C:\Documents and Settings\All Users\Application Data\PC Suite
2009-01-28 23:19:40 ----D---- C:\Program Files\Common Files\PCSuite
2009-01-28 23:19:35 ----D---- C:\Program Files\Common Files\Nokia
2009-01-28 23:19:18 ----D---- C:\Program Files\PC Connectivity Solution
2009-01-28 23:19:09 ----A---- C:\WINDOWS\system32\wdfcoinstaller01007.dll
2009-01-28 23:19:09 ----A---- C:\WINDOWS\system32\nmwcdcocls.dll
2009-01-28 23:19:06 ----A---- C:\WINDOWS\system32\nmwcdcls.dll
2009-01-28 23:19:05 ----D---- C:\Program Files\Nokia
2009-01-28 23:18:18 ----D---- C:\Documents and Settings\All Users\Application Data\Installations

======List of files/folders modified in the last 1 months======

2009-02-26 09:21:15 ----D---- C:\WINDOWS\system32
2009-02-26 09:20:20 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-02-26 09:19:13 ----D---- C:\WINDOWS\Prefetch
2009-02-26 09:19:12 ----D---- C:\WINDOWS\system32\drivers
2009-02-26 09:18:11 ----D---- C:\WINDOWS
2009-02-26 09:11:16 ----RD---- C:\Program Files
2009-02-26 02:08:46 ----D---- C:\Program Files\Mozilla Firefox
2009-02-26 01:56:50 ----D---- C:\WINDOWS\system32\CatRoot2
2009-02-26 01:55:21 ----A---- C:\WINDOWS\system.ini
2009-02-26 01:53:28 ----D---- C:\WINDOWS\system32\config
2009-02-26 01:51:38 ----D---- C:\WINDOWS\AppPatch
2009-02-26 01:51:36 ----D---- C:\Program Files\Common Files
2009-02-26 01:50:25 ----RASH---- C:\boot.ini
2009-02-26 01:47:32 ----D---- C:\Program Files\ESET
2009-02-25 20:26:35 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-02-25 17:44:15 ----D---- C:\Documents and Settings
2009-02-25 17:38:54 ----D---- C:\WINDOWS\system32\wbem
2009-02-25 17:38:53 ----D---- C:\WINDOWS\Registration
2009-02-25 17:38:41 ----D---- C:\Documents and Settings\Korisnik\Application Data\DNA
2009-02-25 17:38:41 ----D---- C:\Documents and Settings\Korisnik\Application Data\BitTorrent
2009-02-24 17:56:55 ----SHD---- C:\WINDOWS\Installer
2009-02-24 13:03:26 ----HD---- C:\WINDOWS\inf
2009-02-24 09:43:33 ----D---- C:\Program Files\DNA
2009-02-24 08:28:56 ----D---- C:\Documents and Settings\Korisnik\Application Data\Skype
2009-02-24 01:29:06 ----D---- C:\Documents and Settings\Korisnik\Application Data\skypePM
2009-02-14 10:16:14 ----A---- C:\WINDOWS\ModemLog_Agere Systems HDA Modem v6081.txt
2009-02-13 15:45:38 ----HD---- C:\WINDOWS\$hf_mig$
2009-02-13 13:25:43 ----D---- C:\Program Files\PokerStars
2009-02-12 20:17:06 ----SD---- C:\Documents and Settings\Korisnik\Application Data\Microsoft
2009-02-12 12:20:44 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-02-12 05:56:17 ----A---- C:\WINDOWS\system32\MRT.exe
2009-02-05 02:57:56 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-01-28 23:21:28 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-01-28 23:20:51 ----A---- C:\WINDOWS\imsins.BAK
2009-01-28 23:19:59 ----DC---- C:\WINDOWS\system32\DRVSTORE

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-06-18 36864]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B}; \??\C:\Program Files\CyberLink\PowerDVD\000.fcl []
R2 Hardlock;Hardlock; \??\C:\WINDOWS\system32\drivers\hardlock.sys []
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2005-09-26 1145728]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 Bonifay;Bonifay; C:\WINDOWS\System32\DRIVERS\Bonifay.sys [2004-02-19 11776]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-09-12 4381184]
R3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys [2008-07-26 25624]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-06-14 3660672]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-03-03 34176]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-03-03 13056]
R3 nvsmu;nvsmu; C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-06 11136]
R3 RT61;Ralink RT61 Wireless Driver; C:\WINDOWS\system32\DRIVERS\RT61.sys [2006-09-07 385280]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 17024]
S1 glaide32;glaide32; \??\C:\WINDOWS\system32\drivers\glaide32.sys []
S3 afj0buip;afj0buip; C:\WINDOWS\system32\drivers\afj0buip.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 LVUSBSta;Logitech USB Monitor Filter; C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys [2007-10-12 41752]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\ccdcmb.sys [2008-09-15 17664]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\ccdcmbo.sys [2008-09-15 22016]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2008-08-26 18816]
S3 PID_PEPI;Logitech QuickCam IM(PID_PEPI); C:\WINDOWS\system32\DRIVERS\LV302V32.SYS [2007-10-12 1279000]
S3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2004-08-03 67584]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 upperdev;upperdev; C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2008-09-15 8064]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbser;USB Modem Driver; C:\WINDOWS\system32\drivers\usbser.sys [2004-08-03 25600]
S3 UsbserFilt;UsbserFilt; C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2008-09-15 8064]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys [2008-03-27 503008]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
R2 LVCOMSer;LVCOMSer; C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe [2008-07-26 186904]
R2 LVPrcSrv;Process Monitor; C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2008-07-26 150040]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-06-14 143427]
R2 O2Flash;O2Micro Flash Memory; C:\WINDOWS\system32\o2flash.exe [2005-01-27 36864]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared files\RichVideo.exe [2007-02-07 173616]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2007-10-10 654848]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2008-11-11 620544]
S3 SolidWorks Licensing Service;SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [2008-05-17 72704]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------
« Last Edit: February 27, 2009, 06:17:13 PM by guestolo »

Offline maninneed

  • Jr. Member
  • **
  • Posts: 81
  • Karma: +0/-0
huge problem, computer restarts
« Reply #8 on: February 26, 2009, 01:03:03 PM »
I just wanted to add that YouTube videos do not load anymore.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
huge problem, computer restarts
« Reply #9 on: February 27, 2009, 06:46:34 PM »
Delete your copy of ComboFix from the desktop.
Redownload a fresh copy from
[color="#0000FF"]Link 1[/color]
[color="#0000FF"]Link 2[/color]
[color="#0000FF"]Link 3[/color]

Don't rename it; just download it normally.

Copy ALL the BLUE text below and paste it into Notepad.
Don't use anything other than Notepad or the script will not work.

[color="#0000FF"]
KillAll::
Driver::
glaide32
File::
C:\WINDOWS\system32\xa82968921.exe
C:\WINDOWS\system32\xa82968562.exe
G:\yt8a.exe
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
C:\WINDOWS\tasks\1-Click Maintenance.job
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=-
"AppInit_DLLS"=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"1302"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\glaide32]
"ImagePath"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\glaide32]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{406edd12-d665-11dd-b373-0019dbed7285}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69dec918-dd66-11dd-b37c-0019dbed7285}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c4fde34-f8e9-11dd-b3b9-0019dbed7285}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afe035b1-dcb9-11dd-b37b-0019dbed7285}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1df925c-6d55-11dd-b306-0019dbed7285}]
[/color]
Save this as a text file on your desktop, with the exact name
CFScript

Drag CFScript.txt into ComboFix.exe.
ComboFix will start >> follow the prompts.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you with the same name, C:\ComboFix.txt.

Post that log.
In addition,
supply an uninstall list from HijackThis:
Open HijackThis >> Open MISC TOOLS SECTION >> Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop, then copy >> paste the whole contents back here.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/

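As an added example (not code from this thread, nor from RSIT, HijackThis or ComboFix), the Python below triages log lines in the formats quoted above and flags the entry types the CFScript targets: Run entries launching from a drive root or with a numeric value name, a non-empty AppInit_DLLs, a BHO with no backing file, mountpoints2 autorun handlers, and drivers with no file date/size. The sample lines are constructed from this thread and the rule names are my own.

```python
"""Triage of HijackThis/RSIT-style log lines (added example, not a forum tool).

Rules and names are the example author's own choice; the sample log below is
constructed from the entries quoted in this thread.
"""
import re
from collections import Counter
from dataclasses import dataclass

# HijackThis-style lines
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# RSIT registry dump and driver list
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
SHELL_RE = re.compile(r"^shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.IGNORECASE)
DRIVER_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<desc>[^;]*); (?P<path>.+?) \[(?P<info>[^\]]*)\]$"
)
# A binary sitting directly in a drive root (C:\cxfagn.exe), a common dropper location.
ROOT_BINARY_RE = re.compile(r'[A-Za-z]:\\[^\\\s,"]+\.(?:exe|dll|scr|com|bat)\b', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line, in log order."""
    findings: list[Finding] = []
    in_mountpoints = False  # true while inside a mountpoints2\{...} key of the registry dump
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            in_mountpoints = "mountpoints2" in m["key"].lower()
            continue
        if in_mountpoints and SHELL_RE.match(line):
            # AutoRun/Open/Explore handlers for a (removable) drive: the yt8a.exe / ise32.exe pattern.
            findings.append(Finding("mountpoints2-autorun-handler", line))
            continue
        if m := RUN_RE.match(line):
            if ROOT_BINARY_RE.search(m["cmd"]):
                findings.append(Finding("run-entry-launches-from-drive-root", line))
            if m["name"].isdigit():  # random numeric value names such as [1302]
                findings.append(Finding("run-entry-numeric-value-name", line))
            continue
        if m := APPINIT_RE.match(line):
            if m["dlls"].strip():  # AppInit_DLLs is injected into every GUI process
                findings.append(Finding("appinit-dlls-set", line))
            continue
        if m := BHO_RE.match(line):
            if m["path"].strip().lower() == "(no file)":
                findings.append(Finding("bho-without-file", line))
            continue
        if m := DRIVER_RE.match(line):
            if not m["info"].strip():  # RSIT prints [] when it cannot stat the driver file
                findings.append(Finding("driver-without-file-info", line))
            continue
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample, modelled on the RSIT/HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [1302] C:\cxfagn.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - AppInit_DLLs: rqfmta.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{406edd12-d665-11dd-b373-0019dbed7285}]
shell\AutoRun\command - G:\yt8a.exe
shell\Open\command - G:\yt8a.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1df925c-6d55-11dd-b306-0019dbed7285}]
shell\open\command - RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-06-14 3660672]
S1 glaide32;glaide32; \??\C:\WINDOWS\system32\drivers\glaide32.sys []
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:40s} {f.line}")
```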

Offline maninneed

  • Jr. Member
  • **
  • Posts: 81
  • Karma: +0/-0
huge problem, computer restarts
« Reply #10 on: February 28, 2009, 06:55:49 AM »
YouTube works now. When I start the computer, a message appears asking if I want to run Microsoft Windows Recovery Console or Windows. I think I should uninstall the NOD32 fix file that is left, since I uninstalled NOD32 when I was in safe mode at the beginning of my post. Also, I don't need this PowerChallenge football.


ComboFix 09-02-27.02 - Korisnik 2009-02-28  6:21:39.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.895.609 [GMT 1:00]
Running from: c:\documents and settings\Korisnik\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Korisnik\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
c:\windows\system32\xa82968562.exe
c:\windows\system32\xa82968921.exe
c:\windows\tasks\1-Click Maintenance.job
G:\yt8a.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\autorun.inf
c:\windows\system32\xa82968562.exe
c:\windows\system32\xa82968921.exe
c:\windows\tasks\1-Click Maintenance.job
D:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2009-01-28 to 2009-02-28  )))))))))))))))))))))))))))))))
.

2009-02-27 09:08 . 2009-02-27 09:08   182,784   --a------   c:\program files\KB27035.exe
2009-02-27 09:08 . 2009-02-27 09:08   176,128   --a------   c:\windows\system32\hq85938.dll
2009-02-26 18:09 . 2009-02-26 18:09   915,968   --a------   c:\windows\system32\xa31722453.exe
2009-02-26 18:09 . 2009-02-26 18:09   915,968   --a------   c:\windows\system32\xa31722218.exe
2009-02-26 18:08 . 2009-02-26 18:08   1,882,624   --a------   c:\windows\system32\xa31654203.exe
2009-02-26 18:08 . 2009-02-26 18:08   1,882,624   --a------   c:\windows\system32\xa31653796.exe
2009-02-26 18:08 . 2009-02-26 18:08   915,968   --a------   c:\windows\system32\xa31667343.exe
2009-02-26 18:08 . 2009-02-26 18:08   915,968   --a------   c:\windows\system32\xa31666812.exe
2009-02-26 18:08 . 2009-02-26 18:08   915,968   --a------   c:\windows\system32\xa31661468.exe
2009-02-26 18:08 . 2009-02-26 18:08   915,968   --a------   c:\windows\system32\xa31661250.exe
2009-02-26 18:08 . 2009-02-26 18:08   176,128   --a------   c:\windows\system32\xwr71552.dll
2009-02-26 18:08 . 2009-02-26 18:08   176,128   --a------   c:\windows\system32\xwr58633.dll
2009-02-26 18:08 . 2009-02-26 18:08   176,128   --a------   c:\windows\system32\wr71552.dll
2009-02-26 18:08 . 2009-02-26 18:08   176,128   --a------   c:\windows\system32\wr58633.dll
2009-02-26 09:11 . 2009-02-26 09:11   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2009-02-26 09:11 . 2009-02-26 09:11   <DIR>   d--------   c:\documents and settings\Korisnik\Application Data\Malwarebytes
2009-02-26 09:11 . 2009-02-26 09:11   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-26 09:11 . 2009-02-11 10:19   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-26 09:11 . 2009-02-11 10:19   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2009-02-25 23:36 . 2009-02-25 23:36   <DIR>   d--------   C:\rsit
2009-02-25 23:36 . 2009-02-25 23:36   <DIR>   d--------   c:\program files\trend micro
2009-02-25 21:28 . 2009-02-25 21:28   2   --a------   C:\2016991122
2009-02-25 21:27 . 2009-02-25 21:27   <DIR>   d--------   c:\documents and settings\Korisnik\Application Data\Lavasoft
2009-02-25 20:26 . 2009-02-25 20:26   <DIR>   d--------   c:\program files\Lavasoft
2009-02-25 20:26 . 2009-02-25 20:26   <DIR>   d--------   c:\documents and settings\Administrator.LIST-COMP\Application Data\Lavasoft
2009-02-25 20:20 . 2009-02-25 20:21   <DIR>   d--------   c:\program files\Spyware Doctor
2009-02-25 17:56 . 2009-02-25 17:57   <DIR>   d--------   c:\program files\SpywareBlaster
2009-02-25 17:46 . 2009-02-25 17:46   <DIR>   d---s----   c:\documents and settings\Administrator.LIST-COMP\UserData
2009-02-25 17:44 . 2009-02-25 17:46   <DIR>   d--------   c:\documents and settings\Administrator.LIST-COMP
2009-02-25 17:37 . 2009-02-25 17:38   <DIR>   d---s----   c:\documents and settings\Administrator
2009-02-25 08:51 . 2009-02-25 08:51   <DIR>   d--------   c:\documents and settings\Korisnik\Application Data\Thinstall
2009-02-09 10:28 . 2009-02-09 10:28   <DIR>   d--h-----   c:\windows\PIF
2009-01-28 23:21 . 2004-08-03 23:08   25,600   --a------   c:\windows\system32\drivers\usbser.sys
2009-01-28 23:21 . 2004-08-03 23:08   25,600   --a--c---   c:\windows\system32\dllcache\usbser.sys
2009-01-28 23:20 . 2009-01-28 23:21   <DIR>   d--------   c:\documents and settings\Korisnik\Application Data\PC Suite
2009-01-28 23:20 . 2009-01-28 23:35   <DIR>   d--------   c:\documents and settings\Korisnik\Application Data\Nokia
2009-01-28 23:20 . 2009-01-28 23:20   <DIR>   d--------   c:\documents and settings\All Users\Application Data\PC Suite
2009-01-28 23:20 . 2008-03-21 13:57   14,640   --a------   c:\windows\system32\spmsgXP_2k3.dll
2009-01-28 23:20 . 2009-01-28 23:20   0   --ah-----   c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-28 23:20 . 2009-01-28 23:20   0   --ah-----   c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-01-28 23:19 . 2009-01-28 23:19   <DIR>   d--------   c:\program files\PC Connectivity Solution
2009-01-28 23:19 . 2009-01-28 23:19   <DIR>   d--------   c:\program files\Nokia
2009-01-28 23:19 . 2009-01-28 23:19   <DIR>   d--------   c:\program files\Common Files\PCSuite
2009-01-28 23:19 . 2009-01-28 23:19   <DIR>   d--------   c:\program files\Common Files\Nokia
2009-01-28 23:19 . 2008-09-15 07:29   1,112,288   --a------   c:\windows\system32\wdfcoinstaller01007.dll
2009-01-28 23:19 . 2008-09-15 07:56   659,968   --a------   c:\windows\system32\nmwcdcocls.dll
2009-01-28 23:19 . 2008-09-15 07:56   91,136   --a------   c:\windows\system32\nmwcdcls.dll
2009-01-28 23:19 . 2008-09-15 07:56   22,016   --a------   c:\windows\system32\drivers\ccdcmbo.sys
2009-01-28 23:19 . 2008-08-26 09:26   18,816   --a------   c:\windows\system32\drivers\pccsmcfd.sys
2009-01-28 23:19 . 2008-09-15 07:56   17,664   --a------   c:\windows\system32\drivers\ccdcmb.sys
2009-01-28 23:19 . 2008-09-15 07:56   8,064   --a------   c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-01-28 23:19 . 2008-09-15 07:56   8,064   --a------   c:\windows\system32\drivers\usbser_lowerflt.sys
2009-01-28 23:18 . 2009-01-28 23:18   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Installations

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-27 17:26   ---------   d-----w   c:\documents and settings\Korisnik\Application Data\BitTorrent
2009-02-26 00:47   ---------   d-----w   c:\program files\ESET
2009-02-25 16:38   ---------   d-----w   c:\documents and settings\Korisnik\Application Data\DNA
2009-02-24 08:43   ---------   d-----w   c:\program files\DNA
2009-02-24 07:28   ---------   d-----w   c:\documents and settings\Korisnik\Application Data\Skype
2009-02-24 00:29   ---------   d-----w   c:\documents and settings\Korisnik\Application Data\skypePM
2009-02-13 12:25   ---------   d-----w   c:\program files\PokerStars
2009-01-15 12:08   ---------   d-----w   c:\program files\ABBYY FineReader 8.0 Professional Edition
2009-01-15 12:08   ---------   d-----w   c:\documents and settings\Korisnik\Application Data\ABBYY
2009-01-13 17:11   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-01-08 17:30   ---------   d-----w   c:\program files\TikGames
2009-01-08 17:30   ---------   d-----w   c:\documents and settings\All Users\Application Data\Trymedia
2008-10-20 07:25   36,638   --sha-w   c:\windows\system32\yt8a.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDB3DF8B-E46A-394C-8E70-53525CA25F3B}]
2009-02-27 09:08   176128   --a------   c:\windows\system32\hq85938.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-14 7573504]

c:\documents and settings\Korisnik\Start Menu\Programs\Startup\
Freecom Personal Media Suite.lnk - c:\program files\Freecom Personal Media Suite\FCPMS.exe [2004-02-19 4071472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Documents and Settings\\Korisnik\\Application Data\\PowerChallenge\\PowerSoccer\\PowerSoccer.exe"=
"d:\\FM09\\fm.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Valve\\cstrike.exe"=

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-08-18 36576]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2006-06-21 29184]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51:58 13560]
R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [2004-02-19 11776]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {3BB4FE3B-7A37-11D3-A41E-0060080C03B3} - hxxp://193.205.23.35/vblu/NWWClientFull.cab
FF - ProfilePath - c:\documents and settings\Korisnik\Application Data\Mozilla\Firefox\Profiles\cxuvm1tr.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-28 06:25:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\o2flash.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
.
**************************************************************************
.
Completion time: 2009-02-28  6:28:40 - machine was rebooted [Korisnik]
ComboFix-quarantined-files.txt  2009-02-28 05:28:37
ComboFix2.txt  2009-02-26 00:58:03

Pre-Run: 4,539,224,064 bytes free
Post-Run: 4,527,095,808 bytes free

169   --- E O F ---   2009-02-18 17:59:14

ABBYY FineReader 8.0 Professional Edition
Ad-Aware SE Professional
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 8.1.2
Adobe Setup
Adobe Shockwave Player 11
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Agere Systems HDA Modem v6081
Color LaserJet 2600n
COSMOSMotion 2007 SP0
COSMOSWorks 2007 SP0
Counter-Strike 1.6 v17 Full
DWGeditor
eDrawings 2007
Football Manager 2009
Freecom Personal Media Suite 1.27
GTA San Andreas
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Java(tm) 6 Update 7
K-Lite Codec Pack 3.4.0 Full
Logitech QuickCam
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Monopoly (remove only)
Mozilla Firefox (3.0.6)
MSN
MSVC80_x86
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MV2Player (remove only)
Nero 8 Micro v8.0.3.0
NOD32 FiX
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
NVIDIA Drivers
O2Micro Flash Memory Card Windows Driver V2.07
PC Connectivity Solution
PDF Settings
PokerStars
PowerDVD
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Skype™ 3.8
SolidWorks 2007 SP0
SolidWorks Explorer 2007 sp0
SolidWorks Installation Manager
Spyware Doctor 2.0
SpywareBlaster 4.1
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
VideoLAN VLC media player 0.8.6i
Winamp (remove only)
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor  (05/27/2006 1.3.2.0)
Windows Driver Package - Nokia Modem  (10/27/2008 3.9)
Windows Driver Package - Nokia Modem  (10/27/2008 7.01.0.1)
Windows Driver Package - Nokia pccsmcfd  (08/22/2008 7.0.0.0)
Windows Driver Package - Ralink Technology, Inc. (RT61) Net  (09/07/2006 1.01.03.0000)
Windows Installer 3.1 (KB893803)
Windows Live installer
Windows Live Messenger
WinRAR archiver

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
huge problem, computer restarts
« Reply #11 on: February 28, 2009, 10:45:58 AM »
As mentioned earlier
Quote
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

This delay should only be a few seconds; is it longer than that?

can you delete your copy of cfscript.txt
We're going to redo that step

Copy ALL the BLUE text below and Paste to notepad
Don't use anything other than Notepad or the script will not work

File::
c:\program files\KB27035.exe
c:\windows\system32\hq85938.dll
c:\windows\system32\xa31722453.exe
c:\windows\system32\xa31722218.exe
c:\windows\system32\xa31654203.exe
c:\windows\system32\xa31653796.exe
c:\windows\system32\xa31667343.exe
c:\windows\system32\xa31666812.exe
c:\windows\system32\xa31661468.exe
c:\windows\system32\xa31661250.exe
c:\windows\system32\xwr71552.dll
c:\windows\system32\xwr58633.dll
c:\windows\system32\wr71552.dll
c:\windows\system32\wr58633.dll
c:\windows\system32\yt8a.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDB3DF8B-E46A-394C-8E70-53525CA25F3B}]
Save this as a text file on your desktop, with the exact name of
CFScript

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

When finished, it shall produce a log for you with the same name, C:\ComboFix.txt.
I'll need to see that log again later

Can you access your Add and Remove programs
Go ahead and uninstall
Java™ 6 Update 7
NOD32 FiX


Reboot the computer
Back in Windows
 
Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of  Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "JRE 6 Update 12".
  • Click the "Download" button to the right.
  • In the Window that opens, select Windows,>>Check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe that you downloaded to install the newest version.
Do you plan on reinstalling Nod32?
If so, do it now and update and run a full virus scan
If not, and it is outdated, let me know please; you must have anti-virus installed to help secure this computer.

Post that log from Combofix, also include a fresh Hijackthis log

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline maninneed

  • Jr. Member
  • **
  • Posts: 81
  • Karma: +0/-0
huge problem, computer restarts
« Reply #12 on: February 28, 2009, 05:48:33 PM »
The menu with Windows XP and Windows Recovery does not last for long so it's not a problem; however, when I try to reboot, the "saving system settings" screen tends to last for a very long time, so I do it physically by pressing the button... Another problem is the fact that Windows Security Center reminds me to put the system on automatic updating but I can't do it (I do it in the Control Panel but it doesn't change in the Security Center).

I have installed the AVG antivirus program and I have scanned my computer, it did not find anything very dangerous.

Here are the logs that you asked for:



ComboFix 09-02-27.02 - Korisnik 2009-02-28 18:38:50.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.895.567 [GMT 1:00]
Running from: c:\documents and settings\Korisnik\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Korisnik\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
c:\program files\KB27035.exe
c:\windows\system32\hq85938.dll
c:\windows\system32\wr58633.dll
c:\windows\system32\wr71552.dll
c:\windows\system32\xa31653796.exe
c:\windows\system32\xa31654203.exe
c:\windows\system32\xa31661250.exe
c:\windows\system32\xa31661468.exe
c:\windows\system32\xa31666812.exe
c:\windows\system32\xa31667343.exe
c:\windows\system32\xa31722218.exe
c:\windows\system32\xa31722453.exe
c:\windows\system32\xwr58633.dll
c:\windows\system32\xwr71552.dll
c:\windows\system32\yt8a.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\KB27035.exe
c:\windows\system32\hq85938.dll
c:\windows\system32\wr58633.dll
c:\windows\system32\wr71552.dll
c:\windows\system32\xa31653796.exe
c:\windows\system32\xa31654203.exe
c:\windows\system32\xa31661250.exe
c:\windows\system32\xa31661468.exe
c:\windows\system32\xa31666812.exe
c:\windows\system32\xa31667343.exe
c:\windows\system32\xa31722218.exe
c:\windows\system32\xa31722453.exe
c:\windows\system32\xwr58633.dll
c:\windows\system32\xwr71552.dll
c:\windows\system32\yt8a.exe

.
(((((((((((((((((((((((((   Files Created from 2009-01-28 to 2009-02-28  )))))))))))))))))))))))))))))))
.

2009-02-26 09:11 . 2009-02-26 09:11   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2009-02-26 09:11 . 2009-02-26 09:11   <DIR>   d--------   c:\documents and settings\Korisnik\Application Data\Malwarebytes
2009-02-26 09:11 . 2009-02-26 09:11   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-26 09:11 . 2009-02-11 10:19   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-26 09:11 . 2009-02-11 10:19   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2009-02-25 23:36 . 2009-02-25 23:36   <DIR>   d--------   C:\rsit
2009-02-25 23:36 . 2009-02-25 23:36   <DIR>   d--------   c:\program files\trend micro
2009-02-25 21:28 . 2009-02-25 21:28   2   --a------   C:\2016991122
2009-02-25 21:27 . 2009-02-25 21:27   <DIR>   d--------   c:\documents and settings\Korisnik\Application Data\Lavasoft
2009-02-25 20:26 . 2009-02-25 20:26   <DIR>   d--------   c:\program files\Lavasoft
2009-02-25 20:26 . 2009-02-25 20:26   <DIR>   d--------   c:\documents and settings\Administrator.LIST-COMP\Application Data\Lavasoft
2009-02-25 20:20 . 2009-02-25 20:21   <DIR>   d--------   c:\program files\Spyware Doctor
2009-02-25 17:56 . 2009-02-25 17:57   <DIR>   d--------   c:\program files\SpywareBlaster
2009-02-25 17:46 . 2009-02-25 17:46   <DIR>   d---s----   c:\documents and settings\Administrator.LIST-COMP\UserData
2009-02-25 17:44 . 2009-02-25 17:46   <DIR>   d--------   c:\documents and settings\Administrator.LIST-COMP
2009-02-25 17:37 . 2009-02-25 17:38   <DIR>   d---s----   c:\documents and settings\Administrator
2009-02-25 08:51 . 2009-02-25 08:51   <DIR>   d--------   c:\documents and settings\Korisnik\Application Data\Thinstall
2009-02-09 10:28 . 2009-02-09 10:28   <DIR>   d--h-----   c:\windows\PIF
2009-01-28 23:21 . 2004-08-03 23:08   25,600   --a------   c:\windows\system32\drivers\usbser.sys
2009-01-28 23:21 . 2004-08-03 23:08   25,600   --a--c---   c:\windows\system32\dllcache\usbser.sys
2009-01-28 23:20 . 2009-01-28 23:21   <DIR>   d--------   c:\documents and settings\Korisnik\Application Data\PC Suite
2009-01-28 23:20 . 2009-01-28 23:35   <DIR>   d--------   c:\documents and settings\Korisnik\Application Data\Nokia
2009-01-28 23:20 . 2009-01-28 23:20   <DIR>   d--------   c:\documents and settings\All Users\Application Data\PC Suite
2009-01-28 23:20 . 2008-03-21 13:57   14,640   --a------   c:\windows\system32\spmsgXP_2k3.dll
2009-01-28 23:20 . 2009-01-28 23:20   0   --ah-----   c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-28 23:20 . 2009-01-28 23:20   0   --ah-----   c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-01-28 23:19 . 2009-01-28 23:19   <DIR>   d--------   c:\program files\PC Connectivity Solution
2009-01-28 23:19 . 2009-01-28 23:19   <DIR>   d--------   c:\program files\Nokia
2009-01-28 23:19 . 2009-01-28 23:19   <DIR>   d--------   c:\program files\Common Files\PCSuite
2009-01-28 23:19 . 2009-01-28 23:19   <DIR>   d--------   c:\program files\Common Files\Nokia
2009-01-28 23:19 . 2008-09-15 07:29   1,112,288   --a------   c:\windows\system32\wdfcoinstaller01007.dll
2009-01-28 23:19 . 2008-09-15 07:56   659,968   --a------   c:\windows\system32\nmwcdcocls.dll
2009-01-28 23:19 . 2008-09-15 07:56   91,136   --a------   c:\windows\system32\nmwcdcls.dll
2009-01-28 23:19 . 2008-09-15 07:56   22,016   --a------   c:\windows\system32\drivers\ccdcmbo.sys
2009-01-28 23:19 . 2008-08-26 09:26   18,816   --a------   c:\windows\system32\drivers\pccsmcfd.sys
2009-01-28 23:19 . 2008-09-15 07:56   17,664   --a------   c:\windows\system32\drivers\ccdcmb.sys
2009-01-28 23:19 . 2008-09-15 07:56   8,064   --a------   c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-01-28 23:19 . 2008-09-15 07:56   8,064   --a------   c:\windows\system32\drivers\usbser_lowerflt.sys
2009-01-28 23:18 . 2009-01-28 23:18   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Installations

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-27 17:26   ---------   d-----w   c:\documents and settings\Korisnik\Application Data\BitTorrent
2009-02-26 00:47   ---------   d-----w   c:\program files\ESET
2009-02-25 16:38   ---------   d-----w   c:\documents and settings\Korisnik\Application Data\DNA
2009-02-24 08:43   ---------   d-----w   c:\program files\DNA
2009-02-24 07:28   ---------   d-----w   c:\documents and settings\Korisnik\Application Data\Skype
2009-02-24 00:29   ---------   d-----w   c:\documents and settings\Korisnik\Application Data\skypePM
2009-02-13 12:25   ---------   d-----w   c:\program files\PokerStars
2009-01-15 12:08   ---------   d-----w   c:\program files\ABBYY FineReader 8.0 Professional Edition
2009-01-15 12:08   ---------   d-----w   c:\documents and settings\Korisnik\Application Data\ABBYY
2009-01-13 17:11   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-01-08 17:30   ---------   d-----w   c:\program files\TikGames
2009-01-08 17:30   ---------   d-----w   c:\documents and settings\All Users\Application Data\Trymedia
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-14 7573504]

c:\documents and settings\Korisnik\Start Menu\Programs\Startup\
Freecom Personal Media Suite.lnk - c:\program files\Freecom Personal Media Suite\FCPMS.exe [2004-02-19 4071472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Documents and Settings\\Korisnik\\Application Data\\PowerChallenge\\PowerSoccer\\PowerSoccer.exe"=
"d:\\FM09\\fm.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Valve\\cstrike.exe"=

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-08-18 36576]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2006-06-21 29184]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51:58 13560]
R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [2004-02-19 11776]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {3BB4FE3B-7A37-11D3-A41E-0060080C03B3} - hxxp://193.205.23.35/vblu/NWWClientFull.cab
FF - ProfilePath - c:\documents and settings\Korisnik\Application Data\Mozilla\Firefox\Profiles\cxuvm1tr.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-28 18:39:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2009-02-28 18:41:23
ComboFix-quarantined-files.txt  2009-02-28 17:41:06
ComboFix2.txt  2009-02-28 05:28:44
ComboFix3.txt  2009-02-26 00:58:03

Pre-Run: 4,503,142,400 bytes free
Post-Run: 4,483,489,792 bytes free

157   --- E O F ---   2009-02-18 17:59:14


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:38, on 2009-02-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
C:\Documents and Settings\Korisnik\Desktop\Korisnik.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3BB4FE3B-7A37-11D3-A41E-0060080C03B3} (Entire Screen Builder Web Viewer) - http://193.205.23.35/vblu/NWWClientFull.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 5198 bytes

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
huge problem, computer restarts
« Reply #13 on: February 28, 2009, 06:33:32 PM »
Quote
Another problem is the fact that Windows Security Center reminds me to put the system on automatic updating but I can't do it (I do it in the Control Panel but it doesn't change in the Security Center).

This indicates the Background Intelligent Transfer service is corrupt
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
Can you do the following

Can you look and see if the following folder is present, the one in bold
C:\Documents and Settings\All Users\Application Data\Microsoft\Network

You will have to
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Click Yes to confirm.
    * Click OK.

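As an added example (my own code, not part of this thread and not HijackThis or ComboFix code), a small Python triage script that flags the two log patterns called out above: a BHO loading a random-named DLL from system32, and a service whose image path is a bare directory, which is how the corrupt BITS line reads. It then renders the BHO hits in the CFScript File::/Registry:: layout used in Reply #11. The sample lines are constructed from entries in this thread (the "(no name)" O2 line is the ComboFix BHO entry rewritten in HijackThis syntax), and the random-name rule is a heuristic.

```python
"""Added example (not from this thread): triage HijackThis O2/O23 lines for the
two patterns discussed above, then render the BHO hits in CFScript layout."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input. The AVG, BITS, O2Flash, Adobe and Java lines are
# copied from the HijackThis log in this thread; the "(no name)" O2 line is
# constructed from the BHO CLSID and DLL path that ComboFix listed under
# "Reg Loading Points", rewritten in HijackThis O2 syntax.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BDB3DF8B-E46A-394C-8E70-53525CA25F3B} - C:\WINDOWS\system32\hq85938.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")
# Heuristic only: a short letter prefix followed by a run of digits (hq85938.dll).
RANDOM_NAME = re.compile(r"^[a-z]{1,4}\d{4,}\.(?:dll|exe)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str        # "O2" (BHO) or "O23" (service)
    subject: str     # DLL file name or service display name
    reason: str
    path: str = ""   # full image path, used when rendering the CFScript
    clsid: str = ""  # BHO CLSID, used for the Registry:: delete entry


def check_bho(name: str, path: str) -> List[str]:
    """Reasons to flag a Browser Helper Object line."""
    reasons = []
    fname = path.rsplit("\\", 1)[-1]
    if name.strip().lower() == "(no name)":
        reasons.append("BHO registered without a display name")
    if "\\system32\\" in path.lower() and RANDOM_NAME.match(fname):
        reasons.append("DLL in system32 with a random-looking name (heuristic)")
    return reasons


def check_service(path: str) -> List[str]:
    """Reasons to flag an O23 service line. An image path that ends in a
    directory rather than an executable is how the corrupt BITS entry in this
    thread shows up (C:\\WINDOWS\\ instead of an executable)."""
    exe = path.strip().strip('"').rsplit("\\", 1)[-1]
    if not exe:
        return ["image path is a directory, not an executable (corrupt service entry)"]
    return []


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and collect findings for O2 and O23 lines."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            fname = m["path"].rsplit("\\", 1)[-1]
            for reason in check_bho(m["name"], m["path"]):
                findings.append(Finding("O2", fname, reason, m["path"], m["clsid"]))
            continue
        m = O23_RE.match(line)
        if m:
            for reason in check_service(m["path"]):
                findings.append(Finding("O23", m["name"], reason, m["path"]))
    return findings


def to_cfscript(findings: List[Finding]) -> str:
    """Render flagged BHOs in the CFScript layout used in this thread: a File::
    section listing the DLLs and a Registry:: section with [-KEY] delete entries
    (the \\~\\ abbreviation is the one ComboFix itself printed). Service findings
    are left out on purpose: a corrupt BITS entry is repaired, not deleted."""
    files, keys = [], []
    for f in findings:
        if f.kind != "O2":
            continue
        if f.path not in files:
            files.append(f.path)
        key = "[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\%s]" % f.clsid
        if key not in keys:
            keys.append(key)
    return "\n".join(["File::", *files, "Registry::", *keys]) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h.kind:4} {h.subject}: {h.reason}")
    print(to_cfscript(hits))
```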


Offline maninneed

  • Jr. Member
  • **
  • Posts: 81
  • Karma: +0/-0
huge problem, computer restarts
« Reply #14 on: February 28, 2009, 07:40:41 PM »
The Network folder is present and it has two folders in it: Connections (which has two folders in it, cm and pbk) and Downloader... Do I have any other issues? Can you see in the logs?

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
huge problem, computer restarts
« Reply #15 on: March 01, 2009, 04:38:41 AM »
Can you try the following
Download and save to desktop Dial-a-Fix.zip
For an alternate download location you can try HERE

Extract the contents to its own folder
Open the newly extracted folder
Double click on Dial-a-fix.exe to  run it
At the bottom of the main screen, Click the GREEN checkmark
This should select all settings
Then click GO

Ensure date/time is selected properly when prompted, then let the tool continue
When it's done
Reboot the computer
Let me then know if Windows Updates now works properly



Offline maninneed

  • Jr. Member
  • **
  • Posts: 81
  • Karma: +0/-0
huge problem, computer restarts
« Reply #16 on: March 01, 2009, 05:50:10 AM »
This message appeared, then I downloaded secedit-sfw.exe, but it remains unclear to me how to establish permission settings in the secedit

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
huge problem, computer restarts
« Reply #17 on: March 01, 2009, 12:11:25 PM »
Download and save to desktop
Reset_Subinacl.zip

Extract the contents to your desktop
There will be two files (reset.cmd and subinacl.exe) extracted to your desktop
Double click the reset.cmd file

You will see a DOS-like window processing.

(Note: It may take several minutes, please be patient. When it is finished, you will receive a message stating "Finished, press any key to continue".)

Reboot, try running Dial-A-Fix again with previous instructions



Offline maninneed

  • Jr. Member
  • **
  • Posts: 81
  • Karma: +0/-0
huge problem, computer restarts
« Reply #18 on: March 01, 2009, 05:07:56 PM »
You have done it... now it's OK, thank you very much. Is my computer repair ended now?

Offline maninneed

  • Jr. Member
  • **
  • Posts: 81
  • Karma: +0/-0
huge problem, computer restarts
« Reply #19 on: March 01, 2009, 07:30:30 PM »
Another question: do the changes that we made have to do with increasing the time that chesscube.com needs to initialize?