Help - Search - Members - Calendar
Full Version: What Should I do? :(
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
hemingway11
Jun 22 2008, 10:23 AM
Hi everyone,
I need help from you guys regarding my laptop. My system was infected with viruses and malwares and I had cleaned up using anti virus, adaware and spybot s&d etc.... Although my laptop seems to be back to normal after all these long and tedious processes, erractic problems still persist and I can't seem to find any solutions to it. The symptoms are:

1) I am unable to run my task manager through <CTL> , <ALT>, <DEL> as well as through C:\WINDOWS. Nothing occur everytime I press the " Task Manager" button.


2) My Language bar seems to "locked up"; everytime I uncheck the "turn off advanced text services" check box, it will remain checked after I apply the change. Not only that, I couldn't select any of the check box on the "Language Bar Setting".


3) Everytime I click on the "shutdown" button (either from the " Start Menu" or <CTL> , <ALT>, <DEL> function), my system seem to "freeze up" for a couples of minutes before the "Shutdown" dialog box appear for me to select the options.


Apart from these, I think my system is operating normally, period.

Below are my hijackthis log file for your references

----------------------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:59 PM, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec

Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec

AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft

Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog

Devices\SoundMAX\SMAgent.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Analog

Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop

CD+DVD\BinFiles\DragDrop.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Common Files\Symantec

Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program

Files\Google\GoogleToolbarNotifier\GoogleToolba

rNotifier.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend

Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32

-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-

C3F9-4EFB-9B51-7695ECA05670} - C:\Program

Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Acrobat 7.0

\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-

47B5-9F9D-39A8B94E7EF7} -

D:\Program\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-

828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program

Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-

68BC-4B02-94D6-2FC0DE4A7897} - C:\Program

Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-

462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-

A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper -

{9030D464-4C02-4ABF-8ECC-5164760863C6} -

C:\Program Files\Common Files\Microsoft

Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-

01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO -

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -

C:\Program

Files\Google\GoogleToolbarNotifier\3.0.1225.986

8\swg.dll
O2 - BHO: Windows Live Toolbar Helper -

{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -

C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-

81EF-470C-9057-481BA8380DBA} -

D:\Program\FlashGet\getflash.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5

-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD

-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program

Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-

11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-

9B18-009027A5CD4F} - c:\program

files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PmProxy] C:\Program

Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey]

C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program

Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program

Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px]

C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD]

C:\Program Files\Drag'n Drop

CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [IMJPMIG8.1]

"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil

/RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002]

C:\WINDOWS\system32

\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync]

C:\WINDOWS\system32

\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A]

C:\WINDOWS\system32

\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Synchronization Manager] %

SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program

Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1

\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender]

"C:\Program Files\Windows

Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched]

"C:\Program Files\Java\jre1.6.0_05

\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray]

C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd]

C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers]

C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and

Settings\Administrator\Desktop\RRT\RRT.exe auto
O4 - HKLM\..\RunServices: [Windows Recylinder

Check] vdkvdqcfde.exe
O4 - HKLM\..\RunServices: [Wscript]

C:\WINDOWS\system32\sysutil32.exe
O4 - HKCU\..\Run: [swg] C:\Program

Files\Google\GoogleToolbarNotifier\GoogleToolba

rNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program

Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program

Files\UnHackMe\hackmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting]

"C:\PROGRA~1\COMMON~1\MICROS~1

\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting]

"C:\PROGRA~1\COMMON~1\MICROS~1

\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed

Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0

\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk =

C:\Program Files\Microsoft Office\Office10

\OSA.EXE
O4 - Global Startup: Norton System Doctor.lnk =

C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: RAMASST.lnk =

C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &D&ownload &with

BitComet - res://C:\Program

Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all

video with BitComet - res://C:\Program

Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all

with BitComet - res://C:\Program

Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with

FlashGet - D:\Program\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with

FlashGet - D:\Program\FlashGet\jc_link.htm
O8 - Extra context menu item: &Windows Live

Search - res://C:\Program Files\Windows Live

Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search -

file:///C:\Program Files\Yahoo!

\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows

&Live Favorites -

http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to

Microsoft Excel - res://C:\PROGRA~1\MICROS~2

\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary

- file:///C:\Program Files\Yahoo!

\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps -

file:///C:\Program Files\Yahoo!

\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS -

file:///C:\Program Files\Yahoo!

\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-

11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-

68BC-4B02-94D6-2FC0DE4A7897} - C:\Program

Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-

4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program

Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206

(file missing)
O9 - Extra button: ?ì3μ - {D6E814A0-E0C5-11d4-

8D29-0050BA6940E3} -

D:\Program\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: ?ì3μ(FlashGet) -

{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} -

D:\Program\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-

11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger

- {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF:

START_PAGE_URL=http://www.singnet.com.sg
O15 - ESC Trusted Zone:

http://*.update.microsoft.com
O16 - DPF: {00B71CFB-6864-4346-A978-

C0A14556272C} (Checkers Class) -

http://messenger.zone.msn.com/binary/msgrchkr.

cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-

494B6333150B} (Minesweeper Flags Class) -

http://messenger.zone.msn.com/binary/MineSwee

per.cab31267.cab
O16 - DPF: {2B866353-E598-4403-8E4D-

B871AB30DC55} (Speed Class) -

http://www.singnet.com.sg/technical/helptools/m

edia/SpeedCtrl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-

115447494D24} (UnoCtrl Class) -

http://messenger.zone.msn.com/EN-MY/a-

UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-

4DFAD1796A8D} (MessengerStatsClient Class) -

http://messenger.zone.msn.com/binary/Messenge

rStatsClient.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-

B4171D8556A7} (PhotoPickConvert Class) -

http://appdirectory.messenger.msn.com/AppDirect

ory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-

3EE46475B072} (MessengerStatsClient Class) -

http://messenger.zone.msn.com/binary/Messenge

rStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-

444553540000} (Shockwave Flash Object) -

http://fpdownload2.macromedia.com/get/shockwa

ve/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-

F385591623AF} (Solitaire Showdown Class) -

http://messenger.zone.msn.com/binary/SolitaireS

howdown.cab31267.cab
O17 -

HKLM\System\CCS\Services\Tcpip\Parameters:

Domain = npstd.npnet.np.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName

= npstd.npnet.np.edu.sg
O17 - HKLM\System\CS1

\Services\Tcpip\Parameters: Domain =

npstd.npnet.np.edu.sg
O17 - HKLM\System\CS2

\Services\Tcpip\Parameters: Domain =

npstd.npnet.np.edu.sg
O17 - HKLM\System\CS3

\Services\Tcpip\Parameters: Domain =

npstd.npnet.np.edu.sg
O20 - Winlogon Notify: !SASWinLogon - C:\Program

Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr)

- Symantec Corporation - C:\Program

Files\Common Files\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation

(ccPwdSvc) - Symantec Corporation - C:\Program

Files\Common Files\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager

(ccSetMgr) - Symantec Corporation - C:\Program

Files\Common Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition

Watcher (DefWatch) - Symantec Corporation -

C:\Program Files\Symantec

AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita

Electric Industrial Co., Ltd. -

C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) -

Google - C:\Program

Files\Google\Common\Google

Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager

(IDriverT) - Macrovision Corporation - C:\Program

Files\Common Files\InstallShield\Driver\11\Intel

32\IDriverT.exe
O23 - Service: Macromedia Licensing Service -

Unknown owner - C:\Program Files\Common

Files\Macromedia Shared\Service\Macromedia

Licensing.exe
O23 - Service: Norton Unerase Protection

(NProtectService) - Symantec Corporation -

C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVRoam (SavRoam) - symantec -

C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service

(SNDSrvc) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service

(SoundMAX Agent Service (default)) - Analog

Devices, Inc. - C:\Program Files\Analog

Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) -

Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec

Corporation - C:\Program Files\Speed

Disk\nopdb.exe
O23 - Service: Symantec AntiVirus - Symantec

Corporation - C:\Program Files\Symantec

AntiVirus\Rtvscan.exe
O23 - Service: SecuROM User Access Service (V7)

(UserAccess7) - Unknown owner -

C:\WINDOWS\system32\UAService7.exe

--
End of file - 13261 bytes


----------------------------------------------------------------------------------------------------------------------------

Hope anyone out there could help me solve my fustrating problem and thanks you for sparing your precious time to read and help out with the problem.

yourock.gif hemingway11


LoPhatPhuud
Jun 22 2008, 06:40 PM
Your log is almost unreadable. When Notepad is open, select the 'Format' menu and make sure the Word wrap is turned off.


Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
hemingway11
Jun 25 2008, 08:58 AM
Sorry for the posting of the hijackthis log, I forgot to disable the wordwrap function OMG.gif
-----------------------------------------------------------------------------------------------------------------------------

Anyway, I had followed your suggestions mentioned above and it really helps! ( Thanks! :) ). My task manager is now back to normal and my shut down process has returned to normal. However, my language bar is still a headache to me. Thus, I am posting my ComboFix log as well as the new hijackthis log on for your further references.

=====================================================================

ComboFix Log


ComboFix 08-06-20.4 - Administrator 2008-06-25 14:32:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.156 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VVFKUWL4\www.inter-focus.cn
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VVFKUWL4\www.inter-focus.cn\flashad-v5-stop_firstput_mute.swf\IFFLASHAD.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VVFKUWL4\www.inter-focus.cn\flashad.swf\IFFLASHAD.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol
C:\Program Files\Common Files\misc001
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\Config.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.

2008-06-22 16:08 . 2008-06-22 16:09 134 --a------ C:\WINDOWS\rootkitno.ini
2008-06-22 16:00 . 2008-06-22 16:00 <DIR> d----c--- C:\RootkitNO
2008-06-22 15:35 . 2008-06-22 15:35 30,946 --a------ C:\WINDOWS\system32\drivers\Partizan.sys
2008-06-22 15:35 . 2008-06-22 15:35 25,088 --a------ C:\WINDOWS\system32\Partizan.exe
2008-06-22 13:14 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-06-22 13:13 . 2008-06-22 16:36 <DIR> d-------- C:\Program Files\UnHackMe
2008-06-22 13:13 . 2005-04-03 14:02 8,944 --a------ C:\WINDOWS\system32\drivers\UnHackMeDrv.sys
2008-06-22 13:02 . 2008-06-22 13:02 19,177 --a------ C:\WINDOWS\system32\rrt_is.wav
2008-06-22 13:02 . 2008-06-22 13:02 8,123 --a------ C:\WINDOWS\system32\rrt_vf.wav
2008-06-22 13:02 . 2008-06-22 13:02 8,093 --a------ C:\WINDOWS\system32\rrt_tv.wav
2008-06-22 13:02 . 2008-06-22 13:02 7,162 --a------ C:\WINDOWS\system32\rrt_tn.wav
2008-06-22 12:24 . 2004-08-04 00:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-06-22 12:24 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-06-22 12:24 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-06-22 12:24 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-06-22 12:24 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-06-22 12:23 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-06-22 12:23 . 2004-08-03 22:29 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-06-22 12:23 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-06-22 12:23 . 2004-08-03 22:29 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2008-06-22 12:23 . 2004-08-04 00:56 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2008-06-22 12:21 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-06-22 12:20 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-06-22 12:19 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-06-22 12:18 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-06-22 12:17 . 2001-08-17 12:50 198,144 --a--c--- C:\WINDOWS\system32\dllcache\nv3.sys
2008-06-22 12:16 . 2001-08-17 13:28 797,500 --a--c--- C:\WINDOWS\system32\dllcache\ltsmt.sys
2008-06-22 12:15 . 2001-08-17 13:28 727,786 --a--c--- C:\WINDOWS\system32\dllcache\ltck000c.sys
2008-06-22 12:14 . 2004-08-04 00:56 702,845 --a--c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2008-06-22 12:13 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-06-22 12:12 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-06-22 12:11 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-06-22 12:10 . 2001-08-17 13:28 714,698 --a--c--- C:\WINDOWS\system32\dllcache\cbmdmkxx.sys
2008-06-22 12:09 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-06-22 12:08 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-06-21 23:29 . 2008-06-21 23:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-21 23:29 . 2008-06-21 23:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-21 23:29 . 2008-06-21 23:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-21 23:28 . 2008-06-21 23:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 17:15 . 2008-06-21 17:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-21 14:02 . 2008-06-21 14:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-21 11:51 . 2008-06-21 11:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-21 11:51 . 2008-06-21 11:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-21 11:51 . 2008-06-21 11:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-21 11:51 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-21 11:51 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-21 10:32 . 2008-06-21 10:32 <DIR> d----c--- C:\EmergencyUtils
2008-06-21 10:18 . 2008-06-21 10:18 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-21 01:19 . 2008-06-21 01:20 <DIR> d-------- C:\Program Files\Panda Security
2008-06-21 00:25 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-06-21 00:25 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-06-20 17:59 . 2002-08-29 20:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_10021.nls
2008-06-20 17:59 . 2002-08-29 20:00 66,082 --------- C:\WINDOWS\system32\c_10021.nls
2008-06-20 17:59 . 2002-08-29 20:00 6,144 --a------ C:\WINDOWS\system32\ftlx041e.dll
2008-06-20 17:59 . 2002-08-29 20:00 6,144 --a--c--- C:\WINDOWS\system32\dllcache\ftlx041e.dll
2008-06-15 18:34 . 2008-06-15 19:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-06-15 17:54 . 2008-06-15 19:32 <DIR> d-------- C:\Program Files\MSECACHE
2008-06-15 16:45 . 2008-06-15 16:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-06-15 16:44 . 2008-06-15 16:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-06-15 16:43 . 2008-06-21 14:45 <DIR> d-------- C:\Program Files\Uniblue
2008-06-15 12:23 . 2008-06-15 12:23 15,398 --a------ C:\WINDOWS\system32\sztng.exe
2008-06-15 12:22 . 2008-06-15 12:22 12,864 --a------ C:\WINDOWS\system32\xrysmt.exe
2008-06-03 16:23 . 2008-06-03 16:23 <DIR> d-------- C:\Program Files\VS Revo Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 06:48 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-21 14:53 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-21 09:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-15 11:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-14 09:56 --------- d-----w C:\Program Files\lolifox
2008-06-06 15:08 --------- d-----w C:\Program Files\FlashGet
2008-05-17 11:42 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-17 11:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 04:12 --------- d-----w C:\Program Files\MSN Messenger
2008-05-07 12:29 --------- d-----w C:\Program Files\Java
2008-05-06 07:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Sony
2006-07-30 07:18 29,960 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2006-01-25 07:54 1,194 -c--a-w C:\Program Files\cinema.htm
2006-01-25 07:19 772 -c--a-w C:\Program Files\Untitled-1.htm
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-26 11:57 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PmProxy"="C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe" [2003-02-28 18:54 40960]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2003-04-16 11:01 258048]
"000StTHK"="000StTHK.exe" [2001-06-24 11:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-12-25 13:38 159744]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 09:00 126976]
"TFNF5"="TFNF5.exe" [2001-08-03 16:08 73728 C:\WINDOWS\system32\TFNF5.exe]
"Tpwrtray"="TPWRTRAY.EXE" [2002-12-11 01:49 237568 C:\WINDOWS\system32\TPWRTRAY.EXE]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 09:29 40960]
"Drag'n Drop CD+DVD"="C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe" [2003-01-10 07:54 991232]
"LTSMMSG"="LTSMMSG.exe" [2003-04-18 09:06 32768 C:\WINDOWS\ltsmmsg.exe]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 13:32 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 13:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 13:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 13:32 455168]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 15:56 143360]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-22 00:33 48800]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-05-28 04:06 85744]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-07 08:39 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-07 08:36 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 08:40 118784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"RRT-Auto"="C:\Documents and Settings\Administrator\Desktop\RRT\RRT.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Recylinder Check"="vdkvdqcfde.exe" []
"Wscript"="C:\WINDOWS\system32\sysutil32.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 16:01:04 83360]
Norton System Doctor.lnk - C:\Program Files\Norton Utilities\SYSDOC32.EXE [2005-05-16 03:10:42 24614]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-05-22 07:37:50 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Wscript REG_SZ C:\WINDOWS\system32\sysutil32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Microsoft Visual Studio .NET 2003\\Common7\\IDE\\devenv.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"D:\\Program\\FlashGet\\flashget.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12059:TCP"= 12059:TCP:BitComet 12059 TCP
"12059:UDP"= 12059:UDP:BitComet 12059 UDP
"65534:TCP"= 65534:TCP:BitComet 65534 TCP
"65534:UDP"= 65534:UDP:BitComet 65534 UDP
"15583:TCP"= 15583:TCP:BitComet 15583 TCP
"15583:UDP"= 15583:UDP:BitComet 15583 UDP
"21963:TCP"= 21963:TCP:BitComet 21963 TCP
"21963:UDP"= 21963:UDP:BitComet 21963 UDP

R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 22:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 22:41]
R2 VPCAppSv;Virtual PC Application Services;C:\WINDOWS\system32\DRIVERS\VPCAppSv.sys [2002-05-21 09:31]
R3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-06-22 15:35]
S3 AtmElan;ATM Emulated LAN;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2004-08-04 13:58]
S3 AtmLane;ATM LAN Emulation;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2004-08-04 13:58]
S3 W700bus;Sony Ericsson W700 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\W700bus.sys [2006-07-03 18:17]
S3 W700mdfl;Sony Ericsson W700 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\W700mdfl.sys [2006-07-03 18:17]
S3 W700mdm;Sony Ericsson W700 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\W700mdm.sys [2006-07-03 18:17]
S3 W700mgmt;Sony Ericsson W700 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\W700mgmt.sys [2006-07-03 18:17]
S3 W700obex;Sony Ericsson W700 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\W700obex.sys [2006-07-03 18:17]
S3 wlags48b;Wireless LAN PCCard Driver;C:\WINDOWS\system32\DRIVERS\wlags48b.sys [2002-06-28 07:29]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec5d0af0-c737-11db-9e2a-00c0a89a19c7}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-25 07:01:07 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"

s

€!?
\- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-06-25 06:47:52 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-15 11:49:59 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2008-06-15 11:49:12 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 14:48:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [3336] 0x8611C188

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Speed Disk\NOPDB.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Apoint2K\ApntEx.exe
.
**************************************************************************
.
Completion time: 2008-06-25 15:08:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-25 07:07:39

Pre-Run: 1,286,127,616 bytes free
Post-Run: 1,408,372,736 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

250 --- E O F --- 2008-06-14 15:13:15
=====================================================================

Hijackthis Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:04 PM, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\Program\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\Program\FlashGet\getflash.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Administrator\Desktop\RRT\RRT.exe auto
O4 - HKLM\..\RunServices: [Windows Recylinder Check] vdkvdqcfde.exe
O4 - HKLM\..\RunServices: [Wscript] C:\WINDOWS\system32\sysutil32.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - D:\Program\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program\FlashGet\jc_link.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: ?ì3μ - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: ?ì3μ(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.singnet.com.sg
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2B866353-E598-4403-8E4D-B871AB30DC55} (Speed Class) - http://www.singnet.com.sg/technical/helpto...a/SpeedCtrl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-MY/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = npstd.npnet.np.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 12903 bytes




----------------------------------------------------------------------------------------------------------------------------
Hope you will help me solve this last problems and thanks again for your selfless assistances.

***********yourock.gif LoPhatPhuud.**********

Thanks again!

From:heimingway11
LoPhatPhuud
Jun 25 2008, 09:49 PM
Your system is still heavily infected, including a backdoor trojan. Due to malicious damage and possible stealth installation, I normally recommend t hat your reformat and re-install. Change and passwords,etc, as they may have been compromised.

We can continue, but understand there is no guarantee that your system will be clean, safe andf usable. The choice is yours, but I strongly recommend backing up any valuable data, then wipe the drive and start over.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2010 Invision Power Services, Inc.