Full Version: Please Help Have Problem With Dilet.org On Laptop
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
lully
About three days ago I started to have a problem with my laptop: the bottom toolbar shows dilet.org and then a white screen, and I am unable to do anything. I have run Ad-Aware and am still having the same problems. Please can you help? Thanks, lully
miekiemoes
Hi,

Please do not attach your logs... but copy and paste them in the thread instead.

Uninstall Errorsafe Free via software > add/remove programs.

Reboot your computer afterwards.

I see some NOD32 related components running, although it is missing some processes, which makes me think this isn't the full version but a "ripped version", most probably installed by Hitman Pro.
Did you purchase NOD32? In case you didn't, and you're not planning to purchase it, uninstall it and install a free alternative instead.
For example, Avira Antivirus is a great free antivirus. Look in my signature below under Antivirus for the download.

Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILE.../ZSt2WKO8MDRVI=
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\arpl.exe
O4 - HKLM\..\Run: [was_check] C:\Program Files\ErrorSafe Free\PASmon.exe
O4 - HKLM\..\Run: [UERScw] C:\Program Files\ErrorSafe Free\UERScw.exe -c
O4 - HKCU\..\Run: [ErrorSafeFree] C:\Program Files\ErrorSafe Free\uers.exe /scan
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm027YYGB
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://www.viewpoint.co.kr/vet_install/MetaStream3.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then,

* Download ComboFix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), ComboFix will open again to gather the necessary information for the log. This may take a bit. When done, ComboFix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt unless I ask you to.
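The entries the helper ticks above are HijackThis browser-setting (R1/R3) and autostart/plug-in (O2/O4/O8/O16) lines. As an added example, not code from this thread, from HijackThis or from Lavasoft, here is a small Python triage script that parses those line formats and flags the same things the helper evidently keyed on: components registered with no file on disk, entries matching a watchlist of names drawn from this log (ErrorSafe, Starware, MyWebSearch, imgfarm; an assumed list, not one shipped with any tool), and non-default Internet Explorer start/search settings. The sample log is constructed from the lines in the post plus one benign AVG autostart entry, taken from the ComboFix output further down, for contrast.

```python
import re
from dataclasses import dataclass, field

# Name fragments taken from the entries the helper selected in the post above
# (ErrorSafe Free paths, Starware/MyWebSearch/imgfarm URLs). This is an assumed,
# illustrative watchlist, not a list shipped with HijackThis.
WATCHLIST = ("errorsafe", "starware", "mywebsearch", "imgfarm")

# A HijackThis line: a class code (R0-R3, F0-F3, N1-N4, O1-O24) and the entry body.
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
# Body of an O4 autostart entry: hive, value name in brackets, then the command.
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Constructed sample: the lines from the helper's post, plus one benign AVG
# autostart entry (seen in the ComboFix log below) for contrast.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILE.../ZSt2WKO8MDRVI=
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\arpl.exe
O4 - HKLM\..\Run: [was_check] C:\Program Files\ErrorSafe Free\PASmon.exe
O4 - HKCU\..\Run: [ErrorSafeFree] C:\Program Files\ErrorSafe Free\uers.exe /scan
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm027YYGB
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://www.viewpoint.co.kr/vet_install/MetaStream3.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
"""


@dataclass
class Finding:
    code: str
    body: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Split one HijackThis line into class code and body; None if it is not one."""
    m = LINE_RE.match(line.strip())
    return Finding(m.group("code"), m.group("body")) if m else None


def run_entry(body):
    """Decompose an O4 body into (hive, value name, command); None for other entries."""
    m = O4_RE.match(body)
    return (m.group("hive"), m.group("name"), m.group("cmd")) if m else None


def triage_entry(entry):
    low = entry.body.lower()
    # A registered BHO, hook or autostart whose file is gone is dead weight at best
    # and the remains of a partial removal at worst; HijackThis prints "(no file)".
    if low.endswith("(no file)"):
        entry.reasons.append("orphaned: registered component has no file on disk")
    hits = [w for w in WATCHLIST if w in low]
    if hits:
        entry.reasons.append("matches watchlist: " + ", ".join(hits))
    # R0-R3 lines are Internet Explorer start/search settings that differ from the
    # defaults, which is how a search hijack like the Starware URL shows up.
    if entry.code.startswith("R"):
        entry.reasons.append("non-default browser start/search setting; review the URL")
    return entry


def triage(log_text):
    """Return the entries that trip at least one rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and triage_entry(entry).reasons:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.body}")
        for r in f.reasons:
            print("   -", r)
```

On the sample, eight of the eleven lines are flagged. The `[gwiz] C:\WINDOWS\System32\arpl.exe` autostart is not caught by any of these rules even though the helper listed it: an unfamiliar Run entry with a plausible-looking path still needs a human, or a file-reputation lookup, to judge, which is why the helper asks for the whole log rather than a pre-filtered one.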
lully
Hello and many thanks for coming back to us so soon. We have performed all you have asked and will paste our logs from HijackThis and ComboFix into this reply. Thanks again.

Lully.

"User" - 2007-07-25 0:35:03 [GMT 1:00] - ComboFix 07-07-24.5 - Service Pack 1 NTFS
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\User\APPLIC~1.\Starware
C:\DOCUME~1\User\APPLIC~1.\Starware\Manager\ManagerOptions.xml
C:\DOCUME~1\User\APPLIC~1.\Starware\Manager\ManagerOptions.xml.backup
C:\DOCUME~1\User\APPLIC~1\FunWebProducts
C:\DOCUME~1\User\APPLIC~1\FunWebProducts\Data\User\avatar.dat
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images3288310.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images329FCB7.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images32A14DA.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\WINDOWS\system32\append.dll


((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))


2007-07-29 21:34 <DIR> d-------- C:\WINDOWS\pss
2007-07-29 20:57 557,056 --a------ C:\DOCUME~1\User\chatlnk.exe
2007-07-25 00:33 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-25 00:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-24 11:13 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Error Safe Free
2007-07-24 11:08 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-07-24 11:07 87,760 --a------ C:\DOCUME~1\User\APPLIC~1\errsafer.exe
2007-07-23 19:55 13,477 --a------ C:\dnsbak.reg
2007-07-22 20:36 322,968 --a------ C:\DOCUME~1\User\APPLIC~1\protector.exe
2007-07-21 17:58 8,704 --a------ C:\WINDOWS\system32\arpl.exe
2007-07-21 17:58 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\tiny


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-21 17:12:15 -------- d-----w C:\Program Files\Citrix
2007-06-17 20:04:23 -------- d-----w C:\Program Files\BOB Books
2007-06-07 10:31:23 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Samsung
2007-06-04 09:08:05 -------- d-----w C:\Program Files\MSN Messenger
2007-06-04 08:46:43 -------- d-----w C:\DOCUME~1\User\APPLIC~1\MSN6
2007-01-26 21:45:13 774,144 ----a-w C:\Program Files\RngInterstitial.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-24 23:07]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-05-31 18:37]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
C:\Program Files\btbb_wcm\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
ICO.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
"C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\WINDOWS\System32\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

R1 DMICall;Sony DMI Call service;C:\WINDOWS\System32\DRIVERS\DMICall.sys
R2 Sentinel;Sentinel;C:\WINDOWS\System32\Drivers\SENTINEL.SYS
R3 ati2mpab;ati2mpab;C:\WINDOWS\System32\DRIVERS\ati2mpab.sys
R3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\System32\DRIVERS\bridge.sys
R3 HSFHWVIA;HSFHWVIA;C:\WINDOWS\System32\DRIVERS\HSFHWVIA.sys
R3 USB_RNDIS;Thomson ST Remote NDIS Device Driver;C:\WINDOWS\System32\DRIVERS\usb8023.sys
S3 Bridge;MAC Bridge;C:\WINDOWS\System32\DRIVERS\bridge.sys
S3 cpuz;cpuz;\??\F:\cpu-z-130\cpuz.sys
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
S3 SNTNLUSB;Rainbow USB SuperPro;C:\WINDOWS\System32\DRIVERS\SNTNLUSB.SYS
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\System32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\System32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\System32\DRIVERS\ss_mdm.sys
S3 usb_rndisx;USB RNDIS Adapter;C:\WINDOWS\System32\DRIVERS\usb8023x.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c93bd70-da3e-11d7-b076-08004691be1e}]
play\command- C:\Program Files\InterVideo\WinDVD4\WinDVD.exe


Contents of the 'Scheduled Tasks' folder
2007-07-24 22:51:04 C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
2007-07-24 23:14:39 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-25 00:39:49
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"Logon User Name"="Administrator"
"CleanShutdown"=dword:00000001
"FaultCount"=dword:00000000
"FaultTime"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning]
"CD Recorder Drive"="\\?\Volume{0ccc1f12-eb95-11d6-860e-806d6172696f}\"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{0ccc1f12-eb95-11d6-860e-806d6172696f}]
"Drive Type"=dword:00000002
"CurrentCDWriteSpeed"=dword:ffffffff
"MaxCDWriteSpeed"=dword:00000010

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList]
"MRUList"="ba"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.log\OpenWithList]
"MRUList"="a"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData"="C:\Documents and Settings\Administrator\Application Data"
"Cookies"="C:\Documents and Settings\Administrator\Cookies"
"Desktop"="C:\Documents and Settings\Administrator\Desktop"
"Favorites"="C:\Documents and Settings\Administrator\Favorites"
"NetHood"="C:\Documents and Settings\Administrator\NetHood"
"Personal"="C:\Documents and Settings\Administrator\My Documents"
"PrintHood"="C:\Documents and Settings\Administrator\PrintHood"
"Recent"="C:\Documents and Settings\Administrator\Recent"
"SendTo"="C:\Documents and Settings\Administrator\SendTo"
"Start Menu"="C:\Documents and Settings\Administrator\Start Menu"
"Templates"="C:\Documents and Settings\Administrator\Templates"
"Programs"="C:\Documents and Settings\Administrator\Start Menu\Programs"
"Startup"="C:\Documents and Settings\Administrator\Start Menu\Programs\Startup"
"Local Settings"="C:\Documents and Settings\Administrator\Local Settings"
"Local AppData"="C:\Documents and Settings\Administrator\Local Settings\Application Data"
"Cache"="C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files"
"History"="C:\Documents and Settings\Administrator\Local Settings\History"
"My Pictures"="C:\Documents and Settings\Administrator\My Documents\My Pictures"
"My Music"="C:\Documents and Settings\Administrator\My Documents\My Music"
"Administrative Tools"="C:\Documents and Settings\Administrator\Start Menu\Programs\Administrative Tools"
"CD Burning"="C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\CD Burning"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WebView\BarricadedFolders]
"shell:ControlPanelFolder"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"NoNetAutodial"=dword:00000000
"EnableAutodial"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1804"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1601"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=""C:\Program Files\Messenger\msmsgs.exe" /background"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"DllName"=str(2):"(null)ystemRoot\resources\Themes\luna\luna.msstyles"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\LastTheme]
"Wallpaper"=str(2):"(null)ystemRoot\VAIO Serenus Wallpaper TrueColor 1280X768.bmp"
"DisplayName of Modified"="Windows XP (Modified)"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\1\Shell]
"Vid"="{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"
"Mode"=dword:00000006
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\26\Shell]
"WinPos1024x768(1).left"=dword:00000042
"WinPos1024x768(1).top"=dword:00000057
"WinPos1024x768(1).right"=dword:00000362
"WinPos1024x768(1).bottom"=dword:000002af
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\DUIBags\ShellFolders\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}]
"ExpandDetailsTasks"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@netcfgx.dll,-50001"="Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks."
"@netcfgx.dll,-50003"="Allows other computers to access resources on your computer using a Microsoft network."
"@netcfgx.dll,-50015"="Quality of Service Packet Scheduler. This component provides network traffic control, including rate-of-flow and prioritization services."
"@netcfgx.dll,-50002"="Allows your computer to access resources on a Microsoft network."
"@shell32.dll,-31150"="USERPROFILE\Start Menu\Programs\Internet Explorer.lnk"
"@shell32.dll,-31151"="ALLUSERSPROFILE\Start Menu\Programs\Get Online with MSN.lnk"
"@shell32.dll,-31152"="ALLUSERSPROFILE\Start Menu\Programs\MSN Explorer.lnk"
"@shell32.dll,-31153"="USERPROFILE\Start Menu\Programs\Windows Media Player.lnk"
"@shell32.dll,-31154"="ALLUSERSPROFILE\Start Menu\Programs\Accessories\Windows Movie Maker.lnk"
"@shell32.dll,-31155"="USERPROFILE\Start Menu\Programs\Accessories\Tour Windows XP.lnk"
"@shell32.dll,-31156"="ALLUSERSPROFILE\Start Menu\Programs\Accessories\System Tools\Files and Settings Transfer Wizard.lnk"
"@explorer.exe,-7024"="Internet"
"@explorer.exe,-7025"="E-mail"
"@explorer.exe,-7021"="&Help and Support"
"@explorer.exe,-7020"="&Search"
"@explorer.exe,-7023"="&Run..."
"C:\sysprep\factory.exe"="Factory pre-installation utility"
"C:\sysprep\sysprep.exe"="sysprep utility"
"@C:\WINDOWS\inf\unregmp2.exe,-9903"="AIFF Format Sound"
"@C:\WINDOWS\inf\unregmp2.exe,-9904"="AU Format Sound"
"@C:\WINDOWS\inf\unregmp2.exe,-9905"="Video Clip"
"@C:\WINDOWS\System32\shimgvw.dll,-304"="Bitmap Image"
"@"C:\Program Files\Windows NT\Accessories\WORDPAD.EXE",-209"="Wordpad Document"
"@C:\WINDOWS\System32\shimgvw.dll,-301"="EMF Image"
"@C:\WINDOWS\System32\shimgvw.dll,-302"="GIF Image"
"@C:\WINDOWS\System32\shimgvw.dll,-303"="JPEG Image"
"@C:\WINDOWS\inf\unregmp2.exe,-10001"="M3U file"
"@C:\WINDOWS\inf\unregmp2.exe,-10002"="MP3 Format Sound"
"@C:\WINDOWS\System32\shimgvw.dll,-305"="PNG Image"
"@"C:\Program Files\Windows NT\Accessories\WORDPAD.EXE",-190"="Rich Text Document"
"@C:\WINDOWS\System32\shimgvw.dll,-306"="TIF Image"
"@C:\WINDOWS\inf\unregmp2.exe,-9908"="Wave Sound"
"@C:\WINDOWS\System32\shimgvw.dll,-307"="WMF Image"
"@C:\WINDOWS\System32\msxml3r.dll,-1"="XML Document"
"@C:\WINDOWS\System32\msxml3r.dll,-2"="XSL Stylesheet"
"@themeui.dll,-2037"="{Tahoma, 8 pt}"
"@themeui.dll,-2038"="{Tahoma, 8 pt}"
"@themeui.dll,-2039"="{Tahoma, 8 pt}"
"@themeui.dll,-2040"="{Tahoma, 8 pt}"
"@themeui.dll,-2041"="{Tahoma, 8 pt}"
"@themeui.dll,-2042"="{Tahoma, 8 pt}"
"@themeui.dll,-2017"="Windows XP"
"@themeui.dll,-2016"="Windows Classic"
"@themeui.dll,-2015"="More themes online..."
"@C:\WINDOWS\system32\SHELL32.dll,-8503"="S&earch..."
"@C:\WINDOWS\system32\mycomput.dll,-400"="Mana&ge"
"@shell32.dll,-31232"="System Tasks"
"@shell32.dll,-31294"="View system information"
"@shell32.dll,-31327"="Add or remove programs"
"@shell32.dll,-31312"="Change a setting"
"@C:\WINDOWS\system32\SHELL32.dll,-22913"="Shows the disk drives and hardware connected to this computer."
"@shell32.dll,-31317"="System Tasks"
"@shell32.dll,-31319"="Show the contents of this drive"
"@shell32.dll,-31292"="Search for files or folders"
"C:\WINDOWS\System32\logon.scr"="Logon Screen Saver"
"D:\security update\vm-sfix3.exe"="Microsoft VM Security Update"
"@(null)ystemRoot\system32\shell32.dll,-22534"="Performs text-based (command-line) functions."
"C:\WINDOWS\regedit.exe"="Registry Editor"
"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Set3.tmp"="InstallShield ® Setup Launcher"
"C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe"="InstallShield ® Setup Engine"
"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\set4.tmp"="InstallShield ® Setup Launcher"
"@shell32.dll,-31323"="Show the contents of this folder"
"@shell32.dll,-31283"="Picture Tasks"
"@shell32.dll,-31287"="View as a slide show"
"@shell32.dll,-31313"="Order prints online"
"@shell32.dll,-31391"="Print pictures"
"@shell32.dll,-31379"="Copy all items to CD"
"@shell32.dll,-31352"="Copy to CD"
"@shell32.dll,-31234"="These tasks apply to the files and folders you select."
"@shell32.dll,-31250"="Print this file"
"@shell32.dll,-30498"="Files and Folders"
"@shell32.dll,-30506"="Remember each folder's view settings"
"@shell32.dll,-30497"="Show Control Panel in My Computer"
"@shell32.dll,-30507"="Launch folder windows in a separate process"
"@shell32.dll,-30517"="Do not cache thumbnails"
"@shell32.dll,-30514"="Display file size information in folder tips"
"@shell32.dll,-30511"="Display simple folder view in Explorer's Folders list"
"@shell32.dll,-30499"="Hidden files and folders"
"@shell32.dll,-30501"="Do not show hidden files and folders"
"@shell32.dll,-30500"="Show hidden files and folders"
"@shell32.dll,-30503"="Hide extensions for known file types"
"@shell32.dll,-30509"="Automatically search for network folders and printers"
"@shell32.dll,-30513"="Restore previous folder windows at logon"
"@shell32.dll,-30512"="Show encrypted or compressed NTFS files in color"
"@shell32.dll,-30504"="Display the full path in the title bar"
"@shell32.dll,-30505"="Display the full path in the address bar"
"@shell32.dll,-30502"="Show pop-up description for folder and desktop items"
"@shell32.dll,-30518"="Use simple file sharing (Recommended)"
"@shell32.dll,-30508"="Hide protected operating system files (Recommended)"
"@shell32.dll,-30510"="Display the contents of system folders"
"@shell32.dll,-31275"="This section displays the size, file type, and other information about a selected item."
"@shdoclc.dll,-866"="Related"
"@shdoclc.dll,-864"="Show &Related Links"
"@shdoclc.dll,-865"="Shows links related to the current page."
"@shell32.dll,-31273"="These links open other folders and take you quickly to useful places."
"@shell32.dll,-31321"="Hide the contents of this drive"
"C:\WINDOWS\System32\WScript.exe"="Microsoft ® Windows Based Script Host"
"@shell32.dll,-31325"="Hide the contents of this folder"
"C:\WINDOWS\system32\mshta.exe"="Microsoft ® HTML Application host"
"@shell32.dll,-12710"="&Run"
"@C:\Program Files\MSN\MSNCoreFiles\MSNMTLLC.DLL,-3501"="MSN Explorer"
"@shell32.dll,-30488"="Control Panel"
"@shell32.dll,-30492"="Don't display this item"
"@shell32.dll,-30491"="Display as a menu"
"@shell32.dll,-30490"="Display as a link"
"@shell32.dll,-30475"="Enable dragging and dropping"
"@shell32.dll,-30484"="Favorites menu"
"@shell32.dll,-30480"="My Computer"
"@shell32.dll,-30485"="My Documents"
"@shell32.dll,-30487"="My Music"
"@shell32.dll,-30486"="My Pictures"
"@shell32.dll,-30482"="Network Connections"
"@shell32.dll,-30495"="Display as Connect to menu"
"@shell32.dll,-30494"="Link to Network Connections Folder"
"@shell32.dll,-30515"="System Administrative Tools"
"@shell32.dll,-30478"="Display on the All Programs menu and the Start menu"
"@shell32.dll,-30479"="Display on the All Programs menu"
"@shell32.dll,-30489"="Help and Support"
"@shell32.dll,-30481"="My Network Places"
"@shell32.dll,-30516"="Manufacturer Link"
"@shell32.dll,-30493"="Printers and Faxes"
"@shell32.dll,-30483"="Run command"
"@shell32.dll,-30496"="Search"
"@shell32.dll,-30471"="Scroll Programs"
"@shell32.dll,-12691"="My Recent Documents"
"C:\remove\CLEANREG\MSGBOXW.EXE"="MSGBOXW"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""

scanning hidden files ...

scan completed successfully
hidden files: 0
"@shell32.dll,-31155"="USERPROFILE\Start Menu\Programs\Accessories\Tour Windows XP.lnk"
"@shell32.dll,-31156"="ALLUSERSPROFILE\Start Menu\Programs\Accessories\System Tools\Files and Settings Transfer Wizard.lnk"
"@explorer.exe,-7024"="Internet"
"@explorer.exe,-7025"="E-mail"
"@explorer.exe,-7021"="&Help and Support"
"@explorer.exe,-7020"="&Search"
"@explorer.exe,-7023"="&Run..."
"C:\sysprep\factory.exe"="Factory pre-installation utility"
"C:\sysprep\sysprep.exe"="sysprep utility"
"@C:\WINDOWS\inf\unregmp2.exe,-9903"="AIFF Format Sound"
"@C:\WINDOWS\inf\unregmp2.exe,-9904"="AU Format Sound"
"@C:\WINDOWS\inf\unregmp2.exe,-9905"="Video Clip"
"@C:\WINDOWS\System32\shimgvw.dll,-304"="Bitmap Image"
"@"C:\Program Files\Windows NT\Accessories\WORDPAD.EXE",-209"="Wordpad Document"
"@C:\WINDOWS\System32\shimgvw.dll,-301"="EMF Image"
"@C:\WINDOWS\System32\shimgvw.dll,-302"="GIF Image"
"@C:\WINDOWS\System32\shimgvw.dll,-303"="JPEG Image"
"@C:\WINDOWS\inf\unregmp2.exe,-10001"="M3U file"
"@C:\WINDOWS\inf\unregmp2.exe,-10002"="MP3 Format Sound"
"@C:\WINDOWS\System32\shimgvw.dll,-305"="PNG Image"
"@"C:\Program Files\Windows NT\Accessories\WORDPAD.EXE",-190"="Rich Text Document"
"@C:\WINDOWS\System32\shimgvw.dll,-306"="TIF Image"
"@C:\WINDOWS\inf\unregmp2.exe,-9908"="Wave Sound"
"@C:\WINDOWS\System32\shimgvw.dll,-307"="WMF Image"
"@C:\WINDOWS\System32\msxml3r.dll,-1"="XML Document"
"@C:\WINDOWS\System32\msxml3r.dll,-2"="XSL Stylesheet"
"@themeui.dll,-2037"="{Tahoma, 8 pt}"
"@themeui.dll,-2038"="{Tahoma, 8 pt}"
"@themeui.dll,-2039"="{Tahoma, 8 pt}"
"@themeui.dll,-2040"="{Tahoma, 8 pt}"
"@themeui.dll,-2041"="{Tahoma, 8 pt}"
"@themeui.dll,-2042"="{Tahoma, 8 pt}"
"@themeui.dll,-2017"="Windows XP"
"@themeui.dll,-2016"="Windows Classic"
"@themeui.dll,-2015"="More themes online..."
"@C:\WINDOWS\system32\SHELL32.dll,-8503"="S&earch..."
"@C:\WINDOWS\system32\mycomput.dll,-400"="Mana&ge"
"@shell32.dll,-31232"="System Tasks"
"@shell32.dll,-31294"="View system information"
"@shell32.dll,-31327"="Add or remove programs"
"@shell32.dll,-31312"="Change a setting"
"@C:\WINDOWS\system32\SHELL32.dll,-22913"="Shows the disk drives and hardware connected to this computer."
"@shell32.dll,-31317"="System Tasks"
"@shell32.dll,-31319"="Show the contents of this drive"
"@shell32.dll,-31292"="Search for files or folders"
"C:\WINDOWS\System32\logon.scr"="Logon Screen Saver"
"D:\security update\vm-sfix3.exe"="Microsoft VM Security Update"
"@(null)ystemRoot\system32\shell32.dll,-22534"="Performs text-based (command-line) functions."
"C:\WINDOWS\regedit.exe"="Registry Editor"
"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Set3.tmp"="InstallShield ® Setup Launcher"
"C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe"="InstallShield ® Setup Engine"
"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\set4.tmp"="InstallShield ® Setup Launcher"
"@shell32.dll,-31323"="Show the contents of this folder"
"@shell32.dll,-31283"="Picture Tasks"
"@shell32.dll,-31287"="View as a slide show"
"@shell32.dll,-31313"="Order prints online"
"@shell32.dll,-31391"="Print pictures"
"@shell32.dll,-31379"="Copy all items to CD"
"@shell32.dll,-31352"="Copy to CD"
"@shell32.dll,-31234"="These tasks apply to the files and folders you select."
"@shell32.dll,-31250"="Print this file"
"@shell32.dll,-30498"="Files and Folders"
"@shell32.dll,-30506"="Remember each folder's view settings"
"@shell32.dll,-30497"="Show Control Panel in My Computer"
"@shell32.dll,-30507"="Launch folder windows in a separate process"
"@shell32.dll,-30517"="Do not cache thumbnails"
"@shell32.dll,-30514"="Display file size information in folder tips"
"@shell32.dll,-30511"="Display simple folder view in Explorer's Folders list"
"@shell32.dll,-30499"="Hidden files and folders"
"@shell32.dll,-30501"="Do not show hidden files and folders"
"@shell32.dll,-30500"="Show hidden files and folders"
"@shell32.dll,-30503"="Hide extensions for known file types"
"@shell32.dll,-30509"="Automatically search for network folders and printers"
"@shell32.dll,-30513"="Restore previous folder windows at logon"
"@shell32.dll,-30512"="Show encrypted or compressed NTFS files in color"
"@shell32.dll,-30504"="Display the full path in the title bar"
"@shell32.dll,-30505"="Display the full path in the address bar"
"@shell32.dll,-30502"="Show pop-up description for folder and desktop items"
"@shell32.dll,-30518"="Use simple file sharing (Recommended)"
"@shell32.dll,-30508"="Hide protected operating system files (Recommended)"
"@shell32.dll,-30510"="Display the contents of system folders"
"@shell32.dll,-31275"="This section displays the size, file type, and other information about a selected item."
"@shdoclc.dll,-866"="Related"
"@shdoclc.dll,-864"="Show &Related Links"
"@shdoclc.dll,-865"="Shows links related to the current page."
"@shell32.dll,-31273"="These links open other folders and take you quickly to useful places."
"@shell32.dll,-31321"="Hide the contents of this drive"
"C:\WINDOWS\System32\WScript.exe"="Microsoft ® Windows Based Script Host"
"@shell32.dll,-31325"="Hide the contents of this folder"
"C:\WINDOWS\system32\mshta.exe"="Microsoft ® HTML Application host"
"@shell32.dll,-12710"="&Run"
"@C:\Program Files\MSN\MSNCoreFiles\MSNMTLLC.DLL,-3501"="MSN Explorer"
"@shell32.dll,-30488"="Control Panel"
"@shell32.dll,-30492"="Don't display this item"
"@shell32.dll,-30491"="Display as a menu"
"@shell32.dll,-30490"="Display as a link"
"@shell32.dll,-30475"="Enable dragging and dropping"
"@shell32.dll,-30484"="Favorites menu"
"@shell32.dll,-30480"="My Computer"
"@shell32.dll,-30485"="My Documents"
"@shell32.dll,-30487"="My Music"
"@shell32.dll,-30486"="My Pictures"
"@shell32.dll,-30482"="Network Connections"
"@shell32.dll,-30495"="Display as Connect to menu"
"@shell32.dll,-30494"="Link to Network Connections Folder"
"@shell32.dll,-30515"="System Administrative Tools"
"@shell32.dll,-30478"="Display on the All Programs menu and the Start menu"
"@shell32.dll,-30479"="Display on the All Programs menu"
"@shell32.dll,-30489"="Help and Support"
"@shell32.dll,-30481"="My Network Places"
"@shell32.dll,-30516"="Manufacturer Link"
"@shell32.dll,-30493"="Printers and Faxes"
"@shell32.dll,-30483"="Run command"
"@shell32.dll,-30496"="Search"
"@shell32.dll,-30471"="Scroll Programs"
"@shell32.dll,-12691"="My Recent Documents"
"C:\remove\CLEANREG\MSGBOXW.EXE"="MSGBOXW"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-25 0:40:53
C:\ComboFix-quarantined-files.txt ... 2007-07-25 00:40

--- E O F ---



QUOTE(miekiemoes @ Jul 24 2007, 11:11 AM) *
Hi,

Please do not attach your logs... but copy and paste them in the thread instead.

Uninstall Errorsafe Free via software > add/remove programs.

Reboot your computer afterwards.

I see some NOD32 related components running, although it misses some processes, which makes me think this isn't the full version, but a "ripped version" most probably installed by Hitman Pro.
Did you purchase NOD32? In case you didn't, and you're not planning to purchase it, uninstall it and install a free Alternative instead.
For example, Avira Antivirus is a great free Antivirus. Look in my signature below under Antivirus for the download.

Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILE.../ZSt2WKO8MDRVI=
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\arpl.exe
O4 - HKLM\..\Run: [was_check] C:\Program Files\ErrorSafe Free\PASmon.exe
O4 - HKLM\..\Run: [UERScw] C:\Program Files\ErrorSafe Free\UERScw.exe -c
O4 - HKCU\..\Run: [ErrorSafeFree] C:\Program Files\ErrorSafe Free\uers.exe /scan
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm027YYGB
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://www.viewpoint.co.kr/vet_install/MetaStream3.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then,

* Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
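Added example, not part of this thread and not code from HijackThis or ComboFix: a small Python triage script that reads HijackThis-style entries the way the helper's fix list above reads them. It separates orphaned entries ("(no file)", safe to clean), autorun entries that launch a program on an analyst-supplied unwanted list (here "ErrorSafe" and "arpl.exe", taken from the fix list above), and URL entries (R1 search pages, O8 context menu items, O16 ActiveX downloads) whose host is not on an analyst-supplied allowlist. The sample lines are copied from the fix list above, plus one constructed benign MSMSGS autorun for contrast; the `unwanted_names` and `trusted_hosts` values are assumptions an analyst would supply, not values from the page.

```python
"""Triage HijackThis-style log lines the way a helper reads a fix list.

Orphaned entries (no file on disk) are safe cleanup; autoruns that launch a
program on an analyst-supplied unwanted list need removal; URL entries are
checked against an analyst-supplied host allowlist.  Added example, not
HijackThis or ComboFix code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Sample entries: all but the MSMSGS line are copied from the helper's fix
# list in this thread; the MSMSGS line is a constructed benign autorun.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\arpl.exe
O4 - HKLM\..\Run: [was_check] C:\Program Files\ErrorSafe Free\PASmon.exe
O4 - HKCU\..\Run: [ErrorSafeFree] C:\Program Files\ErrorSafe Free\uers.exe /scan
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://www.viewpoint.co.kr/vet_install/MetaStream3.cab
"""


@dataclass
class Entry:
    section: str                   # HijackThis section code, e.g. "R1", "O4", "O16"
    body: str                      # everything after "<section> - "
    hive: Optional[str] = None     # O4 only: HKLM / HKCU
    name: Optional[str] = None     # O4 only: value name shown in [...]
    command: Optional[str] = None  # O4 only: command line that is launched
    url: Optional[str] = None      # first http(s) URL embedded in the entry


ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<command>.+)$")
URL_RE = re.compile(r"https?://\S+")


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis log line; return None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(section=m["section"], body=m["body"])
    if entry.section == "O4":
        o4 = O4_RE.match(entry.body)
        if o4:
            entry.hive, entry.name, entry.command = o4["hive"], o4["name"], o4["command"]
    u = URL_RE.search(entry.body)
    if u:
        entry.url = u.group(0)
    return entry


def triage(log_text: str, unwanted_names: List[str],
           trusted_hosts: List[str]) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) pairs for entries a helper would want to act on."""
    kinds = {"R1": "search/start page", "O8": "context menu item",
             "O16": "ActiveX download (DPF)"}
    findings: List[Tuple[Entry, str]] = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        # A registered hook/BHO whose file is gone is a leftover: safe to remove.
        if "(no file)" in entry.body:
            findings.append((entry, "orphaned entry: registered component has no file on disk"))
            continue
        # Autoruns: match the launched command against the analyst's unwanted list.
        if entry.section == "O4" and entry.command:
            cmd = entry.command.lower()
            hit = next((n for n in unwanted_names if n.lower() in cmd), None)
            if hit:
                findings.append((entry, f"autorun launches a program on the unwanted list ({hit})"))
            continue
        # URL-bearing entries: anything outside the allowlist needs a decision.
        if entry.url:
            host = urlparse(entry.url).hostname or ""
            if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
                kind = kinds.get(entry.section, "URL entry")
                findings.append((entry, f"{kind} points at untrusted host {host}"))
    return findings


if __name__ == "__main__":
    # Assumed analyst-supplied lists (names from the thread's fix list; allowlist is an example).
    for entry, reason in triage(SAMPLE_LOG, ["ErrorSafe", "arpl.exe"], ["microsoft.com"]):
        print(f"{entry.section:<4} {reason}")
```

Running it lists seven findings for the eight sample lines and leaves the constructed MSMSGS autorun alone; the orphaned R3 and O2 entries are reported separately from the three ErrorSafe/arpl.exe autoruns, which matches the split the helper makes between "just fix it" entries and entries that need an uninstall or a file scan first.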
miekiemoes
Hello,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

QUOTE
File::
C:\DOCUME~1\User\APPLIC~1\errsafer.exe
C:\WINDOWS\system32\arpl.exe

Folder::
C:\DOCUME~1\User\APPLIC~1\Error Safe Free



Save this as a txt file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Can you also answer my question whether you purchased NOD32 or not? Because I see you disabled it via msconfig as well.

Also, Go to next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\DOCUMENTS AND SETTINGS\User\chatlnk.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

Do the same for:

C:\DOCUMENTS AND SETTINGS\User\APPLICATION DATA\protector.exe
miekiemoes
Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.