Automatic Restarting

maiemax02

New Member
Hi guys, I'm having trouble with regards to my PC automatically restarting whenever I use the command prompt. Whenever I type in a command and press Enter, my PC will just automatically restart.

I performed the tests in ***************IMPORTANT: Please read before posting******************** but still the issue persists.

Here are the logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:06 AM, on 4/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAP\DAP.EXE
C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [ChikkaDefault] C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O4 - Startup: Yahoo Messenger.lnk = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 9355 bytes


Malwarebytes' Anti-Malware 1.36
Database version: 2045
Windows 5.1.2600 Service Pack 3

4/27/2009 1:28:15 AM
mbam-log-2009-04-27 (01-28-15).txt

Scan type: Quick Scan
Objects scanned: 76385
Time elapsed: 4 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


I'd be very thankful to anyone who can help. :D
 
Hello:

Download and Run ComboFix
If you already have ComboFix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened, we want to know, and also what process you had to end.

In your next reply I will need:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
Hey dude, thank you very much. I actually did what you told me to and here are the results:

1.)
ComboFix 09-04-25.A3 - kiriranshelo 04/27/2009 1:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1506 [GMT 4.5:30]
Running from: c:\documents and settings\kiriranshelo\My Documents\My Completed Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mdm.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-26 21:05 . 2009-04-26 21:05 -------- d-----w c:\program files\Trend Micro
2009-04-26 20:40 . 2009-04-26 20:40 -------- d-----w c:\documents and settings\kiriranshelo\Application Data\Malwarebytes
2009-04-26 20:40 . 2009-04-06 11:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-26 20:40 . 2009-04-06 11:02 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-26 20:40 . 2009-04-26 20:42 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-26 20:40 . 2009-04-26 20:40 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-25 11:00 . 2009-04-25 11:00 -------- d-----w C:\logs
2009-04-25 11:00 . 2009-04-25 11:00 -------- d-----w c:\documents and settings\kiriranshelo\ChikkaDefault
2009-04-25 11:00 . 2009-04-25 11:00 -------- d-----w c:\program files\Chikka Messenger
2009-04-24 19:07 . 2009-04-24 19:07 30 --sha-r c:\windows\pc-off.bat
2009-04-21 14:54 . 2009-04-21 14:54 754 ----a-w c:\windows\WORDPAD.INI
2009-04-19 16:05 . 2009-04-19 16:05 -------- d-----w c:\windows\Sun
2009-04-19 11:34 . 2008-03-02 16:10 742220 ----a-w c:\windows\system32\xvidcore.dll
2009-04-19 11:34 . 2007-03-09 05:07 139264 ----a-w c:\windows\system32\viscomqtde.dll
2009-04-19 11:34 . 2007-03-09 05:06 81920 ----a-w c:\windows\system32\viscomwave.dll
2009-04-19 11:34 . 2007-03-09 05:06 856064 ----a-w c:\windows\system32\mpgfiltr.ax
2009-04-19 11:34 . 2007-03-09 05:05 208896 ----a-w c:\windows\system32\VideoEdit.ocx
2009-04-19 11:34 . 2005-11-25 03:16 421888 ----a-w c:\windows\system32\RealMediaSplitter.ax
2009-04-19 11:34 . 2004-09-05 22:36 53248 ----a-w c:\windows\system32\xvid.ax
2009-04-19 11:34 . 2004-07-03 03:38 139264 ----a-w c:\windows\system32\xvidvfw.dll
2009-04-19 11:34 . 2009-04-19 11:34 -------- d-----w c:\program files\Plato Video To 3GP Converter
2009-04-19 11:18 . 2009-04-19 11:18 -------- d-----w c:\program files\YouTube Downloader
2009-04-18 19:01 . 2009-04-18 19:01 -------- d-----w c:\documents and settings\kiriranshelo\Local Settings\Application Data\Identities
2009-04-17 20:13 . 2009-04-17 20:13 -------- d-----w c:\program files\MySQL
2009-04-17 20:13 . 2009-04-17 20:13 -------- d-----w c:\documents and settings\All Users\Application Data\MySQL
2009-04-17 14:08 . 2009-04-17 14:08 126 ----a-w c:\windows\mdm.ini
2009-04-17 14:08 . 2009-04-17 14:08 288 ----a-w c:\windows\ODBC.INI
2009-04-17 14:01 . 2009-04-17 14:01 -------- d-----w c:\program files\Web Publish
2009-04-15 15:52 . 2009-04-15 15:52 -------- d-----w c:\documents and settings\kiriranshelo\Local Settings\Application Data\Adobe
2009-04-15 03:02 . 2009-04-15 03:02 -------- d-----w c:\program files\uTorrent
2009-04-15 03:02 . 2009-04-21 15:00 -------- d-----w c:\documents and settings\kiriranshelo\Application Data\uTorrent
2009-04-15 00:59 . 2009-04-26 19:14 -------- d-----w c:\documents and settings\kiriranshelo\Application Data\Moyea
2009-04-15 00:59 . 2004-08-30 23:55 438272 ----a-w c:\windows\system32\vp6vfw.dll
2009-04-15 00:59 . 2009-04-15 00:59 -------- d-----w c:\program files\Moyea
2009-04-14 20:59 . 2009-04-14 20:59 -------- d-----w c:\documents and settings\kiriranshelo\Local Settings\Application Data\Ahead
2009-04-14 18:28 . 2003-12-05 13:25 36864 ----a-w c:\windows\system32\EGameEncrypt.dll
2009-04-14 18:28 . 2003-03-19 08:50 1060864 ----a-w c:\windows\system32\MFC71.dll
2009-04-14 14:27 . 2009-04-14 14:27 0 ----a-w c:\windows\nsreg.dat
2009-04-14 14:27 . 2009-04-14 14:27 -------- d-----w c:\documents and settings\kiriranshelo\Local Settings\Application Data\Mozilla
2009-04-14 14:00 . 2009-04-14 14:00 -------- d-----w c:\documents and settings\kiriranshelo\Local Settings\Application Data\Yahoo
2009-04-14 13:58 . 2009-04-14 13:58 -------- d-----w c:\documents and settings\kiriranshelo\Application Data\Yahoo!
2009-04-14 13:58 . 2009-04-14 13:58 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-04-14 13:56 . 2009-04-14 14:00 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-14 13:56 . 2009-04-14 13:58 -------- d-----w c:\program files\Yahoo!
2009-04-14 13:55 . 2009-04-14 13:55 -------- d-----w c:\documents and settings\kiriranshelo\Local Settings\Application Data\Google
2009-04-14 13:53 . 2009-04-21 13:24 -------- d-----w c:\program files\Google
2009-04-14 12:52 . 2009-04-22 18:06 -------- d-----w c:\documents and settings\kiriranshelo\Application Data\LimeWire
2009-04-14 12:51 . 2009-04-14 12:51 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-14 12:51 . 2009-04-14 12:51 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-14 12:51 . 2009-04-14 12:51 -------- d-----w c:\program files\Java
2009-04-14 12:43 . 2009-04-14 12:52 -------- d-----w c:\program files\LimeWire
2009-04-14 12:34 . 2009-04-26 21:00 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-14 12:33 . 2009-04-14 12:33 -------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2009-04-14 12:33 . 2009-04-14 12:33 50688 ----a-w c:\windows\system32\wbhelp2.dll
2009-04-14 12:33 . 2009-04-14 12:33 479298 ----a-w c:\windows\system32\wbocx.ocx
2009-04-14 12:33 . 2009-04-14 12:33 172032 ----a-w c:\windows\system32\AniGIF.ocx
2009-04-14 12:33 . 2009-04-14 13:03 -------- d-----w c:\program files\DAP
2009-04-14 12:33 . 2009-04-14 12:33 -------- d-----w c:\program files\AskSBar
2009-04-14 12:30 . 2009-04-24 08:07 -------- d--h--w C:\$AVG8.VAULT$
2009-04-14 12:25 . 2008-04-13 23:45 26368 -c--a-w c:\windows\system32\dllcache\usbstor.sys
2009-04-14 12:23 . 2009-04-14 12:23 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-14 12:23 . 2009-04-14 12:23 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-14 12:23 . 2009-04-14 12:23 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-14 12:23 . 2009-04-26 04:20 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-14 12:23 . 2009-04-14 19:57 -------- d-----w c:\documents and settings\kiriranshelo\Application Data\AVGTOOLBAR
2009-04-14 12:23 . 2009-04-14 12:23 -------- d-----w c:\program files\AVG
2009-04-14 12:23 . 2009-04-14 12:23 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-14 06:55 . 2009-04-14 06:57 -------- d--h--w c:\program files\Zero G Registry
2009-04-14 06:55 . 2009-04-14 06:55 -------- d-----w c:\program files\THQ
2009-04-14 06:55 . 2009-04-14 06:55 -------- d--h--w c:\documents and settings\kiriranshelo\InstallAnywhere
2009-04-13 15:47 . 2009-04-13 15:47 -------- d-----w c:\program files\EA GAMES
2009-04-13 13:55 . 2009-04-14 07:37 -------- d-----w c:\program files\Common Files\EasyInfo
2009-04-13 13:46 . 2009-04-13 13:46 -------- d-----w c:\program files\Common Files\Adobe
2009-04-13 11:28 . 2009-04-13 11:28 -------- d-----w c:\documents and settings\All Users\Application Data\LightScribe
2009-04-13 11:02 . 2009-04-25 12:56 69 ----a-w c:\windows\NeroDigital.ini
2009-04-13 10:58 . 2009-04-13 10:59 -------- d-----w c:\program files\Common Files\LightScribe
2009-04-13 10:57 . 2009-04-13 10:57 -------- d-----w c:\documents and settings\kiriranshelo\Application Data\Nero
2009-04-13 10:56 . 2009-04-13 10:57 -------- d-----w c:\program files\Common Files\Nero
2009-04-13 10:56 . 2009-04-13 10:56 -------- d-----w c:\program files\Nero
2009-04-13 10:56 . 2009-04-13 10:56 -------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-04-13 10:42 . 2009-04-13 10:42 -------- d-----w c:\program files\AGEIA Technologies
2009-04-13 10:42 . 2009-04-13 10:42 -------- d-----w c:\windows\system32\AGEIA
2009-04-13 10:41 . 2009-04-13 10:41 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-13 10:41 . 2009-04-26 21:00 206492 ----a-w c:\windows\system32\nvapps.xml
2009-04-13 10:41 . 2009-04-13 10:41 -------- d-----w c:\windows\nview
2009-04-13 10:41 . 2008-12-25 16:08 453152 ----a-w c:\windows\system32\nvudisp.exe
2009-04-13 10:41 . 2008-12-25 16:08 18725 ----a-w c:\windows\system32\nvdisp.nvu
2009-04-13 10:39 . 2009-04-13 10:39 940794 ----a-w c:\windows\system32\LoopyMusic.wav
2009-04-13 10:39 . 2009-04-13 10:39 146650 ----a-w c:\windows\system32\BuzzingBee.wav
2009-04-13 10:39 . 2009-04-13 10:39 -------- d-----w c:\windows\system32\Lang
2009-04-13 10:37 . 2008-04-02 01:27 1196032 ------r c:\windows\RtlUpd.exe
2009-04-13 10:35 . 2008-02-26 09:55 9417 ----a-r c:\windows\system32\nvide.nvu
2009-04-13 10:34 . 2008-12-23 17:28 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-04-13 10:33 . 2008-04-13 21:35 20992 -c--a-w c:\windows\system32\dllcache\rtl8139.sys
2009-04-13 10:33 . 2008-04-13 21:35 20992 ----a-w c:\windows\system32\drivers\RTL8139.sys
2009-04-13 10:32 . 2009-04-13 10:32 12328 ----a-w c:\documents and settings\kiriranshelo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 03:35 . 2009-04-15 10:23 130 ----a-w C:\debug.txt
2009-04-17 13:48 . 2009-04-17 13:48 2678 ----a-w c:\windows\java\Packages\Data\CRNBLBRB.DAT
2009-04-17 13:48 . 2009-04-17 13:48 2678 ----a-w c:\windows\java\Packages\Data\D3XZH31J.DAT
2009-04-17 13:48 . 2009-04-17 13:48 2678 ----a-w c:\windows\java\Packages\Data\BB5BNVPZ.DAT
2009-04-17 13:48 . 2009-04-17 13:48 2678 ----a-w c:\windows\java\Packages\Data\847L73LR.DAT
2009-04-14 18:28 . 2009-04-13 10:37 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-14 13:13 . 2009-04-14 13:12 -------- d-----w c:\documents and settings\kiriranshelo\Application Data\Winamp
2009-04-14 13:13 . 2009-04-14 13:12 -------- d-----w c:\program files\Winamp
2009-04-13 10:48 . 2009-04-07 15:03 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-13 10:37 . 2009-04-13 10:37 -------- d-----w c:\program files\Realtek
2009-04-13 10:37 . 2009-04-13 10:37 315392 ----a-w c:\windows\HideWin.exe
2009-04-13 10:37 . 2009-04-13 10:37 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-13 10:37 . 2009-04-13 10:37 -------- d-----w c:\program files\AMD
2009-04-13 10:37 . 2009-04-13 10:37 -------- d-----w c:\documents and settings\kiriranshelo\Application Data\InstallShield
2009-04-07 15:05 . 2009-04-07 15:05 -------- d-----w c:\program files\microsoft frontpage
2009-04-07 15:02 . 2009-04-07 15:02 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-04-07 15:01 . 2009-04-07 15:01 -------- d-----w c:\program files\Windows Media Connect 2
.

------- Sigcheck -------

[-] 2008-07-12 19:20 1614848 362BC5AF8EAF712832C58CC13AE05750 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2009-04-14 12:33 66912 ----a-w c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-08-22 2363392]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-21 39408]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2009-04-14 3061248]
"ChikkaDefault"="c:\progra~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe" [2007-08-28 36864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-25 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-25 86016]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-14 1932568]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-14 136600]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-04-10 16861184]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-12-25 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\kiriranshelo\Start Menu\Programs\Startup\
Winamp.lnk - c:\program files\Winamp\winamp.exe [2009-3-9 1433952]
Yahoo Messenger.lnk - c:\program files\Yahoo!\Messenger\YahooMessenger.exe [2009-4-14 4363504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-14 12:23 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-14 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-14 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-14 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-14 298264]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20d96bbe-27f7-11de-b37f-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{54af874e-2b5c-11de-83ab-0022b0ce0f54}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{54af874f-2b5c-11de-83ab-0022b0ce0f54}]
\SheLL\AutOPlay\coMmanD - F:\
\SheLL\AutoRun\command - password_viewer.exe %1
\SheLL\exPLOrE\ComManD - password_viewer.exe %1
\SheLL\OPEn\commAnd - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70d03974-30fb-11de-83c8-0022b0ce0f54}]
\Shell\AutoRun\command - E:\password_viewer.exe %1
\Shell\Explore\command - E:\password_viewer.exe %1
\Shell\Open\command - E:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70d03976-30fb-11de-83c8-0022b0ce0f54}]
\Shell\AutoRun\command - E:\password_viewer.exe %1
\Shell\Explore\command - E:\password_viewer.exe %1
\Shell\Open\command - E:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{919a0c0e-2ccb-11de-83b4-0022b0ce0f54}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1a7f587-28e6-11de-839a-0022b0ce0f54}]
\Shell\AutoRun\command - E:\password_viewer.exe %1
\Shell\Explore\command - E:\password_viewer.exe %1
\Shell\Open\command - E:\password_viewer.exe %1

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.speedbit.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\kiriranshelo\Application Data\Mozilla\Firefox\Profiles\4tdr46ai.default\
FF - prefs.js: browser.search.selectedEngine - Searchme
FF - prefs.js: browser.startup.homepage - hxxp://www.searchme.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-27 01:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
Completion time: 2009-04-26 1:58
ComboFix-quarantined-files.txt 2009-04-26 21:28

Pre-Run: 230,036,127,744 bytes free
Post-Run: 230,267,187,200 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

254

2.)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:34 AM, on 4/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [ChikkaDefault] C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O4 - Startup: Yahoo Messenger.lnk = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 8446 bytes

3.)
Well, I tried typing some commands in the command prompt and it's working fine now. Thank you :D One more thing: can you please explain to me which malware caused this, how, and if this ever happens again or to another PC, can I do the same process (i.e. Malwarebytes, HijackThis, then ComboFix) or is there anything else I need to know/do?

Very much appreciated, dude :D
 
Hey man, glad you got it sorted; Respital's a cool guy. When you posted in the other thread and I replied, it sounded like the .bat file pc-off was your problem, and it seems ComboFix caught it.
Here's the line from ComboFix; it seems you got it 3 days ago:
2009-04-24 19:07 . 2009-04-24 19:07 30 --sha-r c:\windows\pc-off.bat

and password_viewer.exe:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{54af874e-2b5c-11de-83ab-0022b0ce0f54}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{54af874f-2b5c-11de-83ab-0022b0ce0f54}]
\SheLL\AutOPlay\coMmanD - F:\
\SheLL\AutoRun\command - password_viewer.exe %1
\SheLL\exPLOrE\ComManD - password_viewer.exe %1
\SheLL\OPEn\commAnd - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70d03974-30fb-11de-83c8-0022b0ce0f54}]
\Shell\AutoRun\command - E:\password_viewer.exe %1
\Shell\Explore\command - E:\password_viewer.exe %1
\Shell\Open\command - E:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70d03976-30fb-11de-83c8-0022b0ce0f54}]
\Shell\AutoRun\command - E:\password_viewer.exe %1
\Shell\Explore\command - E:\password_viewer.exe %1
\Shell\Open\command - E:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{919a0c0e-2ccb-11de-83b4-0022b0ce0f54}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1a7f587-28e6-11de-839a-0022b0ce0f54}]
\Shell\AutoRun\command - E:\password_viewer.exe %1
\Shell\Explore\command - E:\password_viewer.exe %1
\Shell\Open\command - E:\password_viewer.exe %1
 
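The MountPoints2 entries quoted in the reply above are what Windows keeps after it has read an autorun.inf from a removable drive: a Shell\AutoRun, Shell\Open or Shell\Explore command that points at an executable on the stick, here password_viewer.exe on E: and F:, and in one key the names are written in mixed case. As an added example (not code from the thread, from ComboFix or from any of the tools named in it), the Python script below parses a dump in that layout, flags the entries a USB autorun worm leaves behind (executable targets, case-mangled key names, commands without a drive letter), lists the drive letters involved so the sticks themselves get cleaned, and emits reg.exe lines to drop the cached keys. The sample dump is constructed for the example: the first three keys follow the shape of the entries quoted above, the all-zero GUID entry is a made-up benign one for contrast. Deleting the whole {guid} key is this example's own choice, not something the thread states, and the optional winreg reader only works on Windows.

```python
"""Triage a ComboFix-style MountPoints2 dump for cached autorun.inf verbs.

Added example, not part of the thread. It reads the
  [HKEY_CURRENT_USER\...\mountpoints2\{guid}]
  \Shell\<verb>\command - <value>
layout quoted above and flags what a USB autorun worm leaves behind.
"""
import re
from collections import defaultdict

# Constructed sample dump. The last key (all-zero GUID) is a made-up benign
# AutoPlay entry; the others mirror the shape of the entries in the thread.
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{54af874e-2b5c-11de-83ab-0022b0ce0f54}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{54af874f-2b5c-11de-83ab-0022b0ce0f54}]
\SheLL\AutOPlay\coMmanD - F:\
\SheLL\AutoRun\command - password_viewer.exe %1
\SheLL\exPLOrE\ComManD - password_viewer.exe %1
\SheLL\OPEn\commAnd - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70d03974-30fb-11de-83c8-0022b0ce0f54}]
\Shell\AutoRun\command - E:\password_viewer.exe %1
\Shell\Explore\command - E:\password_viewer.exe %1
\Shell\Open\command - E:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000000}]
\Shell\AutoPlay\command - E:\
"""

KEY_RE = re.compile(r"^\[HKEY_\w+\\.*\\mountpoints2\\(\{[0-9A-Fa-f-]+\})\]$", re.IGNORECASE)
VAL_RE = re.compile(r"^(\\\S+)\s+-\s+(.*)$")
# Casing Explorer itself uses for these verbs (matches the unmangled entries above).
CANONICAL_VERBS = {"autorun": "AutoRun", "open": "Open", "explore": "Explore", "autoplay": "AutoPlay"}
EXEC_EXT = (".exe", ".bat", ".cmd", ".com", ".pif", ".scr", ".vbs", ".js")
MP2 = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"


def parse_dump(text):
    """Return {guid: [(subkey, command), ...]} from dump text in the layout above."""
    entries = defaultdict(list)
    guid = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            guid = m.group(1).lower()
            entries.setdefault(guid, [])  # key may have no verb lines at all
            continue
        m = VAL_RE.match(line)
        if m and guid:
            entries[guid].append((m.group(1), m.group(2).strip()))
    return dict(entries)


def analyze(entries):
    """One finding per suspicious Shell\\<verb>\\command entry, with the reasons."""
    findings = []
    for guid, pairs in entries.items():
        for subkey, command in pairs:
            parts = subkey.strip("\\").split("\\")
            if len(parts) != 3 or parts[0].lower() != "shell" or parts[2].lower() != "command":
                continue  # not a verb command line
            verb = parts[1].lower()
            reasons = []
            canonical = CANONICAL_VERBS.get(verb)
            if canonical is None:
                reasons.append(f"unexpected verb {parts[1]!r}")
            elif subkey != f"\\Shell\\{canonical}\\command":
                # Registry key names are case-insensitive, so the mangled key still
                # fires while defeating case-sensitive string matching.
                reasons.append("case-mangled key name")
            words = command.split()
            target = words[0].strip('"') if words else ""
            if target.lower().endswith(EXEC_EXT):
                reasons.append(f"{verb} launches {target}")
                if not re.match(r"^[A-Za-z]:\\", target):
                    reasons.append("no drive letter, so it follows the stick to any mount point")
            if reasons:
                findings.append({"guid": guid, "subkey": subkey, "command": command, "reasons": reasons})
    return findings


def implicated_drives(findings):
    """Drive letters named in flagged commands: those volumes need cleaning too."""
    letters = set()
    for f in findings:
        m = re.match(r"^([A-Za-z]):\\", f["command"])
        if m:
            letters.add(m.group(1).upper() + ":")
    return sorted(letters)


def remediation_commands(findings):
    """reg.exe lines removing each flagged {guid} key (assumption: dropping the
    whole cached key is acceptable; Explorer repopulates it on the next mount)."""
    return [f'reg delete "{MP2}\\{g}" /f' for g in sorted({f["guid"] for f in findings})]


def read_live_mountpoints():
    """Same {guid: [(subkey, command)]} structure read from a live Windows registry."""
    import winreg  # Windows only; ImportError elsewhere
    out = defaultdict(list)
    base = MP2.split("\\", 1)[1]
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            guid = winreg.EnumKey(root, i)
            try:
                shell = winreg.OpenKey(root, guid + r"\Shell")
            except OSError:
                continue
            with shell:
                for j in range(winreg.QueryInfoKey(shell)[0]):
                    verb = winreg.EnumKey(shell, j)  # stored casing is preserved
                    try:
                        cmd = winreg.QueryValue(shell, verb + r"\command")
                    except OSError:
                        continue
                    out[guid.lower()].append((f"\\Shell\\{verb}\\command", cmd))
    return dict(out)


if __name__ == "__main__":
    found = analyze(parse_dump(SAMPLE_DUMP))
    for f in found:
        print(f["guid"], f["subkey"], "->", f["command"], "|", "; ".join(f["reasons"]))
    print("drives to clean:", implicated_drives(found))
    print("\n".join(remediation_commands(found)))
```

Run it against a saved ComboFix or regedit export to get the list of keys and drive letters; on the infected machine itself, `analyze(read_live_mountpoints())` gives the same result without a dump. Removing the MountPoints2 keys only clears the cached verbs on the PC; the autorun.inf and password_viewer.exe on the E: and F: sticks are what reinfect the next machine they are plugged into.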