Please Advise - Everything Started With Xp Antivirus 2008

Hi guys,

This is my log, and the sympthoms are as follows:

1. the red biohazard screen with the "Your privvacy is in danger" - this might be associated with O24 (down below) - even if I check fix-it it will come back;

2. IE hijacked;

3. taskmgr, regedit and screen properties "disabled by the administrator"

4. system partition not visible in My computer (though, if I type in windows explorer c:\, it works!)

5. DVD dissapeared

I'm running XP SP2, installed around 1 year ago. I'm "protected" by Bitdefender AV 2008 (installed 2 months ago), and the trouble started when XP Antivirus 2008 (4 months old virus) appeared on my PC without being detected by my AV 2-3 days ago.

In the first day, I had the possibility to manually edit the registries and get rid (also manually) of XPA.exe. But the stuff that came with it, it is still resident.

Thanks for any help!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:33: VIRUS ALERT!, on 6/29/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Temp\WdfTemp\Microsoft Kernel-Mode Driver Framework Install-v1.5-WinXP.exe

e:\34bfa5dfdcf2e9bc829166e90a\update\update.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: QXK Olive - {2D5C76A5-703E-454A-9143-4C5353CA43F5} - C:\WINDOWS\ksendlbtlgs.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\DVDXST~1\DVDXUT~1.6\DVDGhost\DVDGHO~1.DLL

O21 - SSODL: xvorfwbd - {60026B58-C9EA-40F4-A780-746CB50601CB} - C:\WINDOWS\xvorfwbd.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Business 2007\Win32\RpcDataSrv.exe

O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Business 2007\RpcSandraSrv.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

End of file - 8713 bytes

Find more posts tagged with

Comments

rootkit

Download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then close all running programs, including web browser, instant messenger, etc and then run ComboFix.

It will ask you whether it should start cleaning or not. Press 1 and hit Enter. Don't stop it while running. While doing this your screen may disappear but don't worry, it's a normal behaviour.

At the end ComboFix will generate a log file. Save it and post it here.

Niels

Hello thunderer,

In addition what crysty2k5 asked you. Please download also smitfraudfix. Save it at your desktop. Double click on it select 1 and press enter to create a scan report. Normally you will find it at the root of your hard disk in other words click on start,my computer there you should find rapport. Post the scan report at your next post.

Kind regards,

Niels

thunderer

Hi Guys

Here are the logs as requested

COMBOFIX

ComboFix 08-06-20.4 - Usual 2008-06-30 13:03:08.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1563 [GMT -7:00]

Running from: C:\Documents and Settings\Usual\Desktop\BIT\Support\ComboFix.exe

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\Usual\Application Data\inst.exe

C:\WINDOWS\ksendlbtlgs.dll

C:\WINDOWS\privacy_danger

C:\WINDOWS\privacy_danger\images\capt.gif

C:\WINDOWS\privacy_danger\images\danger.jpg

C:\WINDOWS\privacy_danger\images\down.gif

C:\WINDOWS\privacy_danger\images\spacer.gif

C:\WINDOWS\privacy_danger\index.htm

C:\WINDOWS\wpvmqosg.dll

C:\WINDOWS\xvorfwbd.dll

((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))

2008-06-29 17:20 . 2008-06-29 17:20 <DIR> d-------- C:\Program Files\Trend Micro

2008-06-28 14:26 . 2008-06-28 14:27 250 --a------ C:\WINDOWS\gmer.ini

2008-06-26 21:38 . 2008-06-26 21:38 <DIR> d-------- C:\Program Files\Panda Security

2008-06-26 21:07 . 2008-06-26 21:08 <DIR> d-------- C:\Program Files\Common Files\PC Tools

2008-06-26 21:07 . 2008-06-26 21:07 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\PC Tools

2008-06-26 21:07 . 2008-06-26 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools

2008-06-26 21:07 . 2008-04-10 15:14 159,880 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys

2008-06-22 18:26 . 2008-06-26 20:58 <DIR> d-------- C:\Program Files\RogueRemover FREE

2008-06-22 17:45 . 2008-06-22 17:45 <DIR> d--h----- C:\WINDOWS\$hf_mig$

2008-06-22 17:41 . 2008-06-22 17:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\BitDefender

2008-06-22 13:45 . 2008-06-22 13:45 0 --a------ C:\WINDOWS\system32\ieupdates.exe.tmp

2008-06-22 11:20 . 2008-06-22 11:20 <DIR> d-------- C:\Documents and Settings\Usual\RescuePRO

2008-06-22 11:13 . 2008-06-22 17:13 <DIR> d-------- C:\Program Files\RescuePRO Deluxe

2008-06-22 11:08 . 2008-06-22 04:04 81,920 --a------ C:\WINDOWS\neltabxw.exe

2008-06-17 18:44 . 2008-06-17 19:10 <DIR> d-------- C:\Program Files\Photo Collage Creator

2008-06-16 21:19 . 2008-06-16 21:19 <DIR> d-------- C:\Documents and Settings\Usual\Application Data\Thinstall

2008-06-10 19:33 . 2008-06-10 19:33 <DIR> d-------- C:\temps

2008-06-07 10:20 . 2008-06-07 10:20 51,712 --a------ C:\WINDOWS\wc98pp.dll

2008-06-06 21:46 . 2008-06-06 21:46 <DIR> d-------- C:\Program Files\FireFly Studios

2008-06-02 20:38 . 2008-06-02 20:46 <DIR> d-------- C:\Program Files\Backgammon Classic 4

2008-06-02 20:32 . 2008-06-02 20:32 128 --ah----- C:\Documents and Settings\Usual\microsoft.dat

2008-05-25 18:43 . 2008-05-25 18:43 <DIR> d-------- C:\Program Files\GSpot

2008-05-25 18:30 . 2004-08-03 16:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

2008-05-25 18:28 . 2008-06-21 14:57 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

2008-05-19 16:31 . 2008-05-19 16:31 <DIR> d-------- C:\Program Files\TrafficCounter

2008-05-17 12:55 . 2008-06-18 19:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-05-17 12:55 . 2008-05-17 12:55 1,409 --a------ C:\WINDOWS\QTFont.for

2008-05-12 18:53 . 2008-05-12 18:53 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll

2008-05-12 18:53 . 2008-05-12 18:53 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe

2008-05-12 18:53 . 2008-05-12 18:53 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb

2008-05-12 18:51 . 2008-05-12 18:51 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll

2008-05-12 18:51 . 2008-05-12 18:51 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll

2008-05-12 18:49 . 2008-05-12 18:49 630,784 --a------ C:\WINDOWS\system32\divxdec.ax

2008-05-12 18:49 . 2008-05-12 18:49 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe

2008-05-12 18:49 . 2008-05-12 18:49 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

2008-05-11 16:34 . 2008-05-11 16:34 <DIR> d-------- C:\Program Files\BitDefender

2008-05-11 16:34 . 2008-05-11 16:34 <DIR> d-------- C:\Documents and Settings\Usual\Application Data\Bitdefender

2008-05-11 16:34 . 2008-05-11 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender

2008-05-11 16:33 . 2008-05-11 16:34 <DIR> d-------- C:\Program Files\Common Files\BitDefender

2008-05-11 15:42 . 2008-05-11 15:42 <DIR> d-------- C:\Documents and Settings\Usual\Application Data\ESET

2008-05-08 20:28 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg

2008-05-08 20:18 . 2008-05-11 15:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-06-28 03:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-06-28 03:57 --------- d-----w C:\Program Files\Spyware Doctor

2008-06-23 06:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet

2008-06-07 04:46 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-05-26 01:47 --------- d-----w C:\Program Files\DivX

2008-05-26 01:35 --------- d-----w C:\Program Files\ffdshow

2008-05-26 01:30 --------- d-----w C:\Program Files\Windows Media Connect 2

2008-05-25 02:58 --------- d-----w C:\Documents and Settings\Usual\Application Data\Vso

2008-05-24 17:55 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll

2008-05-19 22:57 --------- d-----w C:\Program Files\CommTraffic

2007-08-12 02:29 11,114 ----a-w C:\Documents and Settings\All Users\Application Data\MainApp.dll

2007-06-16 23:45 47,360 ----a-w C:\Documents and Settings\Usual\Application Data\pcouffin.sys

2007-06-16 23:43 81,920 ----a-w C:\Documents and Settings\Usual\Application Data\ezpinst.exe

2006-06-23 14:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-03-13 11:43 81920]

"RTHDCPL"="RTHDCPL.EXE" [2007-03-20 23:49 16126464 C:\WINDOWS\RTHDCPL.exe]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-03-13 11:42 8425472]

"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-06-09 14:24 360448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"<NO NAME>"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 16:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-22 19:30:37 692224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"xvorfwbd"= {60026B58-C9EA-40F4-A780-746CB50601CB} - C:\WINDOWS\xvorfwbd.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=C:\PROGRA~1\DVDXST~1\DVDXUT~1.6\DVDGhost\DVDGHO~1.DLL

"LoadAppInit_Dlls"=-1 (0xffffffff)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msvideo7"= STV680tg.dll

"msacm.ac3filter"= ac3filter.acm

"msacm.avis"= ff_acm.acm

"vidc.xvid"= xvid.dll

"msacm.mpegacm"= mpegacm.acm

"msacm.ulmp3acm"= ulmp3acm.acm

"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk

backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Usual^Start Menu^Programs^Startup^Traffic Counter.lnk]

path=C:\Documents and Settings\Usual\Start Menu\Programs\Startup\Traffic Counter.lnk

backup=C:\WINDOWS\pss\Traffic Counter.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

--a------ 2007-05-10 22:46 624248 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]

--a------ 2008-02-24 20:12 2476408 C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2007-05-11 03:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]

C:\Program Files\Softwin\BitDefender10\bdagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDefender Antiphishing Helper]

--a------ 2007-10-09 15:46 61440 C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D_V_T]

C:\\dvt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

--a------ 2006-03-20 17:34 213936 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

--a------ 2006-05-18 11:29 49152 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2007-03-13 11:42 8425472 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2007-03-13 11:43 1622016 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--------- 2005-12-07 22:57 30208 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]

C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra------ 2007-06-08 15:18 23233576 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]

--a------ 2008-01-23 16:47 847872 C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]

--a------ 2008-04-18 14:30 3628080 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"E:\\Gamez\\Age of Empires III\\age3x.exe"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

"E:\\Gamez\\Age of Empires III\\age3y.exe"=

"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 20:27]

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-10 15:14]

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-14 23:12]

S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 19:17]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bdx REG_MULTI_SZ scan

*Newly Created Service* - 2F306EAD

*Newly Created Service* - 40E4DE43

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder

"2008-06-13 23:52:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-30 13:05:52

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2008-06-30 13:07:21

ComboFix-quarantined-files.txt 2008-06-30 20:06:51

Pre-Run: 56,630,915,072 bytes free

Post-Run: 56,664,055,808 bytes free

200

________________________________________________________________________________

_____________________________________________

and the SmitFraudFix rapport

SmitFraudFix v2.328

Scan done at 13:09:38.34, Mon 06/30/2008

Run from C:\Documents and Settings\Usual\Desktop\BIT\Support\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\NOTEPAD.EXE

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Usual\Desktop\BIT\Support\SmitfraudFix\Policies.exe

C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 hk.digitaltrends.com

127.0.0.1 microsoft.com.org

127.0.0.1 www.www.microsoft.com.org

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\neltabxw.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Usual

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Usual\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Usual\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix