botanyrox (Private; Joined: Oct 13, 2007; Posts: 35)
Posted: Fri Jul 25, 2008 1:25 am
Heya again,
Erm, I am sorry but I do not have my CD, and I think I only have a Recovery CD. I got this maybe 2 years ago, and no, I don't hear any unusual sound.
Do I have to buy a new laptop now? ^^; Heh.
Oh yeah, and is it okay to proceed to Kaspersky without backing up files? I don't wanna lose my files, but if I move all the important ones to Drive D, is that okay?
Thank you again.
MauriceN (1st Responder, Premium Member; Joined: May 20, 2006; Posts: 1035; Location: USA)
Posted: Fri Jul 25, 2008 1:53 pm
No, you won't have to buy a new notebook pc. I was concerned that possibly there's a hardware issue with the disk drive.
Please proceed forward with the Kaspersky online scan as per my reply of Thursday the 24th. The scan does not remove anything, but it is a very good check for malware, and produces a report I want to see.
_________________
~Maurice Naggar
MS-MVP
botanyrox (Private; Joined: Oct 13, 2007; Posts: 35)
Posted: Sat Jul 26, 2008 6:15 pm
Thank you. ^_^ I'm sorry it took long. It took me a while to finish installing/updating Kaspersky, plus I encountered a problem with ComboFix + the Windows boot-up disk.
When I combined ComboFix + the file, it says the file may have been corrupted, download again. So I restarted, deleted both files, then I redownloaded both. Same thing. I am unable to do it then, I'm sorry. =\
Here is the Kaspersky log anyway. Thank you again.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, July 27, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, July 26, 2008 13:40:14
Records in database: 1011049
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Files scanned: 66516
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:34:02
File name / Threat name / Threats count
D:\transfer files\Downloads\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
D:\transfer files\Downloads\mirc631.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
D:\Program Files\Granado Espada\release\xtrap\XTrap.xt Infected: Trojan.Win32.BHO.fex 1
The selected area was scanned.
MauriceN (1st Responder, Premium Member; Joined: May 20, 2006; Posts: 1035; Location: USA)
Posted: Sat Jul 26, 2008 6:48 pm
I only just want to find out what may have happened. You did 2 separate downloads, correct?
Did you drag with your mouse and then drop the MS Windows XP setup file onto the ComboFix icon?
I am simply curious as to what you mean by "combined" the files.
We're going to use OTMoveIt2 to remove some files.
Please download OTMoveIt2 by OldTimer and save it to your Desktop.
With your mouse, highlight and then do a Right-click | Copy of the entire list of file entries in the Code box below:
Code:
D:\transfer files\Downloads\mirc616.exe
D:\transfer files\Downloads\mirc631.exe
D:\Program Files\Granado Espada\release\xtrap\XTrap.xt
- Start OTMoveit2.
- Right click in the "Paste List of Files/Folders to be moved" window (under the light blue bar ) and choose Paste.
- Click the red Moveit! button.
- A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
- Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=
Delete any other copy of ComboFix that you may have left.
Make sure no other programs or windows are open.
Start ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
=
I'm asking you re-try to get ComboFix one last time.
Download Combofix from any of the links below, and SAVE it to your Desktop.
Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your Desktop and not run straight away from download **
-------------------------------------------------------
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Double click Combo-Fix.exe on your Desktop to start it.
- A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
Note:
Do not mouseclick combofix's window nor run any program while Combofix is running.
That may cause it to stall.
A file will be created at => C:\Combofix.txt.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
And you have to tell me: how is your system now?
_________________
~Maurice Naggar
MS-MVP
botanyrox (Private; Joined: Oct 13, 2007; Posts: 35)
Posted: Mon Jul 28, 2008 11:59 am
Thank you again. ^_^ Here ya go:
OTMoveIt2 log:
D:\transfer files\Downloads\mirc616.exe moved successfully.
D:\transfer files\Downloads\mirc631.exe moved successfully.
D:\Program Files\Granado Espada\release\xtrap\XTrap.xt moved successfully.
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07272008_195331
Combofix log:
ComboFix 08-07-26.1 - MOTHER OF ALL 2008-07-27 21:16:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.224 [GMT 8:00]
Running from: C:\Documents and Settings\MOTHER OF ALL\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-06-27 to 2008-07-27 )))))))))))))))))))))))))))))))
.
2008-07-27 19:53 . 2008-07-27 19:53 <DIR> d-------- C:\_OTMoveIt
2008-07-26 21:16 . 2008-07-26 21:52 16 --a------ C:\WINDOWS\popcinfo.dat
2008-07-26 21:08 . 2008-07-26 21:08 <DIR> d-------- C:\Program Files\PopCap Games
2008-07-26 21:08 . 2008-07-26 21:08 <DIR> d-------- C:\PopCap Games
2008-07-26 21:08 . 2008-07-26 21:52 20 --a------ C:\WINDOWS\popcinfot.dat
2008-07-26 21:08 . 2008-07-26 21:08 0 --a------ C:\WINDOWS\popcreg.dat
2008-07-24 19:44 . 2008-07-24 19:45 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-24 19:30 . 2008-07-24 20:06 <DIR> d-------- C:\SDFix
2008-07-24 17:15 . 2008-07-24 17:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 17:15 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-24 17:15 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-22 22:19 . 2008-07-22 22:19 <DIR> d-------- C:\Deckard
2008-07-22 19:32 . 2008-07-22 19:32 268 --ah----- C:\sqmdata19.sqm
2008-07-22 19:32 . 2008-07-22 19:32 244 --ah----- C:\sqmnoopt19.sqm
2008-07-22 07:18 . 2008-07-22 07:18 268 --ah----- C:\sqmdata18.sqm
2008-07-22 07:18 . 2008-07-22 07:18 244 --ah----- C:\sqmnoopt18.sqm
2008-07-20 13:46 . 2008-07-20 13:46 268 --ah----- C:\sqmdata17.sqm
2008-07-20 13:46 . 2008-07-20 13:46 244 --ah----- C:\sqmnoopt17.sqm
2008-07-20 12:05 . 2008-07-20 12:05 268 --ah----- C:\sqmdata16.sqm
2008-07-20 12:05 . 2008-07-20 12:05 244 --ah----- C:\sqmnoopt16.sqm
2008-07-19 10:46 . 2008-07-19 10:46 268 --ah----- C:\sqmdata15.sqm
2008-07-19 10:46 . 2008-07-19 10:46 244 --ah----- C:\sqmnoopt15.sqm
2008-07-19 00:33 . 2008-07-19 00:33 268 --ah----- C:\sqmdata14.sqm
2008-07-19 00:33 . 2008-07-19 00:33 244 --ah----- C:\sqmnoopt14.sqm
2008-07-18 12:43 . 2008-07-18 12:43 268 --ah----- C:\sqmdata13.sqm
2008-07-18 12:43 . 2008-07-18 12:43 244 --ah----- C:\sqmnoopt13.sqm
2008-07-17 06:53 . 2008-07-17 06:53 268 --ah----- C:\sqmdata12.sqm
2008-07-17 06:53 . 2008-07-17 06:53 244 --ah----- C:\sqmnoopt12.sqm
2008-07-16 09:34 . 2008-07-16 09:34 268 --ah----- C:\sqmdata11.sqm
2008-07-16 09:34 . 2008-07-16 09:34 244 --ah----- C:\sqmnoopt11.sqm
2008-07-16 01:39 . 2008-07-16 01:39 268 --ah----- C:\sqmdata10.sqm
2008-07-16 01:39 . 2008-07-16 01:39 244 --ah----- C:\sqmnoopt10.sqm
2008-07-15 15:21 . 2008-07-15 15:21 268 --ah----- C:\sqmdata09.sqm
2008-07-15 15:21 . 2008-07-15 15:21 244 --ah----- C:\sqmnoopt09.sqm
2008-07-15 06:42 . 2008-07-15 06:42 268 --ah----- C:\sqmdata08.sqm
2008-07-15 06:42 . 2008-07-15 06:42 244 --ah----- C:\sqmnoopt08.sqm
2008-07-12 03:43 . 2008-07-12 03:43 268 --ah----- C:\sqmdata07.sqm
2008-07-12 03:43 . 2008-07-12 03:43 244 --ah----- C:\sqmnoopt07.sqm
2008-07-11 09:35 . 2008-07-11 09:35 268 --ah----- C:\sqmdata06.sqm
2008-07-11 09:35 . 2008-07-11 09:35 244 --ah----- C:\sqmnoopt06.sqm
2008-07-10 20:37 . 2008-07-24 20:46 268 --ah----- C:\sqmdata05.sqm
2008-07-10 20:37 . 2008-07-24 20:46 244 --ah----- C:\sqmnoopt05.sqm
2008-07-10 13:04 . 2008-07-24 20:31 268 --ah----- C:\sqmdata04.sqm
2008-07-10 13:04 . 2008-07-24 20:31 244 --ah----- C:\sqmnoopt04.sqm
2008-07-10 06:46 . 2008-07-10 06:47 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-07-10 06:42 . 2008-07-24 19:18 268 --ah----- C:\sqmdata03.sqm
2008-07-10 06:42 . 2008-07-24 19:18 244 --ah----- C:\sqmnoopt03.sqm
2008-07-09 07:13 . 2008-07-24 17:10 268 --ah----- C:\sqmdata02.sqm
2008-07-09 07:13 . 2008-07-24 17:10 244 --ah----- C:\sqmnoopt02.sqm
2008-07-08 20:19 . 2008-07-24 14:12 268 --ah----- C:\sqmdata01.sqm
2008-07-08 20:19 . 2008-07-24 14:12 244 --ah----- C:\sqmnoopt01.sqm
2008-07-08 06:13 . 2008-07-05 07:44 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-07-08 00:55 . 2008-07-08 00:59 <DIR> d-------- C:\Documents and Settings\MOTHER OF ALL\Application Data\HouseCall 6.6
2008-07-07 19:16 . 2008-07-07 19:16 <DIR> d-------- C:\Documents and Settings\MOTHER OF ALL\Application Data\Grisoft
2008-07-07 19:13 . 2008-07-07 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-07-07 19:13 . 2007-05-30 20:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-07-07 09:46 . 2008-07-23 20:21 268 --ah----- C:\sqmdata00.sqm
2008-07-07 09:46 . 2008-07-23 20:21 244 --ah----- C:\sqmnoopt00.sqm
2008-07-05 17:30 . 2008-07-05 17:30 <DIR> d-------- C:\Documents and Settings\MOTHER OF ALL\Application Data\Malwarebytes
2008-07-05 17:29 . 2008-07-05 17:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-05 12:33 . 2008-07-05 12:48 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-07-05 11:27 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-05 11:24 . 2008-07-05 11:24 <DIR> d-------- C:\Program Files\Panda Security
2008-07-05 07:43 . 2008-07-05 07:43 <DIR> d-------- C:\WINDOWS\Sun
2008-07-05 07:43 . 2008-07-08 06:14 <DIR> d-------- C:\Documents and Settings\MOTHER OF ALL\.housecall6.6
2008-07-05 05:14 . 2008-07-05 05:14 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-05 05:14 . 2008-07-07 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-05 01:39 . 2008-07-05 01:39 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-05 01:39 . 2008-07-05 01:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-05 01:38 . 2008-07-05 01:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-05 01:09 . 2008-07-05 01:09 <DIR> d-------- C:\Program Files\CCleaner
2008-07-05 01:03 . 2008-07-05 01:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-03 01:15 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-07-03 01:15 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-03 01:15 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-07-03 01:15 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-07-01 22:15 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-07-01 22:15 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2008-06-30 19:18 . 2008-06-30 19:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-06-30 05:08 . 2008-06-30 05:09 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-30 03:09 . 2008-06-30 03:09 <DIR> d-------- C:\Documents and Settings\MOTHER OF ALL\Application Data\Screenshot Sender
2008-06-30 03:08 . 2008-06-30 19:25 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-06-30 01:27 . 2008-06-30 05:24 <DIR> d-------- C:\Documents and Settings\MOTHER OF ALL\Application Data\LimeWire
2008-06-30 01:24 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-30 01:23 . 2008-06-30 01:24 <DIR> d-------- C:\Program Files\Java
2008-06-30 01:19 . 2008-06-30 01:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-30 00:15 . 2008-04-23 12:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-30 00:15 . 2007-04-17 17:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-30 00:15 . 2007-03-08 13:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-30 00:15 . 2008-04-23 12:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-30 00:15 . 2008-04-23 12:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-30 00:15 . 2008-04-23 12:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-30 00:15 . 2008-04-23 12:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-30 00:15 . 2008-04-23 12:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-30 00:15 . 2008-04-22 15:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 11:25 --------- d-----w C:\Program Files\Windows Live
2008-06-30 11:25 --------- d-----w C:\Program Files\MSN Messenger
2008-06-23 14:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-22 10:42 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-22 06:44 --------- d-----w C:\Program Files\Yahoo!
2008-06-22 03:28 --------- d-----w C:\Documents and Settings\MOTHER OF ALL\Application Data\Yahoo!
2008-06-22 03:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-21 03:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-21 02:29 --------- d-----w C:\Program Files\XP Codec Pack
2008-06-21 02:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-06-21 01:59 --------- d-----w C:\Program Files\Intel
2008-06-21 01:42 745,472 ------w C:\WINDOWS\system32\NETw4c32.dll
2008-06-21 01:42 2,777,088 ------w C:\WINDOWS\system32\NETw4r32.dll
2008-06-21 01:42 2,236,032 ------w C:\WINDOWS\system32\drivers\NETw4x32.sys
2008-06-21 01:39 --------- d-----w C:\Program Files\Motorola
2008-06-21 01:29 --------- d-----w C:\Program Files\RALINK
2008-06-21 00:07 --------- d-----w C:\Program Files\REALTEK RTL8187 Wireless LAN Driver
2008-06-21 00:06 --------- d-----w C:\Program Files\Synaptics
2008-06-20 23:34 --------- d-----w C:\Program Files\VIA
2008-06-20 23:34 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-20 21:59 --------- d-----w C:\Program Files\Elantech
2008-06-20 21:55 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-06-20 21:55 --------- d-----w C:\Program Files\AvRack
2008-06-20 21:33 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-20 21:14 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-16 03:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-08-18 05:40 102400]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 17:31 630784]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-19 11:08 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-19 11:08 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-19 11:07 131072]
"BisonTrayIcon"="C:\WINDOWS\BisonCam\BisonTrayIcon.exe" [2005-09-05 16:51 45056]
"BisonHK"="C:\WINDOWS\BisonCam\BisonHK.exe" [2006-08-04 18:15 73728]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 04:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 04:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 04:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 04:00 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 17:25 6731312]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="C:\WINDOWS\system32\sti_ci.dll" [2004-08-04 07:56 136704]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 21:20:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-27 21:21:47
ComboFix-quarantined-files.txt 2008-07-27 13:21:33
ComboFix2.txt 2008-07-24 12:37:26
Pre-Run: 32,104,566,784 bytes free
Post-Run: 32,093,741,056 bytes free
196 --- E O F --- 2008-07-10 03:56:25
MauriceN (1st Responder, Premium Member; Joined: May 20, 2006; Posts: 1035; Location: USA)
Posted: Tue Jul 29, 2008 4:33 pm
We removed the items tagged by the Kaspersky scan, and the last run of ComboFix went without finding malware.
If the next scan shows clean results, we can proceed to close this HJT-malware incident.
If you have other issues with Windows, I'll point you to the apropos Windows forum to start a new thread.
This sub-forum is on malware infection issues.
Do this online scan: F-Secure Online Scanner
The online scanner is on the bottom right of the page.
Follow the directions in the F-Secure page for proper Installation.
You may receive an alert on the address bar at this point to install the ActiveX control.
Click on that alert and then click "Install ActiveX component".
Read the license agreement and click "Accept".
Click "Custom Scan" and be sure the following are checked:
- Scan whole System
- Scan all files
- Scan whole system for rootkits
- Scan whole system for spyware
- Scan inside archives
- Use advanced heuristics
When the scan completes, click the "I want to decide item by item" button.
For each item found, Select "Disinfect" and click "Next".
When done, click the "Show Report" button, then copy and paste the entire report into your next reply
=
Start HijackThis. Do a new Scan and Save report.
In a reply to this thread, please post (in order):
- the new HijackThis report &
- the F-Secure report.
And tell me: how is your system now? Be sure to do a Preview prior to pressing the Submit button because all reports may not fit into 1 single reply.
_________________
~Maurice Naggar
MS-MVP
botanyrox (Private; Joined: Oct 13, 2007; Posts: 35)
Posted: Fri Aug 01, 2008 2:16 am
Sorry this is taking long, I am kinda having difficulty downloading the update for the scanner because of my connection. Gonna get back to ya when I finish this.
botanyrox (Private; Joined: Oct 13, 2007; Posts: 35)
Posted: Sat Aug 02, 2008 4:59 pm
Erm... I give up. The components don't seem to download. And I can only run it on IE, not Firefox. 
botanyrox (Private; Joined: Oct 13, 2007; Posts: 35)
Posted: Sun Aug 03, 2008 10:48 pm
Heya, I finally got it now...
F-Secure Online Scanner Report:
Scanning Report
Monday, August 04, 2008 02:49:41 - 06:26:42
Computer name: ---
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\
--------------------------------------------------------------------------------
Result: 2 malware found
Tracking Cookie (spyware)
System
Trojan.Win32.BHO.fex (virus)
C:\_OTMoveIt\MovedFiles\07272008_195331\Program Files\Granado Espada\release\xtrap\XTrap.xt (Renamed & Submitted)
--------------------------------------------------------------------------------
Statistics
Scanned:
Files: 290315
System: 3044
Not scanned: 56
Actions:
Disinfected: 0
Renamed: 1
Deleted: 0
None: 1
Submitted: 1
Files not scanned:
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT.LOG
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
C:\DOCUMENTS AND SETTINGS\MOTHER OF ALL\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\MOTHER OF ALL\NTUSER.DAT.LOG
C:\DOCUMENTS AND SETTINGS\MOTHER OF ALL\MY DOCUMENTS\MY RECEIVED FILES\ADVANCE WARS 2 - BLACK HOLE RISING (U) [HI]\ADVANCE WARS 2 - BLACK HOLE RISING (U) [HI].SAV
C:\DOCUMENTS AND SETTINGS\MOTHER OF ALL\LOCAL SETTINGS\TEMP\ETILQS_CGTXLGM0VXY6KS8AU0BY
C:\DOCUMENTS AND SETTINGS\MOTHER OF ALL\LOCAL SETTINGS\TEMP\ETILQS_WVVBYGLNDE4GUTSOOOIN
C:\DOCUMENTS AND SETTINGS\MOTHER OF ALL\LOCAL SETTINGS\TEMP\ETILQS_WVVBYGLNDE4GUTSOOOIN-JOURNAL
C:\DOCUMENTS AND SETTINGS\MOTHER OF ALL\LOCAL SETTINGS\TEMP\FLAFAE.TMP
C:\DOCUMENTS AND SETTINGS\MOTHER OF ALL\LOCAL SETTINGS\TEMP\HSPERFDATA_MOTHER OF ALL\1448
C:\Documents and Settings\MOTHER OF ALL\Desktop\Windows Live Installer.exe\Catalog
C:\Documents and Settings\MOTHER OF ALL\Desktop\Windows Live Installer.exe\CoreServiceFile
C:\Documents and Settings\MOTHER OF ALL\Desktop\Windows Live Installer.exe\DashboardExeFile
C:\Documents and Settings\MOTHER OF ALL\Desktop\Windows Live Installer.exe\DashboardLocDllFile
C:\Documents and Settings\MOTHER OF ALL\Desktop\Windows Live Installer.exe\DashboardResDllFile
C:\Documents and Settings\MOTHER OF ALL\Desktop\Windows Live Installer.exe\dw20.adm_1033.D0DF3458_A845_11D3_8D0A_0050046416B9
C:\Documents and Settings\MOTHER OF ALL\Desktop\Windows Live Installer.exe\dw20.exe_0001.D0DF3458_A845_11D3_8D0A_0050046416B9
C:\Documents and Settings\MOTHER OF ALL\Desktop\Windows Live Installer.exe\dwdcw20.dll.D0DF3458_A845_11D3_8D0A_0050046416B9
C:\Documents and Settings\MOTHER OF ALL\Desktop\Windows Live Installer.exe\dwintl20.dll_0001_1033.D0DF3458_A845_11D3_8D0A_0050046416B9
C:\Documents and Settings\MOTHER OF ALL\Desktop\Windows Live Installer.exe\dwtrig20.exe.D0DF3458_A845_11D3_8D0A_0050046416B9
C:\Documents and Settings\MOTHER OF ALL\Desktop\Windows Live Installer.exe\HiContrastThemeFile
C:\Documents and Settings\MOTHER OF ALL\Desktop\Windows Live Installer.exe\SqmApiDllFile
C:\Documents and Settings\MOTHER OF ALL\Desktop\Windows Live Installer.exe\UXCoreDllFile
C:\Documents and Settings\MOTHER OF ALL\Desktop\Windows Live Installer.exe\VCRT80MF
C:\Documents and Settings\MOTHER OF ALL\Desktop\Windows Live Installer.exe\VCRT80R
C:\DOCUMENTS AND SETTINGS\MOTHER OF ALL\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\OOWG1PV8.DEFAULT\PARENT.LOCK
C:\DOCUMENTS AND SETTINGS\MOTHER OF ALL\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\OOWG1PV8.DEFAULT\PLACES.SQLITE-JOURNAL
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT.LOG
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASSW
--------------------------------------------------------------------------------
Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Blacklight: 1.0.68
F-Secure Hydra: 2.8.8110, 2008-08-01
F-Secure Pegasus: 1.20.0, 2008-04-15
F-Secure AVP: 7.0.171, 2008-08-01
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics
--------------------------------------------------------------------------------
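As an added example (not from the thread, Kaspersky or F-Secure), the Python below parses the detection lines of the Kaspersky Online Scanner 7 report posted above, separates Kaspersky's not-a-virus: entries from the Trojan, emits the one-path-per-line list that went into OTMoveIt2, and correlates the later F-Secure hit under C:\_OTMoveIt\MovedFiles back to the already-moved XTrap.xt so a quarantined copy is not mistaken for a reinfection. The function names, the "riskware" label and the sample strings are constructed for this example.

```python
"""Triage helpers for the two scanner reports posted in this thread."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: the detection section of the Kaspersky Online Scanner 7
# report posted above (header trimmed, detection lines as posted).
KASPERSKY_REPORT = r"""
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, July 27, 2008
Infected objects: 3
Suspicious objects: 0
File name / Threat name / Threats count
D:\transfer files\Downloads\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
D:\transfer files\Downloads\mirc631.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
D:\Program Files\Granado Espada\release\xtrap\XTrap.xt Infected: Trojan.Win32.BHO.fex 1
The selected area was scanned.
"""

# Constructed sample: the two paths the later F-Secure scan reported.
FSECURE_PATHS = [
    "System",
    r"C:\_OTMoveIt\MovedFiles\07272008_195331\Program Files\Granado Espada\release\xtrap\XTrap.xt",
]

# OTMoveIt2 puts moved files under this folder in a mmddyyyy_hhmmss subfolder
# (as its log above shows); the original drive letter is not preserved.
QUARANTINE_ROOT = r"C:\_OTMoveIt\MovedFiles"

# "<path> Infected: <threat> <count>"; the path may contain spaces, so match it
# lazily up to the status keyword. Header lines such as "Infected objects: 3"
# do not contain "Infected:" and therefore do not match.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<status>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)


@dataclass(frozen=True)
class Detection:
    path: str
    status: str
    threat: str
    count: int

    @property
    def category(self) -> str:
        # Kaspersky prefixes legitimate-but-risky software (IRC clients, remote
        # admin tools) with "not-a-virus:"; anything else is classed by its
        # leading family word (Trojan, Backdoor, Worm, ...).
        if self.threat.startswith("not-a-virus:"):
            return "riskware"
        return self.threat.split(".", 1)[0]


def parse_kaspersky_report(text: str) -> list[Detection]:
    """One Detection per 'Infected:' or 'Suspicious:' line in the report."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["status"], m["threat"], int(m["count"])))
    return found


def triage(detections: list[Detection]) -> dict[str, list[str]]:
    """Split paths into malware to remove and riskware to confirm with the user."""
    out: dict[str, list[str]] = {"malware": [], "riskware": []}
    for d in detections:
        out["riskware" if d.category == "riskware" else "malware"].append(d.path)
    return out


def move_list(detections: list[Detection]) -> str:
    """The one-path-per-line text pasted into OTMoveIt2's files/folders box."""
    return "\n".join(d.path for d in detections)


def _driveless(path: str) -> str:
    # "D:\Program Files\x" -> "\program files\x": lets a quarantined copy be
    # matched to its origin even though the drive letter was dropped.
    return ntpath.splitdrive(path)[1].lower()


def correlate_with_quarantine(later_paths: list[str], earlier: list[Detection]) -> dict[str, str]:
    """Label a later scan's paths: a hit under the OTMoveIt2 folder whose tail
    matches an earlier detection is the moved copy, not a reinfection."""
    prefix = QUARANTINE_ROOT.lower() + "\\"
    by_tail = {_driveless(d.path): d.path for d in earlier}
    labels = {}
    for p in later_paths:
        if p.lower().startswith(prefix):
            parts = p[len(prefix):].split("\\", 1)  # [timestamp folder, tail]
            if len(parts) == 2:
                origin = by_tail.get("\\" + parts[1].lower())
                if origin:
                    labels[p] = f"quarantined copy of {origin}"
                    continue
        labels[p] = "new detection"
    return labels
```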
botanyrox (Private; Joined: Oct 13, 2007; Posts: 35)
Posted: Fri Aug 08, 2008 8:43 pm
Erm... okay, it has gotten worse now. I cannot even open my computer anymore because after getting past the Windows XP loading screen, a very, very quick blue screen (maybe 1/2 second) which I cannot read flashes, and my system reboots. Then it makes me choose whether to start in Safe Mode, Last Known Good Config, Normal Mode, etc. I tried them all but it's the same: BSOD for 1/2 second maybe, then reboot.
MauriceN (1st Responder, Premium Member; Joined: May 20, 2006; Posts: 1035; Location: USA)
Posted: Mon Aug 11, 2008 4:22 pm
Do you recall something unusual happening in the days preceding this last episode?
Is it possible that XP Service Pack 3 was pushed down to your system?
Do the following:
Restart the pc and right away tap & keep repeat tapping the F8 function key to get the XP Advanced bootup options!
You will actually see "Disable automatic restart on system failure" as a listed option.
Select that and give it a try. This option is available if you have XP Service Pack 2 or SP3.
** This will turn off the reboot on failure, which is what seems to be your situation. But if it's missing boot files or a corrupted registry, then that is another kettle of problems.
Next, try choosing Normal mode. See if you can log in.
If no joy, redo a pc restart and repeat the F8 procedure; when presented with bootup choices, select Last Known Good Configuration.
If you get a STOP code error, write it all down and post that info here.
_________________
~Maurice Naggar
MS-MVP
botanyrox (Private; Joined: Oct 13, 2007; Posts: 35)
Posted: Wed Aug 20, 2008 7:59 am
I'm sorry it's been long since I came here; I really couldn't open my computer anymore, so I couldn't come here. Unfortunately, my computer has been reformatted again, and I lost a lot of important files. -_-
I just wanna know if there's any way this episode can be prevented from happening again via USB. I'm scared now to reinsert a USB that has been in another computer, because I used the USB which had been installed by some program you gave me before, but when it was used on my dormmate's computer, she said it detected some threats from the USB. However, when it was in my computer, there were none. I'm scared that upon insertion in her Vista computer, the USB got the SAME VIRUS from before that started everything. Now I don't wanna insert that USB anymore here because I might need to reformat again...
MauriceN (1st Responder, Premium Member; Joined: May 20, 2006; Posts: 1035; Location: USA)
Posted: Wed Aug 20, 2008 10:07 am
I'm sorry to hear that you reformatted the system, although I'm not surprised. Your system was very seriously infected when you started here.
The safest thing to do is to force a reformat of the USB flash drive.
USB flash devices are great for transporting files, but they are an easy target for malware infections.
I'm not sure I follow what you say about the tools we used.
The tools we used remove infections and/or are reporting tools.
The way to prevent future infections is to practice safe computing practices.
Don't download or share multimedia files (movies, audio, programs, etc.) before first scanning thoroughly with an antivirus program (that is current and up-to-date).
Never download free stuff unless you absolutely know the "source" is known and trusted.
Do not get free toolbars, smileys, or widgets unless you have checked the reputation of the source.
Please learn how to back up your system and store the backup to DVD or other off-line media. That way, if something goes wrong, you can recover files as needed instead of having nothing and having to reformat.
Next time you have to purchase a pc, make very sure it comes with a full operating system DVD/CD, not simply a "recovery CD".
This is what I typically suggest:
- Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
- Check in at Windows Update and install any Critical Updates offered.
- Download and Install Windows Defender by Microsoft (free) if you do not already have it:
http://www.microsoft.com/downloads/details.aspx?FamilyId=435BFCE7-DA2B-4A6A-AFA4-F7F14E605A0D
- Make certain that Automatic Updates is enabled.
- Download and install Comodo BOClean (free): http://www.comodo.com/boclean/CBO_download.html
- Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times)
- I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm
That would help to keep your browser away from known spyware/malware sites.
- Make regular backups of your system to removable media: DVD, USB external hard drive, etc.
On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
Kaspersky Webscan Online Virus Scanner
ESET Online Scanner
Panda ActiveScan
Trend Micro Housecall
F-Secure Online Scanner
- Read Tony Klein's article How Did I Get Infected In The First Place
- Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe !
Finally, spend some time reading about how to keep your computer safe on the Internet: http://www.bleepingcomputer.com/tutorials/tutorial82.html
_________________
~Maurice Naggar
MS-MVP
botanyrox (Private; Joined: Oct 13, 2007; Posts: 35)
Posted: Thu Aug 21, 2008 3:57 pm
Thank you very much for your reply man...
My internet connection is not fast enough at the moment to redownload and do the aforementioned, but I will.
But...
I copied the USB contents to my external HD, but that was BEFORE I lent my dormmate the flash disk to copy files from her. And then I realized that I didn't even have any antivirus or protection, so I didn't plug it in after it came out of her computer until I had at least AVG. Since then, only my external HD has been here. And I don't think the USB was really infected (much?) when I copied the files to my external HD, because just now, when I opened my computer, this happened:
http://img156.imageshack.us/img156/6429/trojanthreatwy0.png