Computer Hope

Software => Computer viruses and spyware => Topic started by: Zakir on October 04, 2007, 03:05:25 AM

Title: Pure Hole Hole
Post by: Zakir on October 04, 2007, 03:05:25 AM
I have a file called Pure Hole Hole in my C:\ProgramData folder that appeared all of a sudden, and it has shown up as a startup program in TuneUp StartUp Manager (I'm using TuneUp Utilities 2007). Whenever I delete it and restart my computer, it reappears in my ProgramData folder. When I check the properties of Pure Hole Hole, it says:

Type of file: 0V203 File (.0v203)
Opens with: Ford Keep Barb
Location: C:\ProgramData
Size: 132 KB (135,184 bytes)
Size on disk: 136 KB (139,264 bytes)

Should I be worried about it? If it is a problem, what should I do about it?
Title: Re: Pure Hole Hole
Post by: CBMatt on October 04, 2007, 03:57:57 AM
Could be a Lop infection...

Download HijackThis (http://merijn.org/files/HijackThis.exe), scan, and post the log here.  Don't make any changes until instructed to do so.
Title: Re: Pure Hole Hole
Post by: Spero-T on October 04, 2007, 04:22:50 AM
Have you gone to Control Panel / Add or Remove Programs and removed it there?

I am sure you have, but just to check, go to C:\ProgramData and delete it there rather than from the Start menu :D :D
Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 05:34:03 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:53 PM, on 4/10/2007
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Windows\ehome\ehmsas.exe
D:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Eset\nod32kui.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
D:\Program Files\Vidalia Bundle\Tor\tor.exe
D:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 05:34:21 AM
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sg.rd.yahoo.com/customize/ycomp/defaults/sp/*http://sg.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.sg.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.sg.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://sg.rd.yahoo.com/customize/ycomp/defaults/su/*http://sg.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7Pro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - D:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [NOD32 Control Center] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Eset\NOD32 Control Center.lnk
O4 - HKCU\..\Run: [Launch Manager] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Launch Manager\Launch Manager.LNK
O4 - HKCU\..\Run: [PeerGuardian] D:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Vidalia] "D:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [FunkItch] "C:\ProgramData\Pure Hole Hole.wybxn8j"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Privoxy.lnk = D:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: Download ALL with IDA - D:\Program Files\IDA\idaieall.htm
O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
O8 - Extra context menu item: Download with IDA - D:\Program Files\IDA\idaie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7Pro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7Pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Program Files\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Program Files\IDA\ida.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://npsdmail3.np.edu.sg/dwa7W.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F4E9FB3-923F-4BED-B23D-5037D93AF3E4}: NameServer = 218.186.1.38,202.156.1.68
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: eNetHook.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\Program Files\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe

--
End of file - 9863 bytes

Sorry about double posting, but I couldn't fit everything into one post.
And Spero-T, I have tried to delete it myself from the folder, but it keeps coming back.
Title: Re: Pure Hole Hole
Post by: CBMatt on October 04, 2007, 06:36:36 AM
Don't worry, HijackThis often takes more than one post.  This is normal.

As I suspected, you appear to have a Lop infection.  Infections like this need to be handled a bit differently.  I'm going to need a few things from you...

First...
Download NoLop! (http://www.spywareedge.net/nolop/NoLop.exe) and click on Search and Destroy.  Once the scan has been completed, the program will reboot your computer.  Upon rebooting, you may receive errors.  Don't panic; this is normal.  After the reboot, locate the file C:\NoLop!.log and post the contents here.

Second...
Open HijackThis.
Click on Open Misc Tools Section
Make sure that both boxes beside "Generate StartupList Log" are checked:
Click Generate StartupList Log.
Click Yes at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.

Third...
Download lop.zip (http://www.geekstogo.com/forum/index.php?act=Attach&type=post&id=4967)
Unzip it to your desktop.
Go into the new lop folder and double-click lop.bat
It will run and when done, a Notepad will open.  Copy the contents of the Notepad and paste it here.

Finally...
Scan with HijackThis once again and post a new log here.

So...I need these four logs from you.  I know it sounds like a lot, but the effort is fairly minimal.  All of this information will help with cleaning your infection and determining if there is anything else we need to take care of.  Also...just checking...is your computer an Acer?
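An added example, not part of this thread or of any of the tools mentioned in it: the indicator CBMatt is reading from the log above, the O4 line `[FunkItch] "C:\ProgramData\Pure Hole Hole.wybxn8j"`, can be turned into a small triage script. It parses HijackThis O4 lines and scores each autorun target on three heuristics taken from this log: the file sits directly in C:\ProgramData or a user's AppData\Roaming root rather than in a vendor subfolder, its extension is not one Windows would normally autorun, and its base name is a run of capitalised dictionary words. Note that the extension differs between the first post (.0v203) and the log (.wybxn8j), so the check keys on the pattern rather than on a fixed extension. The heuristics, the threshold and the sample lines (copied from the HijackThis log posted above) are assumptions made for illustration, not a published Lop signature.

```python
"""Flag HijackThis O4 (autorun) entries that look like a Lop-style dropper.

The heuristics are assumptions drawn from the log in this thread, not an
official signature for the family:
  * the target sits directly in a data-folder root (C:\\ProgramData or a
    user's AppData\\Roaming) instead of a vendor subfolder;
  * its extension is not one Windows would normally autorun;
  * its base name is several capitalised dictionary-style words.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_O4_LINES = [
    'O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe"',
    'O4 - HKCU\\..\\Run: [NOD32 Control Center] C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Eset\\NOD32 Control Center.lnk',
    'O4 - HKCU\\..\\Run: [PeerGuardian] D:\\Program Files\\PeerGuardian2\\pg2.exe',
    'O4 - HKCU\\..\\Run: [FunkItch] "C:\\ProgramData\\Pure Hole Hole.wybxn8j"',
    "O4 - HKUS\\S-1-5-19\\..\\Run: [Sidebar] %ProgramFiles%\\Windows Sidebar\\Sidebar.exe /detectMem (User 'LOCAL SERVICE')",
    'O4 - Global Startup: Privoxy.lnk = D:\\Program Files\\Vidalia Bundle\\Privoxy\\privoxy.exe',
]

# Registry-backed entries: "O4 - <hive>: [<value name>] <command line>"
REG_LINE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder entries: "O4 - Global Startup: <shortcut> = <resolved target>"
STARTUP_LINE = re.compile(r"^O4 - (?P<hive>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")

# Extensions an autorun entry would ordinarily point at (assumed list).
NORMAL_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".lnk",
               ".dll", ".vbs", ".js", ".wsf", ".hta"}

# Folder roots where a loose file, rather than a vendor subfolder, is unusual.
DATA_ROOTS = re.compile(r"^(?:[a-z]:\\programdata|[a-z]:\\users\\[^\\]+\\appdata\\roaming)$")


def extract_target(cmd):
    """Pull the file path out of a Run value's command line.

    A quoted path is taken verbatim. For an unquoted one, tokens are joined
    until one ends in a file extension; this is best-effort, since an unquoted
    path with spaces is ambiguous by design.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    acc = []
    for tok in cmd.split():
        acc.append(tok)
        if re.search(r"\.[A-Za-z0-9_]{1,10}$", tok):
            break
    return " ".join(acc)


def parse_o4_line(line):
    """Return {'hive', 'name', 'target'} for an O4 line, or None if it is not one."""
    m = REG_LINE.match(line) or STARTUP_LINE.match(line)
    if not m:
        return None
    return {"hive": m["hive"], "name": m["name"], "target": extract_target(m["cmd"])}


def suspicion_reasons(target):
    """List which of the three heuristics the autorun target trips."""
    p = PureWindowsPath(target)
    reasons = []
    if DATA_ROOTS.match(str(p.parent).lower()):
        reasons.append("file sits directly in a data-folder root, not a vendor subfolder")
    if p.suffix.lower() not in NORMAL_EXTS:
        reasons.append(f"extension {p.suffix or '(none)'} is not a normal autorun type")
    words = p.stem.split()
    if len(words) >= 2 and all(w.isalpha() and w[0].isupper() for w in words):
        reasons.append("base name is a run of capitalised dictionary-style words")
    return reasons


def scan_o4_lines(lines, threshold=2):
    """Return the O4 entries that trip at least `threshold` heuristics."""
    hits = []
    for line in lines:
        entry = parse_o4_line(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry["target"])
        if len(reasons) >= threshold:
            hits.append({**entry, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_o4_lines(SAMPLE_O4_LINES):
        print(f"{hit['hive']} [{hit['name']}] -> {hit['target']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run as a script it reports the single FunkItch entry and leaves the Java, NOD32, PeerGuardian, Sidebar and Privoxy entries alone; the same value appears verbatim in the StartupList output under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. A log parser only localises the autorun entry. The poster reports that the file comes back after being deleted, which is consistent with another component re-creating it, and that is why the thread collects several logs before removing anything.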
Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 06:55:35 AM
Well, I ran NoLop! and it says that I had no Lop infections, and yes, my comp is an Acer.


NoLop! Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to NoLop!OLD.log

Fix running from: C:\
[4/10/2007]
[9:11:59 PM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 07:04:42 AM
StartupList report, 4/10/2007, 8:56:18 PM
StartupList version: 1.52.2
Started from : D:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows Vista  (WinNT 6.00.1904)
Detected: Internet Explorer v7.00 (7.00.6000.16512)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Windows\ehome\ehmsas.exe
D:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
D:\Program Files\Eset\nod32kui.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
D:\Program Files\Vidalia Bundle\Tor\tor.exe
D:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Steam\Steam.exe
D:\Program Files\IDA\ida.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Users\K!R\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup]
Bluetooth.lnk = ?
Logitech SetPoint.lnk = ?
Privoxy.lnk = D:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\Windows\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\Windows\system32\igfxtray.exe
HotKeysCmds = C:\Windows\system32\hkcmd.exe
Persistence = C:\Windows\system32\igfxpers.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
nod32kui = "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

????r =
ehTray.exe = C:\Windows\ehome\ehTray.exe
NOD32 Control Center = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Eset\NOD32 Control Center.lnk
Launch Manager = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Launch Manager\Launch Manager.LNK
PeerGuardian = D:\Program Files\PeerGuardian2\pg2.exe
(Default) =
Vidalia = "D:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
FunkItch = "C:\ProgramData\Pure Hole Hole.wybxn8j"
Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 07:05:08 AM

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command

*Registry key not found*

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\Windows\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\Windows\system32\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\Windows\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\Windows\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\Windows\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=eNetHook.dll

--------------------------------------------------

Shell & screensaver key from C:\Windows\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------
Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 07:06:04 AM

Checking for EXPLORER.EXE instances:

C:\Windows\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\Windows\Explorer\Explorer.exe: not present
C:\Windows\System\Explorer.exe: not present
C:\Windows\System32\Explorer.exe: not present
C:\Windows\Command\Explorer.exe: not present
C:\Windows\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: *Registry key not found*
.shb: *Registry key not found*
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\Windows
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename NOT OK: 'REGEDIT.EXE.MUI'
- File description: 'Registry Editor'

Registry check failed!

--------------------------------------------------

Enumerating Browser Helper Objects:

IE7Pro - C:\Program Files\IE7pro\IE7Pro.dll - {00011268-E188-40DF-A514-835FCD78B1BF}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - D:\PROGRA~1\IDA\idaiehlp.dll - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6}
(no name) - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL - {72853161-30C5-4D22-B7F9-0BBC1D38A37E}
(no name) - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}

--------------------------------------------------

Enumerating Task Scheduler jobs:

1-Click Maintenance.job
User_Feed_Synchronization-{371CCB78-4DF7-4D0F-9081-6B14D59BC5D5}.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file:///C:/Windows/Java/classes/xmldso.cab
OSD = C:\Windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

[QuickTime Object]
InProcServer32 = D:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\Windows\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Java Plug-in 1.6.0_02]
InProcServer32 = C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
CODEBASE = http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab

[Java Plug-in 1.6.0_02]
InProcServer32 = C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

[Java Plug-in 1.6.0_02]
InProcServer32 = C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

[Domino Web Access 7 Control]
InProcServer32 = C:\Windows\Downloaded Program Files\dwa7W.dll
CODEBASE = https://npsdmail3.np.edu.sg/dwa7W.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\Windows\system32\NLAapi.dll
NameSpace #2: C:\Windows\System32\mswsock.dll
NameSpace #3: C:\Windows\System32\winrnr.dll
NameSpace #4: C:\Windows\system32\napinsp.dll
NameSpace #5: C:\Windows\system32\pnrpnsp.dll
NameSpace #6: C:\Windows\system32\pnrpnsp.dll
NameSpace #7: C:\Windows\system32\wshbth.dll
Protocol #1: C:\Windows\system32\imon.dll
Protocol #2: C:\Windows\system32\imon.dll
Protocol #3: C:\Windows\system32\imon.dll
Protocol #4: C:\Windows\system32\imon.dll
Protocol #5: C:\Windows\system32\imon.dll
Protocol #6: C:\Windows\system32\imon.dll
Protocol #7: C:\Windows\system32\imon.dll
Protocol #8: C:\Windows\system32\imon.dll
Protocol #9: C:\Windows\system32\imon.dll
Protocol #10: C:\Windows\system32\imon.dll
Protocol #11: C:\Windows\system32\mswsock.dll
Protocol #12: C:\Windows\system32\mswsock.dll
Protocol #13: C:\Windows\system32\mswsock.dll
Protocol #14: C:\Windows\system32\mswsock.dll
Protocol #15: C:\Windows\system32\mswsock.dll
Protocol #16: C:\Windows\system32\mswsock.dll
Protocol #17: C:\Windows\system32\mswsock.dll
Protocol #18: C:\Windows\system32\mswsock.dll
Protocol #19: C:\Windows\system32\mswsock.dll
Protocol #20: C:\Windows\system32\mswsock.dll
Protocol #21: C:\Windows\system32\mswsock.dll
Protocol #22: C:\Windows\system32\imon.dll
Protocol #23: C:\Windows\system32\mswsock.dll
Protocol #24: C:\Windows\system32\mswsock.dll
Protocol #25: C:\Windows\system32\mswsock.dll
Protocol #26: C:\Windows\system32\mswsock.dll
Protocol #27: C:\Windows\system32\mswsock.dll
Protocol #28: C:\Windows\system32\mswsock.dll
Protocol #29: C:\Windows\system32\mswsock.dll
Protocol #30: C:\Windows\system32\mswsock.dll
Protocol #31: C:\Windows\system32\mswsock.dll
Protocol #32: C:\Windows\system32\mswsock.dll
Protocol #33: C:\Windows\system32\mswsock.dll
Protocol #34: C:\Windows\system32\mswsock.dll
Protocol #35: C:\Windows\system32\mswsock.dll
Protocol #36: C:\Windows\system32\mswsock.dll
Protocol #37: C:\Windows\system32\mswsock.dll
Protocol #38: C:\Windows\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\drivers\acpi.sys (system)
adp94xx: \SystemRoot\system32\drivers\adp94xx.sys (disabled)
adpahci: \SystemRoot\system32\drivers\adpahci.sys (disabled)
adpu160m: \SystemRoot\system32\drivers\adpu160m.sys (disabled)
adpu320: \SystemRoot\system32\drivers\adpu320.sys (disabled)
@%SystemRoot%\system32\aelupsvc.dll,-1: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Ancilliary Function Driver for Winsock: \SystemRoot\system32\drivers\afd.sys (system)
Agere Modem Call Progress Audio: C:\Windows\system32\agrsmsvc.exe (autostart)
Agere Systems Soft Modem: system32\DRIVERS\AGRSM.sys (manual start)
Intel AGP Bus Filter: \SystemRoot\system32\drivers\agp440.sys (manual start)
aic78xx: \SystemRoot\system32\drivers\djsvs.sys (disabled)
@%SystemRoot%\system32\Alg.exe,-112: %SystemRoot%\System32\alg.exe (manual start)
aliide: \SystemRoot\system32\drivers\aliide.sys (disabled)
AMD AGP Bus Filter Driver: \SystemRoot\system32\drivers\amdagp.sys (manual start)
amdide: \SystemRoot\system32\drivers\amdide.sys (disabled)
AMD K7 Processor Driver: \SystemRoot\system32\drivers\amdk7.sys (disabled)
AMD K8 Processor Driver: \SystemRoot\system32\drivers\amdk8.sys (disabled)
AMON: \SystemRoot\system32\drivers\amon.sys (autostart)
@%systemroot%\system32\appinfo.dll,-100: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Apple Mobile Device: "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" (autostart)
arc: \SystemRoot\system32\drivers\arc.sys (disabled)
arcsas: \SystemRoot\system32\drivers\arcsas.sys (disabled)
Advanced SCSI Programming Interface Driver: \??\C:\Windows\System32\DRIVERS\ASPI32.sys (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
IDE Channel: system32\drivers\atapi.sys (system)
Atheros Extensible Wireless LAN device driver: system32\DRIVERS\athr.sys (manual start)
@%SystemRoot%\system32\audiosrv.dll,-204: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@%SystemRoot%\system32\audiosrv.dll,-200: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
Autodesk Licensing Service: "C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe" (manual start)
Autodesk Network Licensing Service: C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe (manual start)
@%SystemRoot%\system32\bfe.dll,-1001: %systemroot%\system32\svchost.exe -k LocalServiceNoNetwork (autostart)
@%SystemRoot%\system32\qmgr.dll,-1000: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
blbdrive: \SystemRoot\system32\drivers\blbdrive.sys (disabled)
Bowser: system32\DRIVERS\bowser.sys (manual start)
Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 07:07:04 AM
Brother USB Mass-Storage Lower Filter Driver: \SystemRoot\system32\drivers\brfiltlo.sys (manual start)
Brother USB Mass-Storage Upper Filter Driver: \SystemRoot\system32\drivers\brfiltup.sys (manual start)
@%systemroot%\system32\browser.dll,-100: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Brother MFC Serial Port Interface Driver (WDM): \SystemRoot\system32\drivers\brserid.sys (disabled)
Brother WDM Serial driver: \SystemRoot\system32\drivers\brserwdm.sys (disabled)
Brother MFC USB Fax Only Modem: \SystemRoot\system32\drivers\brusbmdm.sys (disabled)
Brother MFC USB Serial WDM Driver: \SystemRoot\system32\drivers\brusbser.sys (manual start)
Bluetooth Request Block Driver: system32\DRIVERS\BthEnum.sys (manual start)
Bluetooth Modem Communications Driver: system32\DRIVERS\bthmodem.sys (manual start)
Bluetooth Device (Personal Area Network): system32\DRIVERS\bthpan.sys (manual start)
Bluetooth Port Driver: System32\Drivers\BTHport.sys (manual start)
@%SystemRoot%\System32\bthserv.dll,-101: %SystemRoot%\system32\svchost.exe -k bthsvcs (autostart)
Bluetooth Radio USB Driver: System32\Drivers\BTHUSB.sys (manual start)
Bluetooth Audio Device Service: system32\drivers\btwaudio.sys (manual start)
Bluetooth AVDT Service: system32\drivers\btwavdt.sys (manual start)
btwrchid: system32\DRIVERS\btwrchid.sys (manual start)
CD/DVD File System Reader: system32\DRIVERS\cdfs.sys (disabled)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
@%SystemRoot%\System32\certprop.dll,-11: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Consumer IR Devices: \SystemRoot\system32\drivers\circlass.sys (disabled)
Common Log (CLFS): System32\CLFS.sys (system)
Microsoft .NET Framework NGEN v2.0.50727_X86: %systemroot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
Symantec Lic NetConnect service: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (autostart)
Microsoft ACPI Control Method Battery Driver: system32\DRIVERS\CmBatt.sys (manual start)
cmdide: \SystemRoot\system32\drivers\cmdide.sys (disabled)
Microsoft Composite Battery Driver: system32\DRIVERS\compbatt.sys (system)
@comres.dll,-947: %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Crcdisk Filter Driver: system32\drivers\crcdisk.sys (system)
Transmeta Crusoe Processor Driver: \SystemRoot\system32\drivers\crusoe.sys (disabled)
@%SystemRoot%\system32\cryptsvc.dll,-1001: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
@oleres.dll,-5012: %SystemRoot%\system32\svchost.exe -k DcomLaunch (autostart)
Dfs Client Driver: System32\Drivers\dfsc.sys (system)
@dfsrres.dll,-101: %SystemRoot%\system32\DFSR.exe (manual start)
@%SystemRoot%\system32\dhcpcsvc.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
Disk Driver: system32\drivers\disk.sys (system)
Dritek Keyboard Filter Driver: system32\DRIVERS\DKbFltr.sys (manual start)
@%SystemRoot%\System32\dnsapi.dll,-101: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
@%systemroot%\system32\dot3svc.dll,-1102: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted (manual start)
@%systemroot%\system32\dps.dll,-500: %SystemRoot%\System32\svchost.exe -k LocalServiceNoNetwork (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
LDDM Graphics Subsystem: \SystemRoot\System32\drivers\dxgkrnl.sys (manual start)
Intel(R) PRO/1000 NDIS 6 Adapter Driver: system32\DRIVERS\E1G60I32.sys (manual start)
@%systemroot%\system32\eapsvc.dll,-1: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
ReadyBoost Caching Driver: System32\drivers\ecache.sys (system)
eDataSecurity Service: "C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe" (autostart)
@%SystemRoot%\ehome\ehrecvr.exe,-101: %systemroot%\ehome\ehRecvr.exe (manual start)
@%SystemRoot%\ehome\ehsched.exe,-101: %systemroot%\ehome\ehsched.exe (manual start)
@%SystemRoot%\ehome\ehstart.dll,-101: %windir%\system32\svchost.exe -k LocalServiceNoNetwork (autostart)
eLock Service: C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe (autostart)
elxstor: \SystemRoot\system32\drivers\elxstor.sys (disabled)
@%SystemRoot%\system32\emdmgmt.dll,-1000: %systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
eNet Service: C:\Acer\Empowering Technology\eNet\eNet Service.exe (autostart)
eRecovery Service: C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe (autostart)
eSettings Service: C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe (autostart)
@%SystemRoot%\system32\wevtsvc.dll,-200: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
@comres.dll,-2450: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (disabled)
@%systemroot%\system32\fdPHost.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
@%systemroot%\system32\fdrespub.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
File Information FS MiniFilter: system32\drivers\fileinfo.sys (system)
FileTrace: system32\drivers\filetrace.sys (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (disabled)
FltMgr: system32\drivers\fltmgr.sys (system)
@%SystemRoot%\system32\PresentationHost.exe,-3309: %systemroot%\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (manual start)
Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms: \SystemRoot\system32\drivers\gagp30kx.sys (manual start)
@gpapi.dll,-112: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Microsoft 1.1 UAA Function Driver for High Definition Audio Service: system32\drivers\HdAudio.sys (manual start)
Microsoft UAA Bus Driver for High Definition Audio: system32\DRIVERS\HDAudBus.sys (manual start)
Microsoft Bluetooth HID Miniport: system32\DRIVERS\hidbth.sys (manual start)
Microsoft Infrared HID Driver: \SystemRoot\system32\drivers\hidir.sys (disabled)
@%SystemRoot%\System32\hidserv.dll,-101: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
@%SystemRoot%\system32\kmsvc.dll,-6: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
HpCISSs: \SystemRoot\system32\drivers\hpcisss.sys (disabled)
HTTP: system32\drivers\HTTP.sys (manual start)
i2omp: \SystemRoot\system32\drivers\i2omp.sys (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
ialm: system32\DRIVERS\igdkmd32.sys (manual start)
Intel RAID Controller Vista: \SystemRoot\system32\drivers\iastorv.sys (disabled)
@%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll,-8193: "%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" (manual start)
igfx: system32\DRIVERS\igdkmd32.sys (manual start)
Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 07:08:27 AM
iirsp: \SystemRoot\system32\drivers\iirsp.sys (disabled)
@%SystemRoot%\system32\ikeext.dll,-501: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
int15: \??\C:\Acer\Empowering Technology\eRecovery\int15.sys (autostart)
Service for Realtek HD Audio (WDM): system32\drivers\RTKVHDA.sys (manual start)
intelide: system32\drivers\intelide.sys (system)
Intel Processor Driver: system32\DRIVERS\intelppm.sys (manual start)
@%systemroot%\system32\IPBusEnum.dll,-102: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
@%SystemRoot%\system32\iphlpsvc.dll,-200: %SystemRoot%\System32\svchost.exe -k NetSvcs (autostart)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IPMIDRV: \SystemRoot\system32\drivers\ipmidrv.sys (disabled)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
IR Bus Enumerator: system32\drivers\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: \SystemRoot\system32\drivers\isapnp.sys (disabled)
iScsiPort Driver: system32\DRIVERS\msiscsi.sys (manual start)
ITEATAPI_Service_Install: \SystemRoot\system32\drivers\iteatapi.sys (disabled)
ITERAID_Service_Install: \SystemRoot\system32\drivers\iteraid.sys (disabled)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
@keyiso.dll,-100: %SystemRoot%\system32\lsass.exe (manual start)
KSecDD: System32\Drivers\ksecdd.sys (system)
@comres.dll,-2946: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
@%systemroot%\system32\srvsvc.dll,-100: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
@%systemroot%\system32\wkssvc.dll,-100: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Logitech SetPoint KMDF HID Filter Driver: system32\DRIVERS\LHidFilt.Sys (manual start)
LightScribeService Direct Disc Labeling Service: "C:\Program Files\Common Files\LightScribe\LSSrvc.exe" (autostart)
Link-Layer Topology Discovery Mapper I/O Driver: system32\DRIVERS\lltdio.sys (autostart)
@%SystemRoot%\system32\lltdres.dll,-1: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
@%SystemRoot%\system32\lmhsvc.dll,-101: %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
Logitech SetPoint KMDF Mouse Filter Driver: system32\DRIVERS\LMouFilt.Sys (manual start)
LSI_FC: \SystemRoot\system32\drivers\lsi_fc.sys (disabled)
LSI_SAS: \SystemRoot\system32\drivers\lsi_sas.sys (disabled)
LSI_SCSI: \SystemRoot\system32\drivers\lsi_scsi.sys (disabled)
UAC File Virtualization: \SystemRoot\system32\drivers\luafv.sys (autostart)
Logitech SetPoint KMDF USB Filter: System32\Drivers\LUsbFilt.Sys (manual start)
Driver for MagicISO SCSI Host Controller: system32\DRIVERS\mcdbus.sys (manual start)
@%SystemRoot%\ehome\ehres.dll,-15501: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
megasas: \SystemRoot\system32\drivers\megasas.sys (disabled)
Microsoft Office Groove Audit Service: "C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe" (manual start)
@%systemroot%\system32\mmcss.dll,-100: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
MobilityService: C:\Acer\Mobility Center\MobilityService.exe -p (autostart)
Modem: system32\drivers\modem.sys (manual start)
Microsoft Monitor Class Function Driver Service: system32\DRIVERS\monitor.sys (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
Mount Point Manager: System32\drivers\mountmgr.sys (system)
Microsoft Multi-Path Bus Driver: \SystemRoot\system32\drivers\mpio.sys (disabled)
@%SystemRoot%\system32\FirewallAPI.dll,-23092: System32\drivers\mpsdrv.sys (manual start)
@%SystemRoot%\system32\FirewallAPI.dll,-23090: %SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork (autostart)
Mraid35x: \SystemRoot\system32\drivers\mraid35x.sys (disabled)
WebDav Client Redirector Driver: \SystemRoot\system32\drivers\mrxdav.sys (manual start)
SMB MiniRedirector Wrapper and Engine: system32\DRIVERS\mrxsmb.sys (manual start)
SMB 1.x MiniRedirector: system32\DRIVERS\mrxsmb10.sys (manual start)
SMB 2.0 MiniRedirector: system32\DRIVERS\mrxsmb20.sys (manual start)
msahci: \SystemRoot\system32\drivers\msahci.sys (disabled)
Microsoft Multi-Path Device Specific Module: \SystemRoot\system32\drivers\msdsm.sys (disabled)
@comres.dll,-2797: %SystemRoot%\System32\msdtc.exe (manual start)
ISA/EISA Class Driver: system32\drivers\msisadrv.sys (system)
@%SystemRoot%\system32\iscsidsc.dll,-5000: %systemroot%\system32\svchost.exe -k netsvcs (manual start)
@%SystemRoot%\system32\msimsg.dll,-27: %systemroot%\system32\msiexec /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 07:08:50 AM
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
SQL Server (SQLEXPRESS): "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (autostart)
SQL Server Active Directory Helper: "C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" (disabled)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Visual Studio 2005 Remote Debugger: "C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 (disabled)
Mup: System32\Drivers\mup.sys (system)
@%SystemRoot%\system32\qagentrt.dll,-6: %SystemRoot%\System32\svchost.exe -k NetworkService (manual start)
NativeWiFi Filter: system32\DRIVERS\nwifi.sys (manual start)
NDIS System Driver: system32\drivers\ndis.sys (system)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NETBT: System32\DRIVERS\netbt.sys (system)
@%SystemRoot%\System32\netlogon.dll,-102: %systemroot%\system32\lsass.exe (manual start)
@%SystemRoot%\system32\netman.dll,-109: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (manual start)
@%SystemRoot%\system32\netprof.dll,-246: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
@%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll,-8201: "%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" (disabled)
Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit: system32\DRIVERS\NETw3v32.sys (manual start)
nfrd960: \SystemRoot\system32\drivers\nfrd960.sys (disabled)
@%SystemRoot%\System32\nlasvc.dll,-1: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
NMIndexingService: "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe" (disabled)
nod32drv: \SystemRoot\system32\drivers\nod32drv.sys (system)
NOD32 Kernel Service: "D:\Program Files\Eset\nod32krn.exe" (autostart)
@%SystemRoot%\system32\nsisvc.dll,-200: %systemroot%\system32\svchost.exe -k LocalService (autostart)
NSI proxy service: system32\drivers\nsiproxy.sys (system)
Upper Class Filter Driver: system32\DRIVERS\NTIDrvr.sys (manual start)
N-trig HID Tablet Driver: \SystemRoot\system32\drivers\ntrigdigi.sys (disabled)
nvraid: \SystemRoot\system32\drivers\nvraid.sys (disabled)
nvstor: \SystemRoot\system32\drivers\nvstor.sys (disabled)
NVIDIA nForce AGP Bus Filter: \SystemRoot\system32\drivers\nv_agp.sys (manual start)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
Microsoft Office Diagnostics Service: "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE" (manual start)
NEC FireWarden OHCI Compliant IEEE 1394 Host Controller: \SystemRoot\system32\drivers\ohci1394.sys (disabled)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
@%SystemRoot%\system32\p2psvc.dll,-8004: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (manual start)
@%SystemRoot%\system32\p2psvc.dll,-8006: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (manual start)
Parallel port driver: \SystemRoot\system32\drivers\parport.sys (manual start)
Partition Manager: System32\drivers\partmgr.sys (system)
Parvdm: \SystemRoot\system32\drivers\parvdm.sys (autostart)
@%SystemRoot%\system32\pcasvc.dll,-1: %systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
PCI Bus Driver: system32\drivers\pci.sys (system)
pciide: \SystemRoot\system32\drivers\pciide.sys (disabled)
pcmcia: system32\DRIVERS\pcmcia.sys (system)
VSO Software pcouffin: System32\Drivers\pcouffin.sys (manual start)
PEAUTH: system32\drivers\peauth.sys (autostart)
pgfilter: \??\D:\Program Files\PeerGuardian2\pgfilter.sys (manual start)
@%systemroot%\system32\pla.dll,-500: %SystemRoot%\System32\svchost.exe -k LocalServiceNoNetwork (manual start)
@%SystemRoot%\system32\umpnpmgr.dll,-100: %SystemRoot%\system32\svchost.exe -k DcomLaunch (autostart)
@%SystemRoot%\system32\p2psvc.dll,-8002: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (manual start)
@%SystemRoot%\system32\p2psvc.dll,-8000: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (manual start)
@%SystemRoot%\System32\polstore.dll,-5010: %SystemRoot%\system32\svchost.exe -k NetworkServiceNetworkRestricted (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Processor Driver: \SystemRoot\system32\drivers\processr.sys (disabled)
StarForce Protection Environment Driver v6: \SystemRoot\System32\drivers\prodrv06.sys (system)
@%systemroot%\system32\profsvc.dll,-300: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
StarForce Protection Helper Driver v2: System32\drivers\prohlp02.sys (system)
StarForce Protection Synchronization Driver v1: System32\drivers\prosync1.sys (system)
@%systemroot%\system32\psbase.dll,-300: %SystemRoot%\system32\lsass.exe (manual start)
@%SystemRoot%\System32\drivers\pacer.sys,-101: system32\DRIVERS\pacer.sys (system)
PSDFilter: system32\DRIVERS\psdfilter.sys (system)
PSDNSERVER: system32\drivers\PSDNServ.sys (system)
psdvdisk: system32\drivers\psdvdisk.sys (system)
QLogic Fibre Channel Miniport Driver: \SystemRoot\system32\drivers\ql2300.sys (disabled)
QLogic iSCSI Miniport Driver: \SystemRoot\system32\drivers\ql40xx.sys (disabled)
@%SystemRoot%\system32\qwave.dll,-1: %windir%\system32\svchost.exe -k LocalService (manual start)
@%SystemRoot%\system32\drivers\qwavedrv.sys,-1: \SystemRoot\system32\drivers\qwavedrv.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
@%Systemroot%\system32\rasauto.dll,-200: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
@%Systemroot%\system32\rasmans.dll,-200: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Redirected Buffering Sub Sysytem: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: \SystemRoot\system32\drivers\rdpdr.sys (disabled)
RDP Encoder Mirror Driver: system32\drivers\rdpencdd.sys (system)
@%Systemroot%\system32\mprdim.dll,-200: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
@regsvc.dll,-1: %SystemRoot%\system32\svchost.exe -k regsvc (manual start)
Bluetooth Device (RFCOMM Protocol TDI): system32\DRIVERS\rfcomm.sys (manual start)
Cyberlink RichVideo Service(CRVS): "C:\Program Files\CyberLink\Shared Files\RichVideo.exe" (autostart)
@%systemroot%\system32\Locator.exe,-2: %SystemRoot%\system32\locator.exe (manual start)
@oleres.dll,-5010: %SystemRoot%\system32\svchost.exe -k rpcss (autostart)
Link-Layer Topology Discovery Responder: system32\DRIVERS\rspndr.sys (autostart)
@%SystemRoot%\system32\samsrv.dll,-1: %SystemRoot%\system32\lsass.exe (autostart)
SBP-2 Transport/Protocol Bus Driver: \SystemRoot\system32\drivers\sbp2port.sys (disabled)
@%SystemRoot%\System32\SCardSvr.dll,-1: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
@%SystemRoot%\system32\schedsvc.dll,-100: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
@%SystemRoot%\System32\certprop.dll,-13: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
@%SystemRoot%\system32\sdrsvc.dll,-107: %SystemRoot%\system32\svchost.exe -k SDRSVC (manual start)
@%SystemRoot%\system32\seclogon.dll,-7001: %windir%\system32\svchost.exe -k netsvcs (autostart)
@%SystemRoot%\system32\Sens.dll,-200: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ATEN Serial port driver: system32\DRIVERS\ser2pl.sys (manual start)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial Port Driver: \SystemRoot\system32\drivers\serial.sys (manual start)
Serial Mouse Driver: \SystemRoot\system32\drivers\sermouse.sys (disabled)
@%SystemRoot%\System32\SessEnv.dll,-1026: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
SFF Storage Class Driver: \SystemRoot\system32\drivers\sffdisk.sys (disabled)
SFF Storage Protocol Driver for MMC: \SystemRoot\system32\drivers\sffp_mmc.sys (manual start)
SFF Storage Protocol Driver for SDBus: \SystemRoot\system32\drivers\sffp_sd.sys (manual start)
StarForce Protection Helper Driver: System32\drivers\sfhlp01.sys (system)
High-Capacity Floppy Disk Drive: \SystemRoot\system32\drivers\sfloppy.sys (disabled)
@%SystemRoot%\system32\ipnathlp.dll,-106: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
@%SystemRoot%\System32\shsvcs.dll,-12288: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: \SystemRoot\system32\drivers\sisagp.sys (manual start)
SiSRaid2: \SystemRoot\system32\drivers\sisraid2.sys (disabled)
SiSRaid4: \SystemRoot\system32\drivers\sisraid4.sys (disabled)
Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 07:09:16 AM
@%SystemRoot%\system32\SLsvc.exe,-101: %SystemRoot%\system32\SLsvc.exe (autostart)
@%SystemRoot%\system32\SLUINotify.dll,-103: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
@%SystemRoot%\system32\tcpipcfg.dll,-50005: system32\DRIVERS\smb.sys (system)
@%SystemRoot%\system32\snmptrap.exe,-3: %SystemRoot%\System32\snmptrap.exe (manual start)
USB2.0 PC Camera (SNP2UVC): system32\DRIVERS\snp2uvc.sys (manual start)
@%systemroot%\system32\spoolsv.exe,-1: %SystemRoot%\System32\spoolsv.exe (autostart)
sptd: System32\Drivers\sptd.sys (system)
SQL Server Browser: "C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" (disabled)
SQL Server VSS Writer: "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" (manual start)
srv: System32\DRIVERS\srv.sys (manual start)
srv2: System32\DRIVERS\srv2.sys (manual start)
srvnet: System32\DRIVERS\srvnet.sys (manual start)
@%systemroot%\system32\ssdpsrv.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Steam Client Service: C:\Program Files\Common Files\Steam\SteamService.exe /RunAsService (manual start)
@%SystemRoot%\system32\wiaservc.dll,-9: %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
@%SystemRoot%\System32\swprv.dll,-103: %SystemRoot%\System32\svchost.exe -k swprv (manual start)
Symc8xx: \SystemRoot\system32\drivers\symc8xx.sys (disabled)
Sym_hi: \SystemRoot\system32\drivers\sym_hi.sys (disabled)
Sym_u3: \SystemRoot\system32\drivers\sym_u3.sys (disabled)
Synaptics TouchPad Driver: system32\DRIVERS\SynTP.sys (manual start)
@%SystemRoot%\system32\sysmain.dll,-1000: %systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@%SystemRoot%\system32\TabSvc.dll,-100: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@%SystemRoot%\system32\tapisrv.dll,-10100: %SystemRoot%\System32\svchost.exe -k NetworkService (manual start)
@%SystemRoot%\system32\tbssvc.dll,-100: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
@%SystemRoot%\system32\tcpipcfg.dll,-50003: System32\drivers\tcpip.sys (system)
Microsoft IPv6 Protocol Driver: system32\DRIVERS\tcpip.sys (manual start)
TCP/IP Registry Compatibility: System32\drivers\tcpipreg.sys (autostart)
TDPIPE: system32\drivers\tdpipe.sys (manual start)
TDTCP: system32\drivers\tdtcp.sys (manual start)
@%SystemRoot%\system32\tcpipcfg.dll,-50004: system32\DRIVERS\tdx.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
@%SystemRoot%\System32\termsrv.dll,-268: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
@%SystemRoot%\System32\shsvcs.dll,-8192: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
@%systemroot%\system32\mmcss.dll,-102: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
tifm21: system32\drivers\tifm21.sys (manual start)
@%SystemRoot%\system32\trkwks.dll,-1: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@%SystemRoot%\servicing\TrustedInstaller.exe,-100: %SystemRoot%\servicing\TrustedInstaller.exe (manual start)
Terminal Services Security Filter Driver: System32\DRIVERS\tssecsrv.sys (manual start)
Microsoft Tun Miniport Adapter Driver: system32\DRIVERS\tunmp.sys (manual start)
Microsoft IPv6 Tunnel Miniport Adapter Driver: system32\DRIVERS\tunnel.sys (manual start)
Microsoft AGPv3.5 Filter: \SystemRoot\system32\drivers\uagp35.sys (manual start)
udfs: system32\DRIVERS\udfs.sys (disabled)
@%SystemRoot%\system32\ui0detect.exe,-101: %SystemRoot%\system32\UI0Detect.exe (manual start)
Uli AGP Bus Filter: \SystemRoot\system32\drivers\uliagpkx.sys (manual start)
uliahci: \SystemRoot\system32\drivers\uliahci.sys (disabled)
UlSata: \SystemRoot\system32\drivers\ulsata.sys (disabled)
ulsata2: \SystemRoot\system32\drivers\ulsata2.sys (disabled)
UMBus Enumerator Driver: system32\DRIVERS\umbus.sys (manual start)
@%systemroot%\system32\upnphost.dll,-213: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Microsoft USB Generic Parent Driver: \SystemRoot\system32\drivers\usbccgp.sys (manual start)
eHome Infrared Receiver (USBCIR): \SystemRoot\system32\drivers\usbcir.sys (disabled)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: \SystemRoot\system32\drivers\usbohci.sys (disabled)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
USB Remote NDIS Network Device Driver: system32\DRIVERS\usb8023.sys (manual start)
Messenger Sharing Folders USN Journal Reader service: "C:\Program Files\MSN Messenger\usnsvc.exe" (manual start)
@%SystemRoot%\system32\dwm.exe,-2000: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@%SystemRoot%\System32\uxtuneup.dll,-4096: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
@%SystemRoot%\system32\vds.exe,-100: %SystemRoot%\System32\vds.exe (manual start)
vga: system32\DRIVERS\vgapnp.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: \SystemRoot\system32\drivers\viaagp.sys (manual start)
VIA C7 Processor Driver: \SystemRoot\system32\drivers\viac7.sys (disabled)
viaide: \SystemRoot\system32\drivers\viaide.sys (disabled)
Volume Manager Driver: system32\drivers\volmgr.sys (system)
Dynamic Volume Manager: System32\drivers\volmgrx.sys (system)
Storage volumes: system32\drivers\volsnap.sys (system)
vsmraid: \SystemRoot\system32\drivers\vsmraid.sys (disabled)
@%systemroot%\system32\vssvc.exe,-102: %systemroot%\system32\vssvc.exe (manual start)
@%SystemRoot%\system32\w32time.dll,-200: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Wacom Serial Pen HID Driver: \SystemRoot\system32\drivers\wacompen.sys (disabled)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Remote Access IPv6 ARP Driver: system32\DRIVERS\wanarp.sys (system)
@%SystemRoot%\system32\wcncsvc.dll,-3: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
@%SystemRoot%\system32\WcsPlugInService.dll,-200: %SystemRoot%\system32\svchost.exe -k wcssvc (manual start)
Microsoft Watchdog Timer Driver: \SystemRoot\system32\drivers\wd.sys (disabled)
Kernel Mode Driver Frameworks service: system32\drivers\Wdf01000.sys (system)
@%systemroot%\system32\wdi.dll,-502: %SystemRoot%\System32\svchost.exe -k wdisvc (manual start)
@%systemroot%\system32\wdi.dll,-500: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (manual start)
@%systemroot%\system32\webclnt.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
@%SystemRoot%\system32\wecsvc.dll,-200: %SystemRoot%\system32\svchost.exe -k NetworkService (manual start)
@%SystemRoot%\System32\wercplsupport.dll,-101: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
@%SystemRoot%\System32\wersvc.dll,-100: %SystemRoot%\System32\svchost.exe -k WerSvcGroup (autostart)
WimFltr: system32\DRIVERS\wimfltr.sys (manual start)
@%ProgramFiles%\Windows Defender\MsMpRes.dll,-103: %SystemRoot%\System32\svchost.exe -k secsvcs (autostart)
@%SystemRoot%\system32\winhttp.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
@%Systemroot%\system32\wbem\wmisvc.dll,-205: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
@%Systemroot%\system32\wsmsvc.dll,-101: %SystemRoot%\System32\svchost.exe -k NetworkService (manual start)
@%SystemRoot%\System32\wlansvc.dll,-257: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
Microsoft Windows Management Interface for ACPI: system32\DRIVERS\wmiacpi.sys (manual start)
@%Systemroot%\system32\wbem\wmiapsrv.exe,-110: %systemroot%\system32\wbem\WmiApSrv.exe (manual start)
ePower Service: C:\Acer\Empowering Technology\ePower\ePowerSvc.exe (autostart)
@%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101: "%ProgramFiles%\Windows Media Player\wmpnetwk.exe" (manual start)
@%SystemRoot%\system32\wpcsvc.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted (manual start)
@%SystemRoot%\system32\wpdbusenum.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\system32\drivers\ws2ifsl.sys (system)
@%SystemRoot%\System32\wscsvc.dll,-200: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
@%systemroot%\system32\SearchIndexer.exe,-103: %systemroot%\system32\SearchIndexer.exe /Embedding (autostart)
WSVD: \??\C:\Windows\system32\drivers\WSVD.sys (manual start)
@%systemroot%\system32\wuaueng.dll,-105: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
WUDFRd: system32\DRIVERS\WUDFRd.sys (manual start)
@%SystemRoot%\system32\wudfsvc.dll,-1000: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller: system32\DRIVERS\yk60x86.sys (manual start)
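An added triage example, written for this page rather than taken from the thread or from HijackThis/StartupList: the services section above runs to several hundred lines, and the useful first cut is to parse each `<display name>: <command line> (<start mode>)` line and shortlist the entries that start on their own (`system` or `autostart`) from a binary outside the Windows directory. The script assumes Windows is installed at C:\Windows and Program Files at C:\Program Files (Vista defaults), and runs over a constructed sample that copies the path shapes seen in the log: bare `system32\...` paths, `%SystemRoot%`, `\SystemRoot\`, `\??\` object-manager paths, and quoted paths followed by arguments.

```python
import re

# Assumed install locations (Vista defaults); adjust if the log came from a
# machine with Windows or Program Files elsewhere.
SYSTEM_ROOT = r"c:\windows"
PROGRAM_FILES = r"c:\program files"

# Environment variables StartupList leaves unexpanded in service image paths.
ENV = {
    "%systemroot%": SYSTEM_ROOT,
    "%windir%": SYSTEM_ROOT,
    "%programfiles%": PROGRAM_FILES,
}

# Start modes as StartupList prints them; "system" and "autostart" run without
# anyone asking, so those are the ones worth a second look.
AUTO_STARTS = {"system", "autostart"}

# One service per line: "<display name>: <command line> (<start mode>)".
LINE_RE = re.compile(
    r"^(?P<name>.+?): (?P<cmd>.+) \((?P<start>system|autostart|manual start|disabled)\)$"
)
# First token of the command line that ends in a binary extension, quotes stripped.
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|sys|dll))"?(?:\s|$)', re.IGNORECASE)

# Constructed sample, not the poster's full log: a few lines in the same
# format covering the path shapes that appear in the thread.
SAMPLE_SERVICES = r"""
Microsoft ACPI Driver: system32\drivers\acpi.sys (system)
@%SystemRoot%\system32\aelupsvc.dll,-1: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
AMON: \SystemRoot\system32\drivers\amon.sys (autostart)
Apple Mobile Device: "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" (autostart)
int15: \??\C:\Acer\Empowering Technology\eRecovery\int15.sys (autostart)
pgfilter: \??\D:\Program Files\PeerGuardian2\pgfilter.sys (manual start)
NOD32 Kernel Service: "D:\Program Files\Eset\nod32krn.exe" (autostart)
Visual Studio 2005 Remote Debugger: "C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 (disabled)
"""


def image_path(cmd):
    """Return the binary a service command line runs, without its arguments."""
    m = IMAGE_RE.match(cmd)
    if m:
        return m.group("path")
    # e.g. "%systemroot%\system32\msiexec /V": no extension, take the first token
    return cmd.strip('"').split()[0]


def normalize(path):
    """Turn the path forms StartupList prints into one lower-case Win32 path."""
    p = path
    if p.startswith("\\??\\"):      # NT object-manager prefix; a full Win32 path follows
        p = p[4:]
    low = p.lower()
    if low.startswith("\\systemroot\\"):   # kernel-style \SystemRoot\... driver path
        p = SYSTEM_ROOT + p[len("\\systemroot"):]
    else:
        for var, value in ENV.items():
            if low.startswith(var):
                p = value + p[len(var):]
                break
        else:
            if not re.match(r"^[a-z]:\\", low):   # bare "system32\..." is relative to Windows
                p = SYSTEM_ROOT + "\\" + p
    return p.lower()


def in_windows_dir(path):
    return path.startswith(SYSTEM_ROOT + "\\")


def parse_services(text):
    """Parse a StartupList services section into dicts of name, path and start mode."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # headers, blank lines, other sections
        entries.append({
            "name": m.group("name"),
            "path": normalize(image_path(m.group("cmd"))),
            "start": m.group("start"),
        })
    return entries


def shortlist(text):
    """Entries that start on their own from outside the Windows directory."""
    return [e for e in parse_services(text)
            if e["start"] in AUTO_STARTS and not in_windows_dir(e["path"])]


if __name__ == "__main__":
    for e in shortlist(SAMPLE_SERVICES):
        print(f'{e["start"]:9}  {e["name"]}  ->  {e["path"]}')
```

Run over the full services section posted above, the same filter surfaces the Acer Empowering Technology services, the ESET, Symantec, Apple, LightScribe, CyberLink and SQL Server entries, and nothing named like Pure Hole Hole or Ford Keep Barb, which fits the file showing up as a startup program rather than as a service. The location filter is a place to start, not a verdict: AMON in the sample is not a Microsoft component, yet it passes because it sits in system32\drivers, and a malicious driver dropped there would pass too. Check the publisher signature or hash of anything on the shortlist before acting on it.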
Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 07:09:51 AM

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\Windows\system32\webcheck.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 52,983 bytes
Report generated in 0.640 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only
Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 07:10:28 AM
 Volume in drive C is ACER
 Volume Serial Number is 3056-A0AA

 Directory of C:\Users\K!R\Application Data

 Volume in drive C is ACER
 Volume Serial Number is 3056-A0AA

 Directory of C:\Users\Kir\Application Data

 Volume in drive C is ACER
 Volume Serial Number is 3056-A0AA

 Directory of C:\Users\All Users\Application Data

 Volume in drive C is ACER
 Volume Serial Number is 3056-A0AA

 Directory of C:\Users\Default\Application Data

 Volume in drive C is ACER
 Volume Serial Number is 3056-A0AA

 Directory of C:\Users\Default User\Application Data

Title: Re: Pure Hole Hole
Post by: CBMatt on October 04, 2007, 08:16:01 AM
Okay, your infection doesn't seem to be as serious as I had thought it was going to be.  That's usually a good sign.  Heh.  I've attached a zip file...in it is a reg file.  Run that file and when prompted, click Yes.  This will delete the infection's key in the registry.

Then...download CCleaner (http://www.ccleaner.com) (install without Yahoo! toolbar) and configure it according to this guide (http://www.computerhope.com/forum/index.php/topic,22078.0.html).

And if it still exists, try using Pocket KillBox (http://www.bleepingcomputer.com/files/killbox.php) to delete C:\ProgramData\Pure Hole Hole.wybxn8j.  I would then like to see a new HijackThis log.
Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 08:30:10 AM
I can't seem to find the attachment that you said you attached... and sorry to bother you so much.
Title: Re: Pure Hole Hole
Post by: CBMatt on October 04, 2007, 08:44:08 AM
Sorry, Zakir, the upload folder is full, so I can't attach the file right now.  Instead, I'll tell you how to make it yourself.  Copy everything in the quote box below...

Quote
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"FunkItch" =-

Then open up Notepad and paste the contents.  Go to File > Save As...  Next to Save as Type select All Files and name the file badkey.reg and save it to your desktop.  You can then run the file like I previously instructed.

And don't worry, you're not a bother at all.  This is what I'm here for!
Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 09:13:52 AM
I did what you asked and used Pocket KillBox, and there are still 2 Pure Hole Hole files in my ProgramData directory, one is a .0v203 file and the other a .wybxn8j file... and I did reboot after I did all that.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:55 PM, on 4/10/2007
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
D:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
D:\Program Files\Vidalia Bundle\Tor\tor.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 09:14:31 AM

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sg.rd.yahoo.com/customize/ycomp/defaults/sp/*http://sg.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.sg.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.sg.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://sg.rd.yahoo.com/customize/ycomp/defaults/su/*http://sg.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7Pro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - D:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [NOD32 Control Center] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Eset\NOD32 Control Center.lnk
O4 - HKCU\..\Run: [Launch Manager] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Launch Manager\Launch Manager.LNK
O4 - HKCU\..\Run: [PeerGuardian] D:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Vidalia] "D:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [FunkItch] "C:\ProgramData\Pure Hole Hole.wybxn8j"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Privoxy.lnk = D:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: Download ALL with IDA - D:\Program Files\IDA\idaieall.htm
O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
O8 - Extra context menu item: Download with IDA - D:\Program Files\IDA\idaie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7Pro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7Pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Program Files\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Program Files\IDA\ida.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://npsdmail3.np.edu.sg/dwa7W.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F4E9FB3-923F-4BED-B23D-5037D93AF3E4}: NameServer = 218.186.1.38,202.156.1.68
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: eNetHook.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\Program Files\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe

--
End of file - 9818 bytes
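The O4 line for FunkItch in the log above is the persistence point: the Run value does not point at an .exe but at a data file, C:\ProgramData\Pure Hole Hole.wybxn8j. Explorer launches Run values through the shell (which is why the .lnk entries in the same key work), so Windows hands a data file to whatever program is registered for its extension, which is what the "Opens with: Ford Keep Barb" in the opening post describes for the .0v203 twin. The script below is an added example, not code from this thread, from HijackThis or from any other tool named here. It parses O4 lines (the sample lines are copied from the log above), flags any entry whose target has a non-executable extension or sits directly in C:\ProgramData, and builds the same kind of value-deleting .reg file CBMatt describes, keyed to the Run hive the log actually reports. The .0v203 handler path is an assumption pieced together from the opening post's Properties dialog and the SUPERAntiSpyware hit later in the thread.

```python
"""Triage HijackThis O4 autorun lines for Lop-style persistence.

Added example (not from the thread or from HijackThis). Sample lines are
copied from the posted log; the .0v203 handler is an assumption built from
the opening post ("Opens with: Ford Keep Barb") and the later SAS hit.
"""
import re
from pathlib import PureWindowsPath

# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".lnk"}
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE", "HKUS": "HKEY_USERS"}
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Assumed association (constructed from the thread, not read from a registry):
# .0v203 "opens with" Ford Keep Barb, which SAS found under grim program active.
ASSOC = {".0v203": r"C:\ProgramData\grim program active\Ford Keep Barb.exe"}

# Constructed sample: a subset of the O4 lines from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [NOD32 Control Center] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Eset\NOD32 Control Center.lnk
O4 - HKCU\..\Run: [FunkItch] "C:\ProgramData\Pure Hole Hole.wybxn8j"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""


def extract_target(cmd: str) -> str:
    """Return the file the shell will open for a Run value's command line."""
    cmd = re.sub(r"\s*\(User '[^']*'\)$", "", cmd.strip())  # drop HijackThis annotation
    if cmd.startswith('"'):                                  # quoted path, args may follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # unquoted: take up to the first known extension, else up to the first switch
    m = re.match(r"(?i)(.+?\.(?:exe|com|scr|pif|bat|cmd|lnk|dll))(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split(" /")[0]


def resolve_handler(ext: str):
    """Program the shell would launch for a data file with this extension."""
    return ASSOC.get(ext.lower())


def triage(log: str) -> list:
    """Flag Run values that launch data files or files dropped in ProgramData."""
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        target = PureWindowsPath(extract_target(m["cmd"]))
        ext = target.suffix.lower()
        reasons = []
        if ext not in EXEC_EXT:
            # A data file runs whatever HKCR maps its extension to, not itself.
            handler = resolve_handler(ext) or "unknown, inspect HKCR\\" + ext
            reasons.append("non-executable extension %r, opened by: %s" % (ext, handler))
        if str(target.parent).lower() == r"c:\programdata":
            reasons.append("file dropped directly in C:\\ProgramData")
        if reasons:
            findings.append({"hive": m["hive"], "name": m["name"],
                             "target": str(target), "reasons": reasons})
    return findings


def reg_removal(findings) -> str:
    """Build a .reg file that deletes each flagged value (the "name"=- syntax)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for f in findings:
        root, _, rest = f["hive"].partition("\\")   # HKUS\S-1-5-19 -> HKEY_USERS\S-1-5-19
        key = "\\".join(p for p in (HIVES[root], rest, RUN_SUBKEY) if p)
        lines += [f"[{key}]", f'"{f["name"]}"=-', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f'{h["hive"]}\\..\\Run [{h["name"]}] -> {h["target"]}')
        for r in h["reasons"]:
            print("   ", r)
    print(reg_removal(hits))
```

Only FunkItch trips both checks in the sample. Deleting that value removes the relaunch but not the registered handler or the executables SUPERAntiSpyware flags in grim program active and Long slow road itch, which fits the file coming back after each reboot; those are the pieces the later SAS and ComboFix passes go after.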
Title: Re: Pure Hole Hole
Post by: CBMatt on October 04, 2007, 09:33:55 AM
This file is deciding to be a bit stubborn, I see.  I hate to give you more "homework", but download SUPERAntiSpyware (http://www.superantispyware.com), update it, and scan with it in Safe Mode.  Then go ahead and post the log here.  To retrieve the removal information after reboot, launch SUPERAntiSpyware again.  Click Preferences, then click the Statistics/Logs tab. Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

Then...download ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your desktop.  Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says.  Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt.  Go ahead and post that here.  Note: Don't click on the window while it's running; this may cause stalls.
Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 10:51:10 AM
After about an hour of scanning, it finally finished... don't worry about giving me homework, you're helping me ;D

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/05/2007 at 00:37 AM

Application Version : 3.9.1008

Core Rules Database Version : 3318
Trace Rules Database Version: 1319

Scan type       : Complete Scan
Total Scan Time : 00:39:12

Memory items scanned      : 258
Memory threats detected   : 0
Registry items scanned    : 10005
Registry threats detected : 0
File items scanned        : 70068
File threats detected     : 6

Adware.Lop-Variant
   C:\PROGRAMDATA\GRIM PROGRAM ACTIVE\FORD KEEP BARB.EXE
   C:\PROGRAMDATA\GRIM PROGRAM ACTIVE\LBPZYDCB.EXE
   C:\PROGRAMDATA\LONG SLOW ROAD ITCH\SOFT NAME.EXE
   C:\USERS\ALL USERS\GRIM PROGRAM ACTIVE\FORD KEEP BARB.EXE
   C:\USERS\ALL USERS\GRIM PROGRAM ACTIVE\LBPZYDCB.EXE
   C:\USERS\ALL USERS\LONG SLOW ROAD ITCH\SOFT NAME.EXE



Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 10:52:18 AM
ComboFix 07-10-04.6 - K!R 2007-10-05  0:45:36.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.1.1033.18.169 [GMT 8:00]
Running from: C:\Users\K!R\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\K!R\AppData\Roaming\inst.exe
C:\Windows\system32\x64

.
(((((((((((((((((((((((((   Files Created from 2007-09-04 to 2007-10-04  )))))))))))))))))))))))))))))))
.

2007-10-05 00:44   51,200   --a------   C:\Windows\NirCmd.exe
2007-10-04 23:43   <DIR>   d--------   C:\Users\K!R\AppData\Roaming\SUPERAntiSpyware.com
2007-10-04 23:43   <DIR>   d--------   C:\Users\All Users\SUPERAntiSpyware.com
2007-10-04 23:43   <DIR>   d--------   C:\ProgramData\SUPERAntiSpyware.com
2007-10-04 22:58   <DIR>   dr-------   C:\!KillBox
2007-10-04 20:53   318   --a------   C:\delete.bat
2007-10-02 10:10   <DIR>   d--------   C:\Users\All Users\Long slow road itch
2007-10-02 10:10   <DIR>   d--------   C:\ProgramData\Long slow road itch
2007-10-02 10:09   <DIR>   d--------   C:\Users\All Users\grim program active
2007-10-02 10:09   <DIR>   d--------   C:\ProgramData\grim program active
2007-09-30 18:08   <DIR>   d--------   C:\Users\K!R\AppData\Roaming\Joost
2007-09-30 16:44   <DIR>   d--------   C:\Users\K!R\dwhelper
2007-09-28 16:40   <DIR>   d--------   C:\Users\All Users\p9-55-6o-55-93-56
2007-09-28 16:40   <DIR>   d--------   C:\ProgramData\p9-55-6o-55-93-56
2007-09-28 15:47   <DIR>   d--------   C:\Users\All Users\p9-55-2n-55-93-56
2007-09-28 15:47   <DIR>   d--------   C:\ProgramData\p9-55-2n-55-93-56
2007-09-27 17:30   <DIR>   dr-h-----   C:\Users\K!R\AppData\Roaming\SecuROM
2007-09-26 14:08   0   --a------   C:\Windows\Infob.dat
2007-09-26 14:08   0   --a------   C:\Windows\Infoa.dat
2007-09-24 09:31   <DIR>   d--------   C:\Users\K!R\AppData\Roaming\Vidalia
2007-09-24 09:31   <DIR>   d--------   C:\Users\K!R\AppData\Roaming\tor
2007-09-21 17:04   <DIR>   d--------   C:\Program Files\Common Files\Apple
2007-09-21 17:01   <DIR>   d--------   C:\Users\All Users\Apple
2007-09-21 17:01   <DIR>   d--------   C:\ProgramData\Apple
2007-09-21 17:01   <DIR>   d--------   C:\Program Files\Apple Software Update
2007-09-19 06:54   <DIR>   d--------   C:\Users\K!R\AppData\Roaming\vlc
2007-09-19 05:50   <DIR>   d--------   C:\Program Files\Microsoft Works
2007-09-19 05:41   <DIR>   dr-h-----   C:\MSOCache
2007-09-19 05:35   <DIR>   d--------   C:\Users\K!R\AppData\Roaming\Audacity
2007-09-19 04:51   <DIR>   d--------   C:\Users\K!R\AppData\Roaming\uTorrent
2007-09-19 04:28   86,016   --a------   C:\Windows\System32\AddiTunes.exe
2007-09-19 04:28   626,688   --a------   C:\Windows\System32\NCTImageFile.dll
2007-09-19 04:28   61,440   --a------   C:\Windows\System32\cygz.dll
2007-09-19 04:28   4,755,968   --a------   C:\Windows\System32\apexconverter.exe
2007-09-19 04:28   398,798   --a------   C:\Windows\System32\apexpmp.exe
2007-09-19 04:28   3,138,048   --a------   C:\Windows\System32\apexxbox.exe
2007-09-19 04:28   120,320   --a------   C:\Windows\System32\apexchanger.exe
2007-09-19 04:28   109,568   --a------   C:\Windows\System32\apex3gp.exe
2007-09-19 04:28   1,295,582   --a------   C:\Windows\System32\cygwin1.dll
2007-09-19 04:27   764,416   --a------   C:\Windows\System32\NCTRMFile.dll
2007-09-19 04:27   495,104   --a------   C:\Windows\System32\NCTVideoCoreM.dll
2007-09-19 04:27   382,464   --a------   C:\Windows\System32\NCTAVIFile.dll
2007-09-19 04:27   249,856   --a------   C:\Windows\System32\NCTQuickTimeFile.dll
2007-09-19 04:16   217,127   --a------   C:\Windows\System32\drv43260.dll
2007-09-19 04:16   208,935   --a------   C:\Windows\System32\drv33260.dll
2007-09-19 04:16   176,165   --a------   C:\Windows\System32\drv23260.dll
2007-09-19 03:18   29,704   --a------   C:\Windows\System32\uxtuneup.dll
2007-09-19 03:18   16,904   --a------   C:\Windows\System32\authuitu.dll
2007-09-19 03:16   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 03:10   512,096   --a------   C:\Windows\System32\drivers\amon.sys
2007-09-19 03:10   298,104   --a------   C:\Windows\System32\imon.dll
2007-09-19 03:10   15,424   --a------   C:\Windows\System32\drivers\nod32drv.sys
2007-09-18 02:23   823,296   --a------   C:\Windows\System32\divx_xx0c.dll
2007-09-18 02:23   823,296   --a------   C:\Windows\System32\divx_xx07.dll
2007-09-18 02:22   802,816   --a------   C:\Windows\System32\divx_xx11.dll
2007-09-18 02:22   739,840   --a------   C:\Windows\System32\DivX.dll
2007-09-18 01:51   685,816   --a------   C:\Windows\System32\drivers\sptd.sys
2007-09-17 17:49   89,360   --a------   C:\Windows\System32\VB5DB.DLL
2007-09-17 17:49   86,016   --a------   C:\Windows\unvise32qt.exe
2007-09-17 17:49   69,632   --a------   C:\Windows\System32\xmltok.dll
2007-09-17 17:49   505,104   --a------   C:\Windows\System32\msxml.dll
2007-09-17 17:49   36,864   --a------   C:\Windows\System32\xmlparse.dll
2007-09-17 17:49   28,432   --a------   C:\Windows\System32\msxmlr.dll
2007-09-17 17:49   26,088   --a------   C:\Windows\System32\xmlinst.exe
2007-09-17 17:49   24,576   --a------   C:\Windows\System32\msxml3a.dll
2007-09-17 17:48   <DIR>   d--------   C:\Users\All Users\QuickTime
2007-09-17 17:48   <DIR>   d--------   C:\ProgramData\QuickTime
2007-09-16 00:14   <DIR>   d--------   C:\Users\K!R\.dwa_store
2007-09-15 10:09   <DIR>   d--------   C:\Users\All Users\p9-55-60-55-55-7s
2007-09-15 10:09   <DIR>   d--------   C:\ProgramData\p9-55-60-55-55-7s
2007-09-14 22:02   <DIR>   d--------   C:\Users\All Users\55-55-55-55-55-55
2007-09-14 22:02   <DIR>   d--------   C:\ProgramData\55-55-55-55-55-55
2007-09-14 22:00   <DIR>   d--------   C:\Windows\Monopoly Here & Now Edition
2007-09-14 22:00   <DIR>      C:\Program Files\Monopoly
2007-09-13 18:48   <DIR>   d--------   C:\Program Files\Common Files\Steam
2007-09-13 12:17   49,664   --a------   C:\Windows\SSMaui Wowee.scr
2007-09-13 12:14   802,816   --a------   C:\Windows\FeedingFrenzy.scr
2007-09-13 12:13   57,344   --a------   C:\Windows\System32\Big Kahuna Reef.scr
2007-09-13 12:12   389,120   --a------   C:\Windows\Adventure Inlay.scr
2007-09-12 18:24   <DIR>   d--------   C:\Users\K!R\AppData\Roaming\GetRightToGo
2007-09-12 07:14   156,992   --a------   C:\Windows\System32\DivXCodecVersionChecker.exe
2007-09-11 14:01   360,448   --a------   C:\Windows\System32\NCTWMAFile.dll
2007-09-11 14:01   1,703,936   --a------   C:\Windows\System32\NCTAudioFile.dll
2007-09-07 01:56   35   --a------   C:\Windows\popcinfo.dat
2007-09-05 18:48   139,264   --a------   C:\Windows\System32\eax.dll
2007-09-05 18:48   <DIR>   d--------   C:\Program Files\Creative
2007-09-05 18:47   233,472   -ra------   C:\Windows\System32\MafiaSetup.exe
2007-09-05 18:42   233,472   -ra------   C:\Users\K!R\AppData\Roaming\MafiaSetup.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 10:52:38 AM
.
2007-10-02 10:31   ---------   d--h-----   C:\Program Files\InstallShield Installation Information
2007-10-01 04:10   ---------   d--------   C:\Users\K!R\AppData\Roaming\Internet Download Accelerator
2007-09-26 17:31   ---------   d--------   C:\Users\K!R\AppData\Roaming\Vso
2007-09-24 08:48   ---------   d--------   C:\Users\K!R\AppData\Roaming\FrostWire
2007-09-21 17:18   ---------   d--------   C:\ProgramData\Apple Computer
2007-09-21 17:07   ---------   d--------   C:\Users\K!R\AppData\Roaming\Apple Computer
2007-09-19 05:53   ---------   d--------   C:\ProgramData\Microsoft Help
2007-09-19 05:49   ---------   d--------   C:\Program Files\MSBuild
2007-09-19 05:43   ---------   d--------   C:\Program Files\Microsoft Visual Studio 8
2007-09-19 04:16   47360   --a------   C:\Users\K!R\AppData\Roaming\pcouffin.sys
2007-09-19 03:45   ---------   d--------   C:\Program Files\Common Files\PX Storage Engine
2007-09-15 08:04   ---------   d--------   C:\Program Files\IE7pro
2007-09-12 09:53   ---------   d--------   C:\Program Files\Windows Mail
2007-09-10 23:58   319984   --a------   C:\Windows\DIFxAPI.dll
2007-08-31 01:05   174   --ahs----   C:\Program Files\desktop.ini
2007-08-30 20:02   704000   --a------   C:\Windows\System32\PhotoScreensaver.scr
2007-08-30 20:01   88576   --a------   C:\Windows\System32\avifil32.dll
2007-08-30 20:01   82944   --a------   C:\Windows\System32\mciavi32.dll
2007-08-30 20:01   8138240   --a------   C:\Windows\System32\ssBranded.scr
2007-08-30 20:01   712192   --a------   C:\Windows\System32\WindowsCodecs.dll
2007-08-30 20:01   69632   --a------   C:\Windows\System32\sendmail.dll
2007-08-30 20:01   65024   --a------   C:\Windows\System32\avicap32.dll
2007-08-30 20:01   61440   --a------   C:\Windows\System32\ntprint.exe
2007-08-30 20:01   3504824   --a------   C:\Windows\System32\ntkrnlpa.exe
2007-08-30 20:01   3470008   --a------   C:\Windows\System32\ntoskrnl.exe
2007-08-30 20:01   31232   --a------   C:\Windows\System32\msvidc32.dll
2007-08-30 20:01   269824   --a------   C:\Windows\System32\schannel.dll
2007-08-30 20:01   220160   --a------   C:\Windows\System32\ntprint.dll
2007-08-30 20:01   1984512   --a------   C:\Windows\System32\authui.dll
2007-08-30 20:01   12800   --a------   C:\Windows\System32\msrle32.dll
2007-08-30 20:01   123904   --a------   C:\Windows\System32\msvfw32.dll
2007-08-30 20:01   120320   --a------   C:\Windows\System32\dhcpcsvc6.dll
2007-08-30 20:01   10240   --a------   C:\Windows\System32\dhcpcmonitor.dll
2007-08-29 20:45   ---------   d--------   C:\Program Files\Windows Calendar
2007-08-29 20:04   8192   --a------   C:\Windows\System32\riched32.dll
2007-08-29 20:04   77824   --a------   C:\Windows\System32\rascfg.dll
2007-08-29 20:04   70144   --a------   C:\Windows\system32\drivers\pacer.sys
2007-08-29 20:04   694784   --a------   C:\Windows\System32\localspl.dll
2007-08-29 20:04   61952   --a------   C:\Windows\system32\drivers\wanarp.sys
2007-08-29 20:04   619008   --a------   C:\Windows\system32\drivers\dxgkrnl.sys
2007-08-29 20:04   52736   --a------   C:\Windows\System32\rasdiag.dll
2007-08-29 20:04   48640   --a------   C:\Windows\system32\drivers\ndproxy.sys
2007-08-29 20:04   384000   --a------   C:\Windows\System32\netcfgx.dll
2007-08-29 20:04   36864   --a------   C:\Windows\System32\cdd.dll
2007-08-29 20:04   33280   --a------   C:\Windows\System32\traffic.dll
2007-08-29 20:04   32768   --a------   C:\Windows\System32\rasmxs.dll
2007-08-29 20:04   286208   --a------   C:\Windows\System32\ipnathlp.dll
2007-08-29 20:04   22016   --a------   C:\Windows\System32\rasser.dll
2007-08-29 20:04   20480   --a------   C:\Windows\system32\drivers\ndistapi.sys
2007-08-29 20:04   15360   --a------   C:\Windows\System32\pacerprf.dll
2007-08-29 20:04   13824   --a------   C:\Windows\System32\wshqos.dll
2007-08-29 20:04   13824   --a------   C:\Windows\System32\icsunattend.exe
2007-08-29 20:04   134656   --a------   C:\Windows\System32\dps.dll
2007-08-29 20:03   750080   --a------   C:\Windows\System32\qmgr.dll
2007-08-22 03:35   53080   --a------   C:\Windows\System32\wuauclt.exe
2007-08-22 03:35   43352   --a------   C:\Windows\System32\wups2.dll
2007-08-22 03:35   1712984   --a------   C:\Windows\System32\wuaueng.dll
2007-08-22 03:35   1524224   --a------   C:\Windows\System32\wucltux.dll
2007-08-22 03:34   80896   --a------   C:\Windows\System32\wudriver.dll
2007-08-22 03:34   549720   --a------   C:\Windows\System32\wuapi.dll
2007-08-22 03:34   33624   --a------   C:\Windows\System32\wups.dll
2007-08-22 03:33   31232   --a------   C:\Windows\System32\wuapp.exe
2007-08-22 03:33   163000   --a------   C:\Windows\System32\wuwebv.dll
2007-08-21 08:26   81920   --a------   C:\Windows\System32\dpl100.dll
2007-08-21 08:26   196608   --a------   C:\Windows\System32\dtu100.dll
2007-08-17 23:31   ---------   d--------   C:\Users\K!R\AppData\Roaming\Sports Interactive
2007-08-17 23:27   ---------   d--------   C:\Users\Kir\AppData\Roaming\TuneUp Software
2007-08-17 23:16   ---------   d--------   C:\Users\Kir\AppData\Roaming\Logitech
2007-08-17 19:43   ---------   d--------   C:\Program Files\Common Files\InstallShield
2007-08-16 06:33   524288   --a------   C:\Windows\System32\DivXsm.exe
2007-08-16 06:33   3596288   --a------   C:\Windows\System32\qt-dx331.dll
2007-08-16 06:33   200704   --a------   C:\Windows\System32\ssldivx.dll
2007-08-16 06:33   1044480   --a------   C:\Windows\System32\libdivx.dll
2007-08-16 06:31   593920   --a------   C:\Windows\System32\dpuGUI11.dll
2007-08-16 06:31   57344   --a------   C:\Windows\System32\dpv11.dll
2007-08-16 06:31   53248   --a------   C:\Windows\System32\dpuGUI10.dll
2007-08-16 06:31   344064   --a------   C:\Windows\System32\dpus11.dll
2007-08-16 06:31   294912   --a------   C:\Windows\System32\dpu11.dll
2007-08-16 06:31   294912   --a------   C:\Windows\System32\dpu10.dll
2007-08-16 06:30   12288   --a------   C:\Windows\System32\DivXWMPExtType.dll
2007-08-15 04:44   8147968   --a------   C:\Windows\System32\wmploc.DLL
2007-08-15 04:44   7680   --a------   C:\Windows\System32\spwmp.dll
2007-08-15 04:44   4096   --a------   C:\Windows\System32\dxmasf.dll
2007-08-15 04:43   1191936   --a------   C:\Windows\System32\msxml3.dll
2007-08-15 04:37   1335296   --a------   C:\Windows\System32\msxml6.dll
2007-08-15 04:35   56320   --a------   C:\Windows\System32\iesetup.dll
2007-08-15 04:35   52736   --a------   C:\Windows\AppPatch\iebrshim.dll
2007-08-15 04:35   26624   --a------   C:\Windows\System32\ieUnatt.exe
2007-08-07 18:09   ---------   d--------   C:\Program Files\MSN Messenger
2007-07-27 07:06   129784   ---------   C:\Windows\System32\pxafs.dll
2007-07-27 07:06   120056   ---------   C:\Windows\System32\pxcpyi64.exe
2007-07-27 07:06   118520   ---------   C:\Windows\System32\pxinsi64.exe
2007-07-11 09:02   86016   --a------   C:\Windows\System32\icfupgd.dll
2007-07-11 09:02   61952   --a------   C:\Windows\System32\cmifw.dll
2007-07-11 09:02   396800   --a------   C:\Windows\System32\MPSSVC.dll
2007-07-11 09:02   392192   --a------   C:\Windows\System32\FirewallAPI.dll
2007-07-11 09:02   374456   --a------   C:\Windows\System32\mcupdate_GenuineIntel.dll
2007-07-11 09:02   178688   --a------   C:\Windows\System32\iphlpsvc.dll
2007-07-11 09:02   16896   --a------   C:\Windows\System32\wfapigp.dll
2007-07-11 09:00   57856   --a------   C:\Windows\System32\SLUINotify.dll
2007-06-09 12:06:50   56   --sha-r   C:\Windows\System32\B309C375B6.sys
2007-06-09 12:06:59   3,766   --sha-w   C:\Windows\System32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 10:53:02 AM
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-03-30 11:04]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-03-30 11:04]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-03-30 11:04]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-06 14:23]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"nod32kui"="D:\Program Files\Eset\nod32kui.exe" [2007-09-19 03:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"="" []
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 20:35]
"NOD32 Control Center"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Eset\NOD32 Control Center.lnk" [2007-09-19 03:10]
"Launch Manager"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Launch Manager\Launch Manager.LNK" [2007-04-16 20:07]
"PeerGuardian"="D:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40]
"Vidalia"="D:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe" [2007-08-26 14:02]
"FunkItch"="C:\ProgramData\Pure Hole Hole.wybxn8j" [2007-10-04 19:49]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-03 17:55:50]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-04-25 23:37:48]
Privoxy.lnk - D:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 22:30:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=eNetHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\Windows\pss\AutoCAD Startup Accelerator.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=C:\Windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^K!R^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Users\K!R\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\Windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program files\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\?????????]
??????????????e

R0 PSDFilter;PSDFilter;C:\Windows\system32\DRIVERS\psdfilter.sys
R0 PSDNServ;PSDNSERVER;C:\Windows\system32\drivers\PSDNServ.sys
R0 psdvdisk;psdvdisk;C:\Windows\system32\drivers\psdvdisk.sys
R2 eDataSecurity Service;eDataSecurity Service;"C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe"
R2 eNet Service;eNet Service;C:\Acer\Empowering Technology\eNet\eNet Service.exe
R2 eSettingsService;eSettings Service;C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
R2 int15;int15;\??\C:\Acer\Empowering Technology\eRecovery\int15.sys
R2 MobilityService;MobilityService;C:\Acer\Mobility Center\MobilityService.exe -p
R2 UxTuneUp;TuneUp Theme Extension;C:\Windows\System32\svchost.exe -k netsvcs
R2 WMIService;ePower Service;C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\Windows\system32\DRIVERS\DKbFltr.sys
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys
R3 LUsbFilt;Logitech SetPoint KMDF USB Filter;C:\Windows\system32\Drivers\LUsbFilt.Sys
R3 NETw3v32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw3v32.sys
R3 pgfilter;pgfilter;\??\D:\Program Files\PeerGuardian2\pgfilter.sys
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\Windows\system32\DRIVERS\snp2uvc.sys
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\C:\Windows\System32\DRIVERS\ASPI32.sys
S3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys
S3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys
S3 btwavdt;Bluetooth AVDT Service;C:\Windows\system32\drivers\btwavdt.sys
S3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe /RunAsService
S3 WimFltr;WimFltr;C:\Windows\system32\DRIVERS\wimfltr.sys
S3 WSVD;WSVD;\??\C:\Windows\system32\drivers\WSVD.sys
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted   hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs   BthServ

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-09-28 11:55:47 C:\Windows\Tasks\1-Click Maintenance.job"
- D:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-10-04 06:57:07 C:\Windows\Tasks\User_Feed_Synchronization-{371CCB78-4DF7-4D0F-9081-6B14D59BC5D5}.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-05 00:48:21
Windows 6.0.6000  NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-05  0:49:30
C:\ComboFix-quarantined-files.txt ... 2007-10-05 00:49
.
   --- E O F ---
Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 10:55:14 AM
This is the HijackThis log file after the scans.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:26 AM, on 5/10/2007
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
D:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\ehome\ehmsas.exe
D:\Program Files\Eset\nod32kui.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
D:\Program Files\Vidalia Bundle\Tor\tor.exe
D:\Program Files\PeerGuardian2\pg2.exe
C:\Windows\explorer.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Title: Re: Pure Hole Hole
Post by: Zakir on October 04, 2007, 10:55:35 AM
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.sg.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.sg.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://sg.rd.yahoo.com/customize/ycomp/defaults/su/*http://sg.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7Pro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - D:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [NOD32 Control Center] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Eset\NOD32 Control Center.lnk
O4 - HKCU\..\Run: [Launch Manager] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Launch Manager\Launch Manager.LNK
O4 - HKCU\..\Run: [PeerGuardian] D:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Vidalia] "D:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [FunkItch] "C:\ProgramData\Pure Hole Hole.wybxn8j"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Privoxy.lnk = D:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: Download ALL with IDA - D:\Program Files\IDA\idaieall.htm
O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
O8 - Extra context menu item: Download with IDA - D:\Program Files\IDA\idaie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7Pro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7Pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Program Files\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - D:\Program Files\IDA\ida.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://npsdmail3.np.edu.sg/dwa7W.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F4E9FB3-923F-4BED-B23D-5037D93AF3E4}: NameServer = 218.186.1.38,202.156.1.68
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: eNetHook.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\Program Files\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe

--
End of file - 9708 bytes