Metalhead's (aka JSP) OnLineGames Trojan

I’m starting a thread for Metalhead with his HJT log from here

http://forum.avast.com/index.php?topic=29308.0

Please post a ComboFix log as well.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

OK cool, I'll do that when I get home.

Do you also have removable drives? If you do, they could be infected.

Yeah, I have a removable drive. It was infected; I had it formatted, so I think it's fine now. Here's my ComboFix log:
http://www.sendspace.com/file/ju55mv

Upload these files to VirusTotal for analysis and paste the results in your next response:

C:\WINDOWS\system32\d3d8caps.dat

C:\WINDOWS\system32\d3d9caps.dat

C:\WINDOWS\scunin.dat

Then run SDFix

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press “Enter”.
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix folder will be extracted to %systemdrive%\ (the drive that contains the Windows directory, typically C:\SDFix). Open the SDFix folder in Safe Mode, then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

Now we will create a registry fix.

If you don't already have ERUNT (I think you do), download it from here and back up your entire registry:

http://www.snapfiles.com/get/erunt.html

Having done that we will create a registry fix. Copy and paste ALL of the information below in the quote box to a notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

Oh, and keep that external drive away from this computer for the time being.

OK cool, I'll get it done when I'm home.

I'm currently scanning the three files on VirusTotal; I will post the results when done.

File d3d8caps.dat

Antivirus Version Last Update Result
AhnLab-V3 2007.7.18.0 2007.07.19 no virus found
AntiVir 7.4.0.44 2007.07.19 no virus found
Authentium 4.93.8 2007.07.19 no virus found
Avast 4.7.997.0 2007.07.18 no virus found
AVG 7.5.0.476 2007.07.18 no virus found
BitDefender 7.2 2007.07.19 no virus found
CAT-QuickHeal 9.00 2007.07.18 no virus found
ClamAV devel-20070416 2007.07.19 no virus found
DrWeb 4.33 2007.07.19 no virus found
eSafe 7.0.15.0 2007.07.17 no virus found
eTrust-Vet 30.8.3794 2007.07.19 no virus found
Ewido 4.0 2007.07.19 no virus found
FileAdvisor 1 2007.07.19 no virus found
Fortinet 2.91.0.0 2007.07.19 no virus found
F-Prot 4.3.2.48 2007.07.19 no virus found
F-Secure 6.70.13030.0 2007.07.19 no virus found
Ikarus T3.1.1.8 2007.07.19 no virus found
Kaspersky 4.0.2.24 2007.07.19 no virus found
McAfee 5077 2007.07.18 no virus found
Microsoft 1.2704 2007.07.19 no virus found
NOD32v2 2406 2007.07.19 no virus found
Norman 5.80.02 2007.07.19 no virus found
Panda 9.0.0.4 2007.07.19 no virus found
Sophos 4.19.0 2007.07.17 no virus found
Sunbelt 2.2.907.0 2007.07.19 no virus found
Symantec 10 2007.07.19 no virus found
TheHacker 6.1.7.149 2007.07.18 no virus found
VBA32 3.12.2.1 2007.07.19 no virus found
VirusBuster 4.3.26:9 2007.07.19 no virus found
Webwasher-Gateway 6.0.1 2007.07.19 no virus found
Aditional information
File size: 1632 bytes
MD5: 0142928fe854a7bd3eb00a8a9f21dc05
SHA1: f9569cb7bf7bd83c350c3c59efbc1f98e5abdc55

Here's the second one, C:\WINDOWS\system32\d3d9caps.dat

Antivirus Version Last Update Result
AhnLab-V3 2007.7.18.0 2007.07.19 no virus found
AntiVir 7.4.0.44 2007.07.19 no virus found
Authentium 4.93.8 2007.07.19 no virus found
Avast 4.7.997.0 2007.07.18 no virus found
AVG 7.5.0.476 2007.07.18 no virus found
BitDefender 7.2 2007.07.19 no virus found
CAT-QuickHeal 9.00 2007.07.18 no virus found
ClamAV devel-20070416 2007.07.19 no virus found
DrWeb 4.33 2007.07.19 no virus found
eSafe 7.0.15.0 2007.07.17 no virus found
eTrust-Vet 30.8.3794 2007.07.19 no virus found
Ewido 4.0 2007.07.19 no virus found
FileAdvisor 1 2007.07.19 no virus found
Fortinet 2.91.0.0 2007.07.19 no virus found
F-Prot 4.3.2.48 2007.07.19 no virus found
F-Secure 6.70.13030.0 2007.07.19 no virus found
Ikarus T3.1.1.8 2007.07.19 no virus found
Kaspersky 4.0.2.24 2007.07.19 no virus found
McAfee 5077 2007.07.18 no virus found
Microsoft 1.2704 2007.07.19 no virus found
NOD32v2 2406 2007.07.19 no virus found
Norman 5.80.02 2007.07.19 no virus found
Panda 9.0.0.4 2007.07.19 no virus found
Sophos 4.19.0 2007.07.17 no virus found
Sunbelt 2.2.907.0 2007.07.19 no virus found
Symantec 10 2007.07.19 no virus found
TheHacker 6.1.7.149 2007.07.18 no virus found
VBA32 3.12.2.1 2007.07.19 no virus found
VirusBuster 4.3.26:9 2007.07.19 no virus found
Webwasher-Gateway 6.0.1 2007.07.19 no virus found

File scunin.dat received

Antivirus Version Last Update Result
AhnLab-V3 2007.7.18.0 2007.07.19 no virus found
AntiVir 7.4.0.44 2007.07.19 no virus found
Authentium 4.93.8 2007.07.19 no virus found
Avast 4.7.997.0 2007.07.18 no virus found
AVG 7.5.0.476 2007.07.18 no virus found
BitDefender 7.2 2007.07.19 no virus found
CAT-QuickHeal 9.00 2007.07.19 no virus found
ClamAV devel-20070416 2007.07.19 no virus found
DrWeb 4.33 2007.07.19 no virus found
eSafe 7.0.15.0 2007.07.17 no virus found
eTrust-Vet 30.8.3794 2007.07.19 no virus found
Ewido 4.0 2007.07.19 no virus found
FileAdvisor 1 2007.07.19 no virus found
Fortinet 2.91.0.0 2007.07.19 no virus found
F-Prot 4.3.2.48 2007.07.19 no virus found
F-Secure 6.70.13030.0 2007.07.19 no virus found
Ikarus T3.1.1.8 2007.07.19 no virus found
Kaspersky 4.0.2.24 2007.07.19 no virus found
McAfee 5077 2007.07.18 no virus found
Microsoft 1.2704 2007.07.19 no virus found
NOD32v2 2406 2007.07.19 no virus found
Norman 5.80.02 2007.07.19 no virus found
Panda 9.0.0.4 2007.07.19 no virus found
Sophos 4.19.0 2007.07.17 no virus found
Sunbelt 2.2.907.0 2007.07.19 no virus found
Symantec 10 2007.07.19 no virus found
TheHacker 6.1.7.149 2007.07.18 no virus found
VBA32 3.12.2.1 2007.07.19 no virus found
VirusBuster 4.3.26:9 2007.07.19 no virus found
Webwasher-Gateway 6.0.1 2007.07.19 no virus found

And the SDFix log ?

I can't find the SDFix log, I'll try to look for it again. Did the things you told me; the Win trojan is still there.

See if you can find c:\rapport.txt

And don’t worry - we’ll get this sorted.

EDIT: I’ll be out of town for a couple days. If you get this posted I’ll take a look when I’m back.

OK cool, thanks man.

I found the report; it had this:

SDFix: Version 1.91

Run by EDISON on 20/07/2007 Fri at 10:28 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: D:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

I’m posting your initial ComboFix log just to make things easier for me.

"EDISON" - 2007-07-16 22:36:19 - ComboFix 07-07-13.8 - Service Pack 2 NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\Relive.dll
C:\Program Files\Internet Explorer\msvcrt.bak
C:\Program Files\Internet Explorer\msvcrt.dll

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\msdirectx

((((((((((((((((((((((((( Files Created from 2007-06-16 to 2007-07-16 )))))))))))))))))))))))))))))))

2007-07-16 22:25 d-------- C:\WINDOWS\ERUNT
2007-07-16 22:10 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-16 12:18 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-07-16 12:17 d-------- C:\DOCUME~1\EDISON\APPLIC~1\SUPERAntiSpyware.com
2007-07-16 12:17 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-19 12:08 d-------- C:\Program Files\iTunes
2007-06-19 12:08 d-------- C:\Program Files\iPod
2007-06-19 12:06 d-------- C:\Program Files\QuickTime
2007-06-19 04:34 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-06-18 21:38 d-------- C:\DOCUME~1\EDISON\APPLIC~1\WinRAR

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-16 02:16:42 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-07-15 13:14:42 1,632 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-07-08 08:29:16 1,744 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-06-20 00:02:06 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-06-14 11:35:30 33,439 ----a-w C:\WINDOWS\scunin.dat
2007-06-14 11:35:27 967 ----a-w C:\WINDOWS\ScUnin.pif
2007-06-14 11:35:26 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2007-06-12 11:36:02 -------- d-----w C:\Program Files\Messenger Plus! Live
2007-06-12 11:36:00 -------- d-----w C:\Program Files\Windows Live
2007-06-03 08:58:30 -------- d-----w C:\DOCUME~1\EDISON\APPLIC~1\Nokia
2007-06-03 08:54:38 -------- d-----w C:\DOCUME~1\EDISON\APPLIC~1\Datalayer
2007-06-03 08:50:09 -------- d-----w C:\Program Files\Nokia
2007-06-03 08:41:53 -------- d-----w C:\DOCUME~1\EDISON\APPLIC~1\PC Suite
2007-06-03 08:41:49 -------- d-----w C:\Program Files\DIFX
2007-06-03 08:40:49 -------- d-----w C:\Program Files\Common Files\PCSuite
2007-06-03 08:40:49 -------- d-----w C:\Program Files\Common Files\Nokia
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-29 00:54:41 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-04-28 03:25:08 60,637 ----a-w C:\WINDOWS\War3Unin.dat
2007-04-28 02:36:16 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2007-04-28 02:36:15 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2007-04-16 12:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 12:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 12:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 12:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 12:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}]
2007-05-19 04:17 452160 --a------ D:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{9030D464-4C02-4ABF-8ECC-5164760863C6}]
2006-04-17 13:32 323904 --a------ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
2006-01-17 15:04 282624 --a------ C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{D3626E66-B13B-C628-ACDF-BDABCFA265E1}]
C:\Program Files\Common Files\Relive.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-05-01 01:42]
“Zone Labs Client”=“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [2007-03-09 00:02]
“H2O”=“C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe” [2005-10-23 00:00]
“ZoneAlarm Client”=“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [2007-03-09 00:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 17:56]
“msnmsgr”=“C:\Program Files\MSN Messenger\msnmsgr.exe” [2007-01-19 11:54]
“SUPERAntiSpyware”=“D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{0FAD2E16-C8EF-5AC1-1E6A-AE3FD8EF56B3}”=“C:\Program Files\Internet Explorer\msvcrt.dll”
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”=“D:\Program Files\SUPERAntiSpyware\SASSEH.DLL” [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll --a------ 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
“appinit_dlls”=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\upnpdrv]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
backup=C:\WINDOWS\pss\GetRight - Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^EDISON^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\EDISON\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
“C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
“C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
“C:\Program Files\iTunes\iTunesHelper.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
“C:\Program Files\Messenger\msmsgs.exe” /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
“C:\Program Files\MSN Messenger\msnmsgr.exe” /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
“C:\Program Files\QuickTime\qttask.exe” -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAM Idle Professional]
C:\Program Files\RAM Idle\RAM_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StormCodec_Helper]
“C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe” /S /opti

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
“C:\Program Files\TrojanHunter 4.2\THGuard.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB0_0_0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
D:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
“C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe” -quiet

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
AutoRun\command- J:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
AutoRun\command- K:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
AutoRun\command- L:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{90273ea1-d444-11da-bca3-00a1b1ff1156}]
Auto\command- M:\Ghost.pif
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Ghost.pif

Contents of the ‘Scheduled Tasks’ folder
2007-07-12 01:50:05 C:\WINDOWS\tasks\AppleSoftwareUpdate.job


catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-16 22:50:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


Completion time: 2007-07-16 22:55:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt … 2007-07-16 22:55

--- E O F ---

Download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop but don’t do anything with it yet.

Next download ERUNT from here and back up your entire registry http://www.snapfiles.com/get/erunt.html

Now we will create a registry fix. Copy and paste ALL of the information below in the quote box to a notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{D3626E66-B13B-C628-ACDF-BDABCFA265E1}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D3626E66-B13B-C628-ACDF-BDABCFA265E1}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90273ea1-d444-11da-bca3-00a1b1ff1156}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0FAD2E16-C8EF-5AC1-1E6A-AE3FD8EF56B3}"=-

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done with this step.

Now open OTMoveIt and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\Common Files\Relive.dll
C:\Program Files\Internet Explorer\msvcrt.bak
C:\Program Files\Internet Explorer\msvcrt.dll

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button. It is possible some or all of these files will not be found; don't worry if that happens. Copy everything on the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply with a new ComboFix log, then a HJT log (run in that order).
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Now, since SDFix did not run successfully the first time run it again and post that log after the ComboFix and HJT logs.
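As an added example (not from this thread, ComboFix, or any of the tools it names), here is a small Python dry-run checker for a REGEDIT4 fix file of the kind pasted above: it enforces the "nothing above REGEDIT4" rule the post insists on, rejects the curly quotes a forum copy-paste often introduces (regedit will not merge them), and lists every key and value the merge would delete before you merge it. The sample file embedded in it is constructed to mirror the thread's fix.

```python
import re

# Constructed sample fix file, same shape as the one in the thread:
# "[-KEY]" deletes a whole key, '"name"=-' deletes one value under a key.
SAMPLE_FIX_REG = (
    "REGEDIT4\n"
    "\n"
    "[-HKEY_CLASSES_ROOT\\CLSID\\{D3626E66-B13B-C628-ACDF-BDABCFA265E1}]\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    "\\Explorer\\ShellExecuteHooks]\n"
    "\"{0FAD2E16-C8EF-5AC1-1E6A-AE3FD8EF56B3}\"=-\n"
)

CURLY_QUOTES = "\u201c\u201d\u2018\u2019"          # typographic quotes from forum paste
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')          # "name"=data


def parse_fix_reg(text):
    """Dry-run a REGEDIT4 fix file without touching the registry.

    Returns (errors, actions) where actions are tuples:
      ("delete_key", key)
      ("delete_value", key, name)
      ("set_value", key, name, data)
    and errors are reasons regedit would reject or misapply the file.
    """
    errors, actions = [], []
    lines = text.splitlines()
    # regedit only accepts the file if the header is the very first line
    if not lines or lines[0].strip() != "REGEDIT4":
        errors.append("first line must be REGEDIT4 (no blank line or text above it)")
    current_key = None
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line:
            continue
        if any(ch in line for ch in CURLY_QUOTES):
            errors.append(f"line {lineno}: curly quotes; regedit needs straight ASCII quotes")
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                actions.append(("delete_key", key[1:]))
                current_key = None      # no value lines belong to a deleted key
            else:
                current_key = key
            continue
        m = VALUE_LINE.match(line)
        if m is None:
            errors.append(f"line {lineno}: unrecognised line {line!r}")
            continue
        if current_key is None:
            errors.append(f"line {lineno}: value line outside any [KEY] section")
            continue
        name, data = m.group(1), m.group(2)
        if data == "-":
            actions.append(("delete_value", current_key, name))
        else:
            actions.append(("set_value", current_key, name, data))
    return errors, actions


if __name__ == "__main__":
    errs, acts = parse_fix_reg(SAMPLE_FIX_REG)
    for act in acts:
        print(act)
    for err in errs:
        print("ERROR:", err)
```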

OK cool, I'll do that now.