Browser Hijacking



tbri1559
2007-04-23, 03:25
Hi,
I've gone through the whole process of Safe Mode and HJT. Hopefully I've got it right and got the information you require.

HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 10:16:35 AM, on 23/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\jbrdewvm.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\monitorbk.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Anti-Spyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mops.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B03C0099-B2F4-4913-85EF-D31AE8103997} - c:\windows\system32\mlfamlf.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [jbrdewvm] C:\WINDOWS\system32\jbrdewvm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jbrdewvm] C:\WINDOWS\system32\jbrdewvm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINDOWS\SYSTEM32\monitorbk.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: oimzfaex - C:\WINDOWS\SYSTEM32\mlfamlf.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Online Anti-Virus Log:


Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Program Files\Kazaa\bdcore.dll.updpnd
Adware:Adware/KeenValue Not disinfected C:\Program Files\Kazaa\PerfectNavUninstall.exe
Adware:adware/savenow Not disinfected C:\WINDOWS\Downloaded Program Files\WUInst.inf
Potentially unwanted tool:application/bestoffer Not disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/Popuper Not disinfected C:\WINDOWS\SYSTEM32\mlfamlf.dll
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\SYSTEM32\P2P Networking v124.cpl
Adware:Adware/Popuper Not disinfected C:\WINDOWS\SYSTEM32\qchxqoad.dll
Adware:Adware/Lop Not disinfected C:\WINDOWS\winhp32.exe
Adware:Adware/Lop Not disinfected C:\WINDOWS\winlogon32.exe
Thank you for your help!
Tom
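As an added triage example (not part of the thread, and not code from HijackThis, SDFix or ComboFix), the script below applies the kind of checks a forum helper does by eye to the log above: it cross-references O2 (BHO), O4 (Run key) and O20 (Winlogon Notify) load points against the online scanner's "Not disinfected" hits and against a small baseline of expected system32 autoruns and Winlogon Notify packages. The sample lines and both baselines are constructed for the example; the baselines are an assumption, not an authoritative list, and a hit only means "look closer", not "delete".

```python
import re

# Constructed sample HijackThis-style lines of the kinds seen in the thread
# (a hand-picked subset, not the poster's full log).
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mops.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B03C0099-B2F4-4913-85EF-D31AE8103997} - c:\windows\system32\mlfamlf.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [jbrdewvm] C:\WINDOWS\system32\jbrdewvm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: oimzfaex - C:\WINDOWS\SYSTEM32\mlfamlf.dll
"""

# Constructed sample of the online scanner's "Incident / Status / Location" lines.
SAMPLE_AV = r"""
Adware:Adware/Popuper Not disinfected C:\WINDOWS\SYSTEM32\mlfamlf.dll
Adware:Adware/Lop Not disinfected C:\WINDOWS\winlogon32.exe
"""

# Assumed baselines (constructed for this example, not an authoritative list):
# system32 binaries that commonly autorun on XP, and Winlogon Notify packages
# shipped with XP SP2. Anything outside these gets a closer look.
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe", "dsentry.exe"}
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                         "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

RE_O2 = re.compile(r"^O2 - BHO: (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$")
RE_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
RE_AV = re.compile(r"^(\S+)\s+Not disinfected\s+(.+)$")


def command_path(cmd):
    """Pull the executable path out of a Run-key command line."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.(?:exe|dll|cpl|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def parse_hjt_line(line):
    """Return (kind, name, path) for the O2/O4/O20 lines this triage looks at."""
    if m := RE_O2.match(line):
        return "O2", m.group(1), m.group(2)
    if m := RE_O4.match(line):
        return "O4", m.group(2), command_path(m.group(3))
    if m := RE_O20.match(line):
        return "O20", m.group(1), m.group(2)
    return None


def parse_av(text):
    """Map lowercase file path -> detection name from the scanner report."""
    hits = {}
    for line in text.splitlines():
        if m := RE_AV.match(line.strip()):
            hits[m.group(2).strip().lower()] = m.group(1)
    return hits


def in_system32(path):
    return "\\system32\\" in path.lower()


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def triage(hjt_text, av_text):
    """Cross-reference HJT load points with the scanner report and baselines."""
    av_hits = parse_av(av_text)
    findings = []
    for raw in hjt_text.splitlines():
        entry = parse_hjt_line(raw.strip())
        if entry is None:
            continue
        kind, name, path = entry
        p = path.lower()
        reasons = []
        if p in av_hits:
            reasons.append(f"scanner detection: {av_hits[p]}")
        if kind == "O2" and name == "(no name)" and in_system32(p):
            reasons.append("unnamed BHO loaded from system32")
        if kind == "O4" and in_system32(p) and basename(p) not in KNOWN_SYSTEM32_AUTORUNS:
            reasons.append("system32 autorun not in baseline")
        if kind == "O20" and name.lower() not in KNOWN_WINLOGON_NOTIFY:
            reasons.append("Winlogon Notify package not in baseline")
        if reasons:
            findings.append({"kind": kind, "name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT, SAMPLE_AV):
        print(f"{f['kind']:4} {f['path']}\n     -> {'; '.join(f['reasons'])}")
```

Run on the sample, the same DLL surfaces twice (once as an unnamed BHO, once as a Winlogon Notify package) with the scanner's detection attached to both, which is exactly the pattern that makes a helper treat it as the load point to remove first; the Apoint, ctfmon and SDHelper entries pass untouched because they are either outside system32 or on the baseline.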

Angelfire777
2007-04-23, 03:57
Hi, welcome to Safer Networking forums!

I noticed that you are not running any AntiVirus application. You could get infected immediately after we clean you up. Please download and install ONE of these:

» Avast! (http://www.asw.cz/eng/avast_4_home.html)
» AVG AntiVirus (http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-virus-free)
» AntiVir (http://www.free-av.com/)


*Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
Press any key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
Finally, paste the contents of Report.txt back on the forum.


*Download combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

1. Double click combofix.exe & follow the prompts.
2. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

On your next reply, please post the combofix log, SDFix log and a new HijackThis log.

tbri1559
2007-04-23, 07:08
Hi,
Thanks very much for your help, much appreciated. I have taken the steps you advised. Here are the logs you requested:

The combofix log is in a couple of parts because of the length.

Combofix Log:
"Campbell Bridge" - 07-04-23 13:47:28 Service Pack 2
ComboFix 07-04-22.6V - Running from: "C:\Documents and Settings\Campbell Bridge\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\mlfamlf.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\422113034.dll
C:\DOCUME~1\CAMPBE~1\Desktop\internet.lnk
C:\Program Files\install.log
C:\WINDOWS\system32\drivers\usyudhjd.sys
C:\WINDOWS\system32\mlfamlf.dll


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\hiytdfzv
-------\LEGACY_HIYTDFZV


((((((((((((((((((((((((((((((( Files Created from 2007-03-23 to 2007-04-23 ))))))))))))))))))))))))))))))))))


2007-04-23 12:23 499,712 --a------ C:\WINDOWS\SYSTEM32\msvcp71.dll
2007-04-23 12:23 348,160 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-04-23 12:19 21,299,912 --a------ C:\Program Files\avg75free_463a1000.exe
2007-04-23 10:12 <DIR> d-------- C:\Anti-Spyware
2007-04-23 08:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-04-22 21:30 9,216 --a------ C:\WINDOWS\winlogon32.exe
2007-04-22 21:29 5,632 --a------ C:\WINDOWS\winlogon32.dll
2007-04-22 19:19 <DIR> d-------- C:\WINDOWS\Prefetch
2007-04-22 11:51 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-21 20:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-21 15:51 <DIR> d-------- C:\Program Files\CCleaner
2007-04-21 14:20 <DIR> d-------- C:\DOCUME~1\CAMPBE~1\APPLIC~1\SpywareBot
2007-04-21 12:44 <DIR> d-------- C:\16e7a3799cc4ff36826d19da47c626
2007-04-20 14:47 842,672 --a------ C:\Program Files\slsk156c.exe
2007-04-20 14:47 <DIR> d-------- C:\Program Files\Soulseek
2007-04-20 14:15 28,672 --------- C:\WINDOWS\SYSTEM32\verclsid.exe
2007-04-20 14:06 <DIR> d-------- C:\Program Files\iPod
2007-04-20 14:06 <DIR> d-------- C:\DOCUME~1\CAMPBE~1\APPLIC~1\Apple Computer
2007-04-20 14:05 <DIR> d-------- C:\Program Files\iTunes
2007-04-20 14:04 <DIR> d-------- C:\Program Files\QuickTime
2007-04-20 14:03 <DIR> d-------- C:\Program Files\Apple Software Update
2007-04-20 14:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-04-20 14:01 37,860,928 --a------ C:\Program Files\iTunesSetup.exe
2007-04-20 08:23 44,032 --a------ C:\WINDOWS\SYSTEM32\apwdscfn.dll
2007-04-20 08:23 131,584 --a------ C:\WINDOWS\SYSTEM32\mntrycpo.dll
2007-04-20 08:23 100,864 --a------ C:\WINDOWS\SYSTEM32\qchxqoad.dll
2007-04-20 08:17 138,752 --a------ C:\WINDOWS\SYSTEM32\diceuaaa.exe
2007-04-19 00:26 <DIR> d-------- C:\DOCUME~1\CAMPBE~1\APPLIC~1\AdobeAUM
2007-04-19 00:23 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-04-19 00:10 21,822,168 --a------ C:\Program Files\AdbeRdr80_en_US.exe
2007-04-19 00:05 811,560 --a------ C:\Program Files\GoogleToolbarInstaller_ADBx_en_401019_signed.exe
2007-04-19 00:05 7,050,552 --a------ C:\Program Files\psa30se_en_us.exe
2007-04-18 23:53 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-04-18 23:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2007-04-18 16:51 95,424 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slnthal.sys
2007-04-18 16:51 9,216 --------- C:\WINDOWS\SYSTEM32\proxycfg.exe
2007-04-18 16:51 73,216 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atintuxx.sys
2007-04-18 16:51 701,440 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys
2007-04-18 16:51 685,056 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hsfcxts2.sys
2007-04-18 16:51 67,584 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sdbus.sys
2007-04-18 16:51 63,663 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1rvxx.sys
2007-04-18 16:51 63,488 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinxsxx.sys
2007-04-18 16:51 6,016 --------- C:\WINDOWS\SYSTEM32\DRIVERS\smbali.sys
2007-04-18 16:51 59,648 --------- C:\WINDOWS\SYSTEM32\DRIVERS\rfcomm.sys
2007-04-18 16:51 59,392 --------- C:\WINDOWS\SYSTEM32\logman.exe
2007-04-18 16:51 57,856 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinbtxx.sys
2007-04-18 16:51 56,623 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1btxx.sys
2007-04-18 16:51 52,224 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinraxx.sys
2007-04-18 16:51 46,464 --------- C:\WINDOWS\SYSTEM32\DRIVERS\gagp30kx.sys
2007-04-18 16:51 452,736 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtxparhm.sys
2007-04-18 16:51 44,672 --------- C:\WINDOWS\SYSTEM32\DRIVERS\uagp35.sys
2007-04-18 16:51 404,990 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slntamr.sys
2007-04-18 16:51 4,255 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv01nt5.dll
2007-04-18 16:51 38,016 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthmodem.sys
2007-04-18 16:51 36,463 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1tuxx.sys
2007-04-18 16:51 36,096 --------- C:\WINDOWS\SYSTEM32\DRIVERS\intelppm.sys
2007-04-18 16:51 35,456 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthprint.sys
2007-04-18 16:51 34,735 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1xsxx.sys
2007-04-18 16:51 327,040 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtaa.sys
2007-04-18 16:51 31,744 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinxbxx.sys
2007-04-18 16:51 30,671 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1raxx.sys
2007-04-18 16:51 30,080 --------- C:\WINDOWS\SYSTEM32\DRIVERS\rndismpx.sys
2007-04-18 16:51 3,967 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv02nt5.dll
2007-04-18 16:51 3,901 --------- C:\WINDOWS\SYSTEM32\DRIVERS\siint5.dll
2007-04-18 16:51 3,775 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv11nt5.dll
2007-04-18 16:51 3,711 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv09nt5.dll
2007-04-18 16:51 3,647 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv07nt5.dll
2007-04-18 16:51 3,615 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv05nt5.dll
2007-04-18 16:51 3,135 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv08nt5.dll
2007-04-18 16:51 29,455 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1xbxx.sys
2007-04-18 16:51 29,056 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ip6fw.sys
2007-04-18 16:51 28,672 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinsnxx.sys
2007-04-18 16:51 274,304 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2007-04-18 16:51 262,784 --------- C:\WINDOWS\SYSTEM32\DRIVERS\http.sys
2007-04-18 16:51 26,367 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1snxx.sys
2007-04-18 16:51 25,600 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hidbth.sys
2007-04-18 16:51 25,471 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv04nt5.dll
2007-04-18 16:51 220,032 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hsfbs2s2.sys
2007-04-18 16:51 21,343 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1ttxx.sys
2007-04-18 16:51 21,183 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv01nt5.dll
2007-04-18 16:51 180,360 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ntmtlfax.sys
2007-04-18 16:51 18,944 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthusb.sys
2007-04-18 16:51 17,279 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv10nt5.dll
2007-04-18 16:51 17,024 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthenum.sys
2007-04-18 16:51 166,912 --------- C:\WINDOWS\SYSTEM32\DRIVERS\s3gnbm.sys
2007-04-18 16:51 15,488 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mssmbios.sys
2007-04-18 16:51 15,423 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ch7xxnt5.dll
2007-04-18 16:51 15,104 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hidir.sys
2007-04-18 16:51 14,336 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinpdxx.sys
2007-04-18 16:51 14,143 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv06nt5.dll
2007-04-18 16:51 13,824 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinttxx.sys
2007-04-18 16:51 13,824 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinmdxx.sys
2007-04-18 16:51 13,776 --------- C:\WINDOWS\SYSTEM32\DRIVERS\recagent.sys
2007-04-18 16:51 13,240 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slwdmsup.sys
2007-04-18 16:51 129,535 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slnt7554.sys
2007-04-18 16:51 128,896 --------- C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2007-04-18 16:51 126,686 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtlmnt5.sys
2007-04-18 16:51 12,672 --------- C:\WINDOWS\SYSTEM32\DRIVERS\usb8023x.sys
2007-04-18 16:51 12,672 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mutohpen.sys
2007-04-18 16:51 12,047 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1pdxx.sys
2007-04-18 16:51 11,615 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1mdxx.sys
2007-04-18 16:51 11,359 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv02nt5.dll
2007-04-18 16:51 11,136 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sffdisk.sys
2007-04-18 16:51 104,960 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinrvxx.sys
2007-04-18 16:51 100,992 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthpan.sys
2007-04-18 16:51 10,240 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sffp_sd.sys
2007-04-18 16:51 1,309,184 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtlstrm.sys
2007-04-18 16:51 1,041,536 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hsfdpsp2.sys
2007-04-18 16:50 88,064 --------- C:\WINDOWS\SYSTEM32\p2pnetsh.dll
2007-04-18 16:50 870,784 --------- C:\WINDOWS\SYSTEM32\ati3d1ag.dll
2007-04-18 16:50 86,016 --------- C:\WINDOWS\SYSTEM32\p2pgasvc.dll
2007-04-18 16:50 81,920 --------- C:\WINDOWS\SYSTEM32\ieencode.dll
2007-04-18 16:50 81,408 --------- C:\WINDOWS\SYSTEM32\wscsvc.dll
2007-04-18 16:50 8,192 --------- C:\WINDOWS\SYSTEM32\smbinst.exe
2007-04-18 16:50 78,464 --------- C:\WINDOWS\SYSTEM32\DRIVERS\usbvideo.sys
2007-04-18 16:50 75,776 --------- C:\WINDOWS\SYSTEM32\strmfilt.dll
2007-04-18 16:50 73,832 --------- C:\WINDOWS\SYSTEM32\slcoinst.dll
2007-04-18 16:50 73,796 --------- C:\WINDOWS\SYSTEM32\slserv.exe
2007-04-18 16:50 71,680 --------- C:\WINDOWS\SYSTEM32\blastcln.exe
2007-04-18 16:50 7,680 --------- C:\WINDOWS\SYSTEM32\kbdsmsno.dll
2007-04-18 16:50 7,680 --------- C:\WINDOWS\SYSTEM32\kbdsmsfi.dll
2007-04-18 16:50 7,168 --------- C:\WINDOWS\SYSTEM32\kbdukx.dll
2007-04-18 16:50 7,168 --------- C:\WINDOWS\SYSTEM32\kbdno1.dll
2007-04-18 16:50 7,168 --------- C:\WINDOWS\SYSTEM32\kbdfi1.dll
2007-04-18 16:50 60,416 --------- C:\WINDOWS\SYSTEM32\fwcfg.dll
2007-04-18 16:50 6,656 --------- C:\WINDOWS\SYSTEM32\kbdinmal.dll
2007-04-18 16:50 6,656 --------- C:\WINDOWS\SYSTEM32\kbdinben.dll
2007-04-18 16:50 6,144 --------- C:\WINDOWS\SYSTEM32\kbdmlt48.dll
2007-04-18 16:50 6,144 --------- C:\WINDOWS\SYSTEM32\kbdmlt47.dll
2007-04-18 16:50 6,144 --------- C:\WINDOWS\SYSTEM32\kbdinbe1.dll
2007-04-18 16:50 526,848 --------- C:\WINDOWS\SYSTEM32\p2psvc.dll
2007-04-18 16:50 516,768 --------- C:\WINDOWS\SYSTEM32\ativvaxx.dll
2007-04-18 16:50 50,688 --------- C:\WINDOWS\SYSTEM32\btpanui.dll
2007-04-18 16:50 50,176 --------- C:\WINDOWS\SYSTEM32\xmlprovi.dll
2007-04-18 16:50 5,632 --------- C:\WINDOWS\SYSTEM32\kbdmaori.dll
2007-04-18 16:50 49,152 --------- C:\WINDOWS\SYSTEM32\powercfg.exe
2007-04-18 16:50 48,640 --------- C:\WINDOWS\SYSTEM32\pnrpnsp.dll
2007-04-18 16:50 44,032 --------- C:\WINDOWS\SYSTEM32\twext.dll
2007-04-18 16:50 397,056 --------- C:\WINDOWS\SYSTEM32\s3gnb.dll
2007-04-18 16:50 377,984 --------- C:\WINDOWS\SYSTEM32\ati2dvaa.dll
2007-04-18 16:50 32,866 --------- C:\WINDOWS\SYSTEM32\slrundll.exe
2007-04-18 16:50 32,866 --------- C:\WINDOWS\slrundll.exe
2007-04-18 16:50 32,768 --------- C:\WINDOWS\SYSTEM32\ativtmxx.dll
2007-04-18 16:50 32,285 --------- C:\WINDOWS\SYSTEM32\hsfcisp2.dll
2007-04-18 16:50 312,320 --------- C:\WINDOWS\SYSTEM32\p2pgraph.dll
2007-04-18 16:50 30,208 --------- C:\WINDOWS\SYSTEM32\bthserv.dll
2007-04-18 16:50 29,184 --------- C:\WINDOWS\SYSTEM32\sdhcinst.dll
2007-04-18 16:50 286,792 --------- C:\WINDOWS\SYSTEM32\slextspk.dll
2007-04-18 16:50 25,471 --------- C:\WINDOWS\SYSTEM32\DRIVERS\watv10nt.sys
2007-04-18 16:50 24,576 --------- C:\WINDOWS\SYSTEM32\httpapi.dll
2007-04-18 16:50 23,040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2007-04-18 16:50 229,376 --------- C:\WINDOWS\SYSTEM32\ati2cqag.dll
2007-04-18 16:50 22,271 --------- C:\WINDOWS\SYSTEM32\DRIVERS\watv06nt.sys
2007-04-18 16:50 201,728 --------- C:\WINDOWS\SYSTEM32\ati2dvag.dll
2007-04-18 16:50 20,992 --------- C:\WINDOWS\SYSTEM32\bthci.dll
2007-04-18 16:50 2,113,536 --------- C:\WINDOWS\SYSTEM32\dxdiagn.dll
2007-04-18 16:50 193,024 --------- C:\WINDOWS\SYSTEM32\fsquirt.exe
2007-04-18 16:50 188,508 --------- C:\WINDOWS\SYSTEM32\slgen.dll
2007-04-18 16:50 17,408 --------- C:\WINDOWS\SYSTEM32\winshfhc.dll
2007-04-18 16:50 16,896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2007-04-18 16:50 15,872 --------- C:\WINDOWS\SYSTEM32\w3ssl.dll
2007-04-18 16:50 14,336 --------- C:\WINDOWS\SYSTEM32\auditusr.exe
2007-04-18 16:50 13,824 --------- C:\WINDOWS\SYSTEM32\wscntfy.exe
2007-04-18 16:50 13,824 --------- C:\WINDOWS\SYSTEM32\cmsetacl.dll
2007-04-18 16:50 13,568 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wacompen.sys
2007-04-18 16:50 129,536 --------- C:\WINDOWS\SYSTEM32\xmlprov.dll
2007-04-18 16:50 118,784 --------- C:\WINDOWS\SYSTEM32\msdadiag.dll
2007-04-18 16:50 116,224 --------- C:\WINDOWS\SYSTEM32\p2p.dll
2007-04-18 16:50 11,935 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv11nt.sys
2007-04-18 16:50 11,871 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv09nt.sys
2007-04-18 16:50 11,807 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv07nt.sys
2007-04-18 16:50 11,325 --------- C:\WINDOWS\SYSTEM32\DRIVERS\vchnt5.dll
2007-04-18 16:50 11,295 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv08nt.sys
2007-04-18 16:50 108,032 --------- C:\WINDOWS\SYSTEM32\wshbth.dll
2007-04-18 16:50 1,888,992 --------- C:\WINDOWS\SYSTEM32\ati3duag.dll
2007-04-18 16:50 1,737,856 --------- C:\WINDOWS\SYSTEM32\mtxparhd.dll
2007-04-18 16:50 1,689,088 --------- C:\WINDOWS\SYSTEM32\d3d9.dll
2007-04-18 16:50 <DIR> d-------- C:\WINDOWS\provisioning
2007-04-18 16:50 <DIR> d-------- C:\WINDOWS\peernet
2007-04-18 16:45 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-04-18 16:37 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-04-18 16:32 <DIR> d-------- C:\WINDOWS\EHome
2007-04-18 16:00 21,822,168 --a------ C:\AdbeRdr80_en_US.exe
2007-04-17 12:20 75,291 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\bkpcmxp.sys
2007-04-17 12:20 73,728 --a------ C:\WINDOWS\SYSTEM32\install.dll
2007-04-17 12:20 61,440 --a------ C:\WINDOWS\SYSTEM32\w32n50.dll
2007-04-17 12:20 462,848 --a------ C:\WINDOWS\SYSTEM32\monitorbk.exe
2007-04-17 12:20 36,864 --a------ C:\WINDOWS\SYSTEM32\WRLSetup.exe
2007-04-17 12:20 16,068 --a------ C:\WINDOWS\SYSTEM32\pcandis5.sys
2007-04-17 12:20 <DIR> d-------- C:\Program Files\Belkin
2007-04-12 16:19 <DIR> d-------- C:\Temp
2007-04-12 16:14 545,560 --a------ C:\AdbeRdr80_DLM_en_US.exe
2007-04-11 20:10 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-04-10 19:52 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-04-10 17:33 <DIR> d-------- C:\DOCUME~1\CAMPBE~1\APPLIC~1\Google
2007-04-10 17:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-04-10 16:45 <DIR> d-------- C:\Program Files\Google
2007-04-09 23:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\SoftwareDistribution
2007-04-09 21:52 <DIR> d-------- C:\Program Files\Yahoo!
2007-04-09 18:18 465,368 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-04-09 18:18 41,432 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-04-09 18:18 194,520 --a------ C:\WINDOWS\SYSTEM32\wuaueng1.dll
2007-04-09 18:18 174,040 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-04-09 18:18 172,504 --a------ C:\WINDOWS\SYSTEM32\wuauclt1.exe
2007-04-09 18:18 127,448 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-04-09 18:18 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-04-03 21:43 <DIR> d-------- C:\Program Files\mIRC
2007-04-03 20:46 <DIR> d-------- C:\DOCUME~1\CAMPBE~1\Contacts
2007-04-03 20:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Live Toolbar
2007-04-03 20:42 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2007-04-03 20:42 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-04-03 20:41 <DIR> d-------- C:\Program Files\MSN Messenger
2007-04-03 20:22 18,040,176 --a------ C:\Install_Messenger_nous.exe

tbri1559
2007-04-23, 07:08
And the second part...


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-23 13:52 79360 --a------ C:\WINDOWS\SYSTEM32\mlfamlf.dll
2007-04-23 12:20 44288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys
2007-04-23 11:03 -------- d-------- C:\Program Files\messenger
2007-04-23 09:20 -------- d-------- C:\Program Files\digital line detect
2007-04-21 21:27 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-04-21 20:48 -------- d-------- C:\Program Files\myway
2007-04-18 22:05 45056 --a------ C:\WINDOWS\ncuninst.exe
2007-04-18 16:50 -------- d-------- C:\Program Files\movie maker
2007-04-18 16:45 -------- d-------- C:\Program Files\windows nt
2007-04-18 16:30 -------- d--h----- C:\Program Files\installshield installation information
2007-04-18 16:30 -------- d-------- C:\Program Files\dell
2007-04-17 16:27 -------- d-------- C:\Program Files\epson
2007-04-09 18:18 -------- d--h----- C:\Program Files\windowsupdate
2007-03-17 23:43 292864 --a------ C:\WINDOWS\SYSTEM32\winsrv.dll
2007-03-09 01:36 577536 --a------ C:\WINDOWS\SYSTEM32\user32.dll
2007-03-09 01:36 40960 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-03-09 01:36 281600 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-03-08 23:47 1843584 --a------ C:\WINDOWS\SYSTEM32\win32k.sys
2007-02-06 06:17 185344 --a------ C:\WINDOWS\SYSTEM32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{B03C0099-B2F4-4913-85EF-D31AE8103997} c:\windows\system32\mlfamlf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Logitech Utility"="Logi_MwX.Exe"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"WorkFlowTray"="\"C:\\Program Files\\ScanSoft\\OmniPagePro14.0\\WorkFlowTray.exe\""
"Opware14"="\"C:\\Program Files\\ScanSoft\\OmniPagePro14.0\\Opware14.exe\""
"OpScheduler"="\"C:\\Program Files\\ScanSoft\\OmniPagePro14.0\\OpScheduler.exe\""
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"RoxioAudioCentral"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"jbrdewvm"="C:\\WINDOWS\\system32\\jbrdewvm.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SpywareBot"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oimzfaex

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
oqnhgqvw

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_HIYTDFZV


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton Security Scan.job
C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-23 13:55:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-23 13:55:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-23 13:55


SD Fix Log:


SDFix: Version 1.79

Run by Campbell Bridge - Mon 23/04/2007 - 13:32:25.30

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\CAMPBE~1\Desktop\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...

Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\SYSTEM32\\P2P Networking\\P2P Networking.exe"="C:\\WINDOWS\\SYSTEM32\\P2P Networking\\P2P Networking.exe:*:Disabled:P2P Networking"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\SYSTEM32\\jbrdewvm.exe"="C:\\WINDOWS\\SYSTEM32\\jbrdewvm.exe:*:Disabled:jbrdewvm"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


Remaining Files:
---------------


Checking For Files with Hidden Attributes:


Finished

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:59:30 PM, on 23/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\SYSTEM32\monitorbk.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Campbell Bridge\Local Settings\Temp\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B03C0099-B2F4-4913-85EF-D31AE8103997} - c:\windows\system32\mlfamlf.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [jbrdewvm] C:\WINDOWS\system32\jbrdewvm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINDOWS\SYSTEM32\monitorbk.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: oimzfaex - C:\WINDOWS\SYSTEM32\mlfamlf.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thanks again,
Tom
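The HijackThis entries in the log above can be triaged mechanically rather than read line by line. The script below is an added example written for this thread, not HijackThis code and not something the posters ran: it parses the O-lines, lifts the module path out of each one, applies a few per-line rules, and then cross-references paths across autostart locations, which is what makes the mlfamlf.dll pair (an unnamed BHO and a Winlogon Notify package pointing at the same DLL) stand out. The sample input is a subset of lines copied from the 1:59 PM log; the allowlist, the severities and the rule wording are this example's own assumptions.

```python
"""Triage a HijackThis 1.99-style log by parsing its O-lines and
cross-referencing the files they point at.

Added example for this thread; not HijackThis code and not something the
posters ran. Allowlist, severities and rule wording are this example's own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: lines copied from the 1:59 PM HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B03C0099-B2F4-4913-85EF-D31AE8103997} - c:\windows\system32\mlfamlf.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [jbrdewvm] C:\WINDOWS\system32\jbrdewvm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: oimzfaex - C:\WINDOWS\SYSTEM32\mlfamlf.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
# First Windows path in the line that ends in a loadable module.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|sys)\b", re.IGNORECASE)
# Illustrative allowlist (an assumption of this example): binaries that
# legitimately autostart straight from system32.
KNOWN_SYSTEM32_AUTOSTART = {"ctfmon.exe"}


@dataclass(frozen=True)
class Entry:
    code: str            # HijackThis line type, e.g. "O20"
    body: str            # everything after "O20 - "
    path: Optional[str]  # lowercased module path, or None if the line names no file


@dataclass(frozen=True)
class Finding:
    severity: str
    code: str
    path: Optional[str]
    reason: str


def parse(log_text: str) -> List[Entry]:
    entries = []
    for raw in log_text.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, "Running processes" list, blank line
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append(Entry(m.group("code"), body, pm.group(0).lower() if pm else None))
    return entries


def correlate(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each module path to the sorted list of line types that reference it."""
    refs = defaultdict(set)
    for e in entries:
        if e.path:
            refs[e.path].add(e.code)
    return {path: sorted(codes) for path, codes in refs.items()}


def triage(entries: List[Entry]) -> List[Finding]:
    findings = []
    for e in entries:
        if e.code == "O20":
            findings.append(Finding("high", e.code, e.path,
                "Winlogon Notify package: loaded into winlogon.exe (SYSTEM) before any user shell"))
        elif e.code == "O2" and e.body.startswith("BHO: (no name)") and e.path:
            findings.append(Finding("medium", e.code, e.path,
                "BHO with no name but a real DLL on disk"))
        elif (e.code == "O4" and e.path and "\\system32\\" in e.path
              and e.path.rsplit("\\", 1)[-1] not in KNOWN_SYSTEM32_AUTOSTART):
            findings.append(Finding("medium", e.code, e.path,
                "Run key launching an unrecognised executable straight from system32"))
        elif e.code == "O23" and " - Unknown owner - " in e.body:
            findings.append(Finding("low", e.code, e.path,
                "service binary carries no vendor information"))
    # The cross-reference: one file registered in several autostart locations.
    for path, codes in correlate(entries).items():
        if len(codes) > 1:
            findings.append(Finding("high", "+".join(codes), path,
                "same file registered under several line types"))
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for f in sorted(triage(parse(SAMPLE_LOG)), key=lambda f: order[f.severity]):
        print(f"[{f.severity:<6}] {f.code:<7} {f.path or '-'}  {f.reason}")
```

Run it as-is to print the findings. Two of the medium hits are expected noise and show why the per-line rules only rank things for review: the Spybot SDHelper.dll BHO is also listed as "(no name)", and DSentry.exe is launched straight from System32, so both have to be cleared by checking vendor and hash. The cross-reference finding needs less judgement; a DLL that is registered both as a browser helper and as a Winlogon notification package is the strongest single signal in this log.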

Angelfire777
2007-04-23, 08:01
Hi, something isn't right here... Could you please run ComboFix one more time, then post the log along with a fresh HijackThis log.

tbri1559
2007-04-23, 08:43
"Campbell Bridge" - 07-04-23 15:22:37 Service Pack 2
ComboFix 07-04-22.6V - Running from: "C:\Documents and Settings\Campbell Bridge\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\mlfamlf.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\drivers\usyudhjd.sys
C:\WINDOWS\system32\mlfamlf.dll


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\hiytdfzv
-------\LEGACY_HIYTDFZV


((((((((((((((((((((((((((((((( Files Created from 2007-03-23 to 2007-04-23 ))))))))))))))))))))))))))))))))))


2007-04-23 13:55 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-23 12:23 499,712 --a------ C:\WINDOWS\SYSTEM32\msvcp71.dll
2007-04-23 12:23 348,160 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-04-23 12:19 21,299,912 --a------ C:\Program Files\avg75free_463a1000.exe
2007-04-23 10:12 <DIR> d-------- C:\Anti-Spyware
2007-04-23 08:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-04-22 21:30 9,216 --a------ C:\WINDOWS\winlogon32.exe
2007-04-22 21:29 5,632 --a------ C:\WINDOWS\winlogon32.dll
2007-04-22 19:19 <DIR> d-------- C:\WINDOWS\Prefetch
2007-04-22 11:51 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-21 20:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-21 15:51 <DIR> d-------- C:\Program Files\CCleaner
2007-04-21 14:20 <DIR> d-------- C:\DOCUME~1\CAMPBE~1\APPLIC~1\SpywareBot
2007-04-21 12:44 <DIR> d-------- C:\16e7a3799cc4ff36826d19da47c626
2007-04-20 14:47 842,672 --a------ C:\Program Files\slsk156c.exe
2007-04-20 14:47 <DIR> d-------- C:\Program Files\Soulseek
2007-04-20 14:15 28,672 --------- C:\WINDOWS\SYSTEM32\verclsid.exe
2007-04-20 14:06 <DIR> d-------- C:\Program Files\iPod
2007-04-20 14:06 <DIR> d-------- C:\DOCUME~1\CAMPBE~1\APPLIC~1\Apple Computer
2007-04-20 14:05 <DIR> d-------- C:\Program Files\iTunes
2007-04-20 14:04 <DIR> d-------- C:\Program Files\QuickTime
2007-04-20 14:03 <DIR> d-------- C:\Program Files\Apple Software Update
2007-04-20 14:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-04-20 14:01 37,860,928 --a------ C:\Program Files\iTunesSetup.exe
2007-04-20 08:23 44,032 --a------ C:\WINDOWS\SYSTEM32\apwdscfn.dll
2007-04-20 08:23 131,584 --a------ C:\WINDOWS\SYSTEM32\mntrycpo.dll
2007-04-20 08:23 100,864 --a------ C:\WINDOWS\SYSTEM32\qchxqoad.dll
2007-04-20 08:17 138,752 --a------ C:\WINDOWS\SYSTEM32\diceuaaa.exe
2007-04-19 00:26 <DIR> d-------- C:\DOCUME~1\CAMPBE~1\APPLIC~1\AdobeAUM
2007-04-19 00:23 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-04-19 00:10 21,822,168 --a------ C:\Program Files\AdbeRdr80_en_US.exe
2007-04-19 00:05 811,560 --a------ C:\Program Files\GoogleToolbarInstaller_ADBx_en_401019_signed.exe
2007-04-19 00:05 7,050,552 --a------ C:\Program Files\psa30se_en_us.exe
2007-04-18 23:53 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-04-18 23:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2007-04-18 16:51 95,424 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slnthal.sys
2007-04-18 16:51 9,216 --------- C:\WINDOWS\SYSTEM32\proxycfg.exe
2007-04-18 16:51 73,216 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atintuxx.sys
2007-04-18 16:51 701,440 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys
2007-04-18 16:51 685,056 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hsfcxts2.sys
2007-04-18 16:51 67,584 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sdbus.sys
2007-04-18 16:51 63,663 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1rvxx.sys
2007-04-18 16:51 63,488 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinxsxx.sys
2007-04-18 16:51 6,016 --------- C:\WINDOWS\SYSTEM32\DRIVERS\smbali.sys
2007-04-18 16:51 59,648 --------- C:\WINDOWS\SYSTEM32\DRIVERS\rfcomm.sys
2007-04-18 16:51 59,392 --------- C:\WINDOWS\SYSTEM32\logman.exe
2007-04-18 16:51 57,856 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinbtxx.sys
2007-04-18 16:51 56,623 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1btxx.sys
2007-04-18 16:51 52,224 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinraxx.sys
2007-04-18 16:51 46,464 --------- C:\WINDOWS\SYSTEM32\DRIVERS\gagp30kx.sys
2007-04-18 16:51 452,736 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtxparhm.sys
2007-04-18 16:51 44,672 --------- C:\WINDOWS\SYSTEM32\DRIVERS\uagp35.sys
2007-04-18 16:51 404,990 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slntamr.sys
2007-04-18 16:51 4,255 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv01nt5.dll
2007-04-18 16:51 38,016 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthmodem.sys
2007-04-18 16:51 36,463 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1tuxx.sys
2007-04-18 16:51 36,096 --------- C:\WINDOWS\SYSTEM32\DRIVERS\intelppm.sys
2007-04-18 16:51 35,456 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthprint.sys
2007-04-18 16:51 34,735 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1xsxx.sys
2007-04-18 16:51 327,040 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtaa.sys
2007-04-18 16:51 31,744 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinxbxx.sys
2007-04-18 16:51 30,671 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1raxx.sys
2007-04-18 16:51 30,080 --------- C:\WINDOWS\SYSTEM32\DRIVERS\rndismpx.sys
2007-04-18 16:51 3,967 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv02nt5.dll
2007-04-18 16:51 3,901 --------- C:\WINDOWS\SYSTEM32\DRIVERS\siint5.dll
2007-04-18 16:51 3,775 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv11nt5.dll
2007-04-18 16:51 3,711 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv09nt5.dll
2007-04-18 16:51 3,647 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv07nt5.dll
2007-04-18 16:51 3,615 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv05nt5.dll
2007-04-18 16:51 3,135 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv08nt5.dll
2007-04-18 16:51 29,455 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1xbxx.sys
2007-04-18 16:51 29,056 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ip6fw.sys
2007-04-18 16:51 28,672 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinsnxx.sys
2007-04-18 16:51 274,304 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2007-04-18 16:51 262,784 --------- C:\WINDOWS\SYSTEM32\DRIVERS\http.sys
2007-04-18 16:51 26,367 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1snxx.sys
2007-04-18 16:51 25,600 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hidbth.sys
2007-04-18 16:51 25,471 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv04nt5.dll
2007-04-18 16:51 220,032 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hsfbs2s2.sys
2007-04-18 16:51 21,343 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1ttxx.sys
2007-04-18 16:51 21,183 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv01nt5.dll
2007-04-18 16:51 180,360 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ntmtlfax.sys
2007-04-18 16:51 18,944 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthusb.sys
2007-04-18 16:51 17,279 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv10nt5.dll
2007-04-18 16:51 17,024 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthenum.sys
2007-04-18 16:51 166,912 --------- C:\WINDOWS\SYSTEM32\DRIVERS\s3gnbm.sys
2007-04-18 16:51 15,488 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mssmbios.sys
2007-04-18 16:51 15,423 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ch7xxnt5.dll
2007-04-18 16:51 15,104 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hidir.sys
2007-04-18 16:51 14,336 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinpdxx.sys
2007-04-18 16:51 14,143 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv06nt5.dll
2007-04-18 16:51 13,824 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinttxx.sys
2007-04-18 16:51 13,824 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinmdxx.sys
2007-04-18 16:51 13,776 --------- C:\WINDOWS\SYSTEM32\DRIVERS\recagent.sys
2007-04-18 16:51 13,240 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slwdmsup.sys
2007-04-18 16:51 129,535 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slnt7554.sys
2007-04-18 16:51 128,896 --------- C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2007-04-18 16:51 126,686 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtlmnt5.sys
2007-04-18 16:51 12,672 --------- C:\WINDOWS\SYSTEM32\DRIVERS\usb8023x.sys
2007-04-18 16:51 12,672 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mutohpen.sys
2007-04-18 16:51 12,047 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1pdxx.sys
2007-04-18 16:51 11,615 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1mdxx.sys
2007-04-18 16:51 11,359 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv02nt5.dll
2007-04-18 16:51 11,136 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sffdisk.sys
2007-04-18 16:51 104,960 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinrvxx.sys
2007-04-18 16:51 100,992 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthpan.sys
2007-04-18 16:51 10,240 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sffp_sd.sys
2007-04-18 16:51 1,309,184 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtlstrm.sys
2007-04-18 16:51 1,041,536 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hsfdpsp2.sys
2007-04-18 16:50 88,064 --------- C:\WINDOWS\SYSTEM32\p2pnetsh.dll
2007-04-18 16:50 870,784 --------- C:\WINDOWS\SYSTEM32\ati3d1ag.dll
2007-04-18 16:50 86,016 --------- C:\WINDOWS\SYSTEM32\p2pgasvc.dll
2007-04-18 16:50 81,920 --------- C:\WINDOWS\SYSTEM32\ieencode.dll
2007-04-18 16:50 81,408 --------- C:\WINDOWS\SYSTEM32\wscsvc.dll
2007-04-18 16:50 8,192 --------- C:\WINDOWS\SYSTEM32\smbinst.exe
2007-04-18 16:50 78,464 --------- C:\WINDOWS\SYSTEM32\DRIVERS\usbvideo.sys
2007-04-18 16:50 75,776 --------- C:\WINDOWS\SYSTEM32\strmfilt.dll
2007-04-18 16:50 73,832 --------- C:\WINDOWS\SYSTEM32\slcoinst.dll
2007-04-18 16:50 73,796 --------- C:\WINDOWS\SYSTEM32\slserv.exe
2007-04-18 16:50 71,680 --------- C:\WINDOWS\SYSTEM32\blastcln.exe
2007-04-18 16:50 7,680 --------- C:\WINDOWS\SYSTEM32\kbdsmsno.dll
2007-04-18 16:50 7,680 --------- C:\WINDOWS\SYSTEM32\kbdsmsfi.dll
2007-04-18 16:50 7,168 --------- C:\WINDOWS\SYSTEM32\kbdukx.dll
2007-04-18 16:50 7,168 --------- C:\WINDOWS\SYSTEM32\kbdno1.dll
2007-04-18 16:50 7,168 --------- C:\WINDOWS\SYSTEM32\kbdfi1.dll
2007-04-18 16:50 60,416 --------- C:\WINDOWS\SYSTEM32\fwcfg.dll
2007-04-18 16:50 6,656 --------- C:\WINDOWS\SYSTEM32\kbdinmal.dll
2007-04-18 16:50 6,656 --------- C:\WINDOWS\SYSTEM32\kbdinben.dll
2007-04-18 16:50 6,144 --------- C:\WINDOWS\SYSTEM32\kbdmlt48.dll
2007-04-18 16:50 6,144 --------- C:\WINDOWS\SYSTEM32\kbdmlt47.dll
2007-04-18 16:50 6,144 --------- C:\WINDOWS\SYSTEM32\kbdinbe1.dll
2007-04-18 16:50 526,848 --------- C:\WINDOWS\SYSTEM32\p2psvc.dll
2007-04-18 16:50 516,768 --------- C:\WINDOWS\SYSTEM32\ativvaxx.dll
2007-04-18 16:50 50,688 --------- C:\WINDOWS\SYSTEM32\btpanui.dll
2007-04-18 16:50 50,176 --------- C:\WINDOWS\SYSTEM32\xmlprovi.dll
2007-04-18 16:50 5,632 --------- C:\WINDOWS\SYSTEM32\kbdmaori.dll
2007-04-18 16:50 49,152 --------- C:\WINDOWS\SYSTEM32\powercfg.exe
2007-04-18 16:50 48,640 --------- C:\WINDOWS\SYSTEM32\pnrpnsp.dll
2007-04-18 16:50 44,032 --------- C:\WINDOWS\SYSTEM32\twext.dll
2007-04-18 16:50 397,056 --------- C:\WINDOWS\SYSTEM32\s3gnb.dll
2007-04-18 16:50 377,984 --------- C:\WINDOWS\SYSTEM32\ati2dvaa.dll
2007-04-18 16:50 32,866 --------- C:\WINDOWS\SYSTEM32\slrundll.exe
2007-04-18 16:50 32,866 --------- C:\WINDOWS\slrundll.exe
2007-04-18 16:50 32,768 --------- C:\WINDOWS\SYSTEM32\ativtmxx.dll
2007-04-18 16:50 32,285 --------- C:\WINDOWS\SYSTEM32\hsfcisp2.dll
2007-04-18 16:50 312,320 --------- C:\WINDOWS\SYSTEM32\p2pgraph.dll
2007-04-18 16:50 30,208 --------- C:\WINDOWS\SYSTEM32\bthserv.dll
2007-04-18 16:50 29,184 --------- C:\WINDOWS\SYSTEM32\sdhcinst.dll
2007-04-18 16:50 286,792 --------- C:\WINDOWS\SYSTEM32\slextspk.dll
2007-04-18 16:50 25,471 --------- C:\WINDOWS\SYSTEM32\DRIVERS\watv10nt.sys
2007-04-18 16:50 24,576 --------- C:\WINDOWS\SYSTEM32\httpapi.dll
2007-04-18 16:50 23,040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2007-04-18 16:50 229,376 --------- C:\WINDOWS\SYSTEM32\ati2cqag.dll
2007-04-18 16:50 22,271 --------- C:\WINDOWS\SYSTEM32\DRIVERS\watv06nt.sys
2007-04-18 16:50 201,728 --------- C:\WINDOWS\SYSTEM32\ati2dvag.dll
2007-04-18 16:50 20,992 --------- C:\WINDOWS\SYSTEM32\bthci.dll
2007-04-18 16:50 2,113,536 --------- C:\WINDOWS\SYSTEM32\dxdiagn.dll
2007-04-18 16:50 193,024 --------- C:\WINDOWS\SYSTEM32\fsquirt.exe
2007-04-18 16:50 188,508 --------- C:\WINDOWS\SYSTEM32\slgen.dll
2007-04-18 16:50 17,408 --------- C:\WINDOWS\SYSTEM32\winshfhc.dll
2007-04-18 16:50 16,896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2007-04-18 16:50 15,872 --------- C:\WINDOWS\SYSTEM32\w3ssl.dll
2007-04-18 16:50 14,336 --------- C:\WINDOWS\SYSTEM32\auditusr.exe
2007-04-18 16:50 13,824 --------- C:\WINDOWS\SYSTEM32\wscntfy.exe
2007-04-18 16:50 13,824 --------- C:\WINDOWS\SYSTEM32\cmsetacl.dll
2007-04-18 16:50 13,568 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wacompen.sys
2007-04-18 16:50 129,536 --------- C:\WINDOWS\SYSTEM32\xmlprov.dll
2007-04-18 16:50 118,784 --------- C:\WINDOWS\SYSTEM32\msdadiag.dll
2007-04-18 16:50 116,224 --------- C:\WINDOWS\SYSTEM32\p2p.dll
2007-04-18 16:50 11,935 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv11nt.sys
2007-04-18 16:50 11,871 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv09nt.sys
2007-04-18 16:50 11,807 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv07nt.sys
2007-04-18 16:50 11,325 --------- C:\WINDOWS\SYSTEM32\DRIVERS\vchnt5.dll
2007-04-18 16:50 11,295 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv08nt.sys
2007-04-18 16:50 108,032 --------- C:\WINDOWS\SYSTEM32\wshbth.dll
2007-04-18 16:50 1,888,992 --------- C:\WINDOWS\SYSTEM32\ati3duag.dll
2007-04-18 16:50 1,737,856 --------- C:\WINDOWS\SYSTEM32\mtxparhd.dll
2007-04-18 16:50 1,689,088 --------- C:\WINDOWS\SYSTEM32\d3d9.dll
2007-04-18 16:50 <DIR> d-------- C:\WINDOWS\provisioning
2007-04-18 16:50 <DIR> d-------- C:\WINDOWS\peernet
2007-04-18 16:45 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-04-18 16:37 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-04-18 16:32 <DIR> d-------- C:\WINDOWS\EHome
2007-04-18 16:00 21,822,168 --a------ C:\AdbeRdr80_en_US.exe
2007-04-17 12:20 75,291 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\bkpcmxp.sys
2007-04-17 12:20 73,728 --a------ C:\WINDOWS\SYSTEM32\install.dll
2007-04-17 12:20 61,440 --a------ C:\WINDOWS\SYSTEM32\w32n50.dll
2007-04-17 12:20 462,848 --a------ C:\WINDOWS\SYSTEM32\monitorbk.exe
2007-04-17 12:20 36,864 --a------ C:\WINDOWS\SYSTEM32\WRLSetup.exe
2007-04-17 12:20 16,068 --a------ C:\WINDOWS\SYSTEM32\pcandis5.sys
2007-04-17 12:20 <DIR> d-------- C:\Program Files\Belkin
2007-04-12 16:19 <DIR> d-------- C:\Temp
2007-04-12 16:14 545,560 --a------ C:\AdbeRdr80_DLM_en_US.exe
2007-04-11 20:10 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-04-10 19:52 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-04-10 17:33 <DIR> d-------- C:\DOCUME~1\CAMPBE~1\APPLIC~1\Google
2007-04-10 17:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-04-10 16:45 <DIR> d-------- C:\Program Files\Google
2007-04-09 23:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\SoftwareDistribution
2007-04-09 21:52 <DIR> d-------- C:\Program Files\Yahoo!
2007-04-09 18:18 465,368 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-04-09 18:18 41,432 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-04-09 18:18 194,520 --a------ C:\WINDOWS\SYSTEM32\wuaueng1.dll
2007-04-09 18:18 174,040 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-04-09 18:18 172,504 --a------ C:\WINDOWS\SYSTEM32\wuauclt1.exe
2007-04-09 18:18 127,448 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-04-09 18:18 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-04-03 21:43 <DIR> d-------- C:\Program Files\mIRC
2007-04-03 20:46 <DIR> d-------- C:\DOCUME~1\CAMPBE~1\Contacts
2007-04-03 20:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Live Toolbar
2007-04-03 20:42 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2007-04-03 20:42 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-04-03 20:41 <DIR> d-------- C:\Program Files\MSN Messenger
2007-04-03 20:22 18,040,176 --a------ C:\Install_Messenger_nous.exe
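The "Files Created" listing above can also be sifted mechanically. The script below is an added example for this thread, not part of ComboFix and not something the posters ran: it parses ComboFix's `date time size attrs path` lines and applies two rules grounded in what the listing shows, generated-looking eight-letter names created minutes apart in SYSTEM32 (the 08:17 to 08:23 batch on 2007-04-20) and names that imitate a core Windows binary (winlogon32.exe and winlogon32.dll sitting in C:\WINDOWS). The sample lines are copied from the listing; the ten-minute window, the eight-letter rule and the list of core binary names are this example's assumptions.

```python
"""Sift a ComboFix 'Files Created' listing for files worth a second look.

Added example for this thread; not ComboFix code and not something the
posters ran. The ten-minute window, the eight-letter naming rule and the
core-binary list are this example's assumptions.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Sample input: lines copied from the ComboFix listing posted above.
SAMPLE_LISTING = r"""
2007-04-23 13:55 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-23 10:12 <DIR> d-------- C:\Anti-Spyware
2007-04-22 21:30 9,216 --a------ C:\WINDOWS\winlogon32.exe
2007-04-22 21:29 5,632 --a------ C:\WINDOWS\winlogon32.dll
2007-04-20 14:15 28,672 --------- C:\WINDOWS\SYSTEM32\verclsid.exe
2007-04-20 08:23 44,032 --a------ C:\WINDOWS\SYSTEM32\apwdscfn.dll
2007-04-20 08:23 131,584 --a------ C:\WINDOWS\SYSTEM32\mntrycpo.dll
2007-04-20 08:23 100,864 --a------ C:\WINDOWS\SYSTEM32\qchxqoad.dll
2007-04-20 08:17 138,752 --a------ C:\WINDOWS\SYSTEM32\diceuaaa.exe
2007-04-18 16:51 95,424 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slnthal.sys
2007-04-18 16:50 13,824 --------- C:\WINDOWS\SYSTEM32\wscntfy.exe
2007-04-17 12:20 462,848 --a------ C:\WINDOWS\SYSTEM32\monitorbk.exe
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$")
WINDOW = timedelta(minutes=10)  # assumption: "created together" means within ten minutes
# Names an implant likes to borrow; a stem that extends one of these is suspicious.
CORE_BINARIES = ("winlogon", "svchost", "lsass", "services", "csrss", "smss", "explorer")


class Created(NamedTuple):
    when: datetime
    size: int
    attrs: str
    path: str


class Finding(NamedTuple):
    severity: str
    path: str
    reason: str


def parse_listing(text: str) -> List[Created]:
    files = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("size") == "<DIR>":
            continue  # not a file line, or a directory
        when = datetime.strptime(f"{m.group('date')} {m.group('time')}", "%Y-%m-%d %H:%M")
        files.append(Created(when, int(m.group("size").replace(",", "")),
                             m.group("attrs"), m.group("path")))
    return files


def stem(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def looks_generated(path: str) -> bool:
    """Eight lowercase letters, no digits: the shape of the names in the listing above."""
    return re.fullmatch(r"[a-z]{8}", stem(path)) is not None


def mimics_core_binary(path: str) -> bool:
    s = stem(path)
    return any(s != core and s.startswith(core) for core in CORE_BINARIES)


def clusters(files: List[Created]) -> List[List[Created]]:
    """Group generated-looking names whose creation times fall within WINDOW of each other."""
    generated = sorted((f for f in files if looks_generated(f.path)), key=lambda f: f.when)
    groups, current = [], []
    for f in generated:
        if current and f.when - current[-1].when > WINDOW:
            groups.append(current)
            current = []
        current.append(f)
    if current:
        groups.append(current)
    return groups


def triage(files: List[Created]) -> List[Finding]:
    findings = []
    for group in clusters(files):
        severity = "high" if len(group) > 1 else "low"
        for f in group:
            findings.append(Finding(severity, f.path,
                f"{len(group)} generated-looking name(s) created within {WINDOW.seconds // 60} min"))
    for f in files:
        if mimics_core_binary(f.path):
            findings.append(Finding("high", f.path, "name imitates a core Windows binary"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_listing(SAMPLE_LISTING)):
        print(f"[{f.severity:<4}] {f.path}  {f.reason}")
```

A lone eight-letter name is reported low rather than high on purpose: verclsid.exe matches the naming rule but is a Microsoft-shipped binary, and a window with nothing else created in it is what separates it from the four files that appeared together on 2007-04-20. Confirm any hit by checking the file's signature and hash, not its name.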

tbri1559
2007-04-23, 08:45
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-23 12:20 44288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys
2007-04-23 11:03 -------- d-------- C:\Program Files\messenger
2007-04-23 09:20 -------- d-------- C:\Program Files\digital line detect
2007-04-21 21:27 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-04-21 20:48 -------- d-------- C:\Program Files\myway
2007-04-18 22:05 45056 --a------ C:\WINDOWS\ncuninst.exe
2007-04-18 16:50 -------- d-------- C:\Program Files\movie maker
2007-04-18 16:45 -------- d-------- C:\Program Files\windows nt
2007-04-18 16:30 -------- d--h----- C:\Program Files\installshield installation information
2007-04-18 16:30 -------- d-------- C:\Program Files\dell
2007-04-17 16:27 -------- d-------- C:\Program Files\epson
2007-04-09 18:18 -------- d--h----- C:\Program Files\windowsupdate
2007-03-17 23:43 292864 --a------ C:\WINDOWS\SYSTEM32\winsrv.dll
2007-03-09 01:36 577536 --a------ C:\WINDOWS\SYSTEM32\user32.dll
2007-03-09 01:36 40960 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-03-09 01:36 281600 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-03-08 23:47 1843584 --a------ C:\WINDOWS\SYSTEM32\win32k.sys
2007-02-06 06:17 185344 --a------ C:\WINDOWS\SYSTEM32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Logitech Utility"="Logi_MwX.Exe"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"WorkFlowTray"="\"C:\\Program Files\\ScanSoft\\OmniPagePro14.0\\WorkFlowTray.exe\""
"Opware14"="\"C:\\Program Files\\ScanSoft\\OmniPagePro14.0\\Opware14.exe\""
"OpScheduler"="\"C:\\Program Files\\ScanSoft\\OmniPagePro14.0\\OpScheduler.exe\""
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"RoxioAudioCentral"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"jbrdewvm"="C:\\WINDOWS\\system32\\jbrdewvm.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SpywareBot"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
oqnhgqvw

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton Security Scan.job
C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-23 15:30:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-23 15:32:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-23 15:32
C:\ComboFix2.txt ... 07-04-23 13:55

Logfile of HijackThis v1.99.1
Scan saved at 3:36:07 PM, on 23/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\SYSTEM32\monitorbk.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Anti-Spyware\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [jbrdewvm] C:\WINDOWS\system32\jbrdewvm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINDOWS\SYSTEM32\monitorbk.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Cheers,
Tom

Angelfire777
2007-04-23, 22:50
Hi,

It looks like this is going to be messy :)

Please download the Suspicious file Packer (http://www.safer-networking.org/files/sfp.zip) from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:

C:\WINDOWS\SYSTEM32\apwdscfn.dll
C:\WINDOWS\SYSTEM32\mntrycpo.dll
C:\WINDOWS\SYSTEM32\qchxqoad.dll
C:\WINDOWS\SYSTEM32\diceuaaa.exe

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Next, please visit BleepingComputers forum HERE (http://www.bleepingcomputer.com/submit-malware.php?channel=4) and fill in the required fields.

On the "Browse to the file you want to submit:" box, click "browse" then find the newly created .cab file in your desktop and click open.

After that, please click the "send file" button.

Post back when you're done..

tbri1559
2007-04-24, 02:39
All done and submitted.
Regards,
Tom

Angelfire777
2007-04-24, 17:57
*Please follow the instructions HERE (http://www.dellcommunity.com/supportforums/board/message?board.id=si_virus&message.id=42328) on how to remove Dell's MyWay.

*Uninstall the item in bold if found:

SpywareBot
Please uninstall that program since it is considered a Rogue Antispyware application as listed HERE (http://www.spywarewarrior.com/rogue_anti-spyware.htm).

*Click Start > Control Panel > Add or Remove Programs and uninstall the item in bold if found.

*Reboot

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [jbrdewvm] C:\WINDOWS\system32\jbrdewvm.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.

Please download the OTMoveIt by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe).

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\jbrdewvm.exe
C:\WINDOWS\winlogon32.exe
C:\WINDOWS\winlogon32.dll
C:\Program Files\SpywareBot
C:\DOCUME~1\CAMPBE~1\APPLIC~1\SpywareBot
C:\Program Files\myway
C:\WINDOWS\NCUNINST.EXE
C:\Program Files\Common Files\symantec shared



Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

*download RegSearch Tool (http://www.xs4all.nl/~fstaal01/regsearch-us.html) by Bobbi Flekman

Unzip it to your desktop

In the search box, enter the keyword below & click "Ok".

oqnhgqvw

Notepad will open with some text in it (the file will also be saved in the program's folder as well).
Post this text in your next reply along with a fresh HijackThis log.

tbri1559
2007-04-27, 04:35
Hi,
According to the control panel, I don't have any of those programs listed on the link or in the post. Should I continue the process you suggest anyway?
Tom

Angelfire777
2007-04-27, 08:06
Yes please :)

tbri1559
2007-04-27, 13:10
Here you go...
Tom

File/Folder C:\WINDOWS\system32\jbrdewvm.exe not found.
C:\WINDOWS\winlogon32.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\winlogon32.dll
C:\WINDOWS\winlogon32.dll NOT unregistered.
C:\WINDOWS\winlogon32.dll moved successfully.
File/Folder C:\Program Files\SpywareBot not found.
C:\DOCUME~1\CAMPBE~1\APPLIC~1\SpywareBot\Settings moved successfully.
C:\DOCUME~1\CAMPBE~1\APPLIC~1\SpywareBot\Registry Backups moved successfully.
C:\DOCUME~1\CAMPBE~1\APPLIC~1\SpywareBot\Quarantine moved successfully.
C:\DOCUME~1\CAMPBE~1\APPLIC~1\SpywareBot\Log moved successfully.
C:\DOCUME~1\CAMPBE~1\APPLIC~1\SpywareBot moved successfully.
C:\Program Files\myway moved successfully.
C:\WINDOWS\NCUNINST.EXE moved successfully.
C:\Program Files\Common Files\symantec shared\VirusDefs moved successfully.
C:\Program Files\Common Files\symantec shared\SymcData moved successfully.
C:\Program Files\Common Files\symantec shared\SPManifests moved successfully.
C:\Program Files\Common Files\symantec shared\Registry Backup moved successfully.
C:\Program Files\Common Files\symantec shared\LiveReg moved successfully.
C:\Program Files\Common Files\symantec shared\Help moved successfully.
C:\Program Files\Common Files\symantec shared\EENGINE moved successfully.
C:\Program Files\Common Files\symantec shared moved successfully.

Created on 04/27/2007 20:01:55


Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.4.2

; Results at 27/04/2007 8:08:03 PM for strings:
; 'oqnhgqvw'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
; Contents of value:
; 6to4
; AppMgmt
; AudioSrv
; oqnhgqvw
; Browser
; CryptSvc
; DMServer
; DHCP
; ERSvc
; EventSystem
; FastUserSwitchingCompatibility
; HidServ
; Ias
; Iprip
; Irmon
; LanmanServer
; LanmanWorkstation
; Messenger
; Netman
; Nla
; Ntmssvc
; NWCWorkstation
; Nwsapagent
; Rasauto
; Rasman
; Remoteaccess
; Schedule
; Seclogon
; SENS
; Sharedaccess
; SRService
; Tapisrv
; Themes
; TrkWks
; W32Time
; WZCSVC
; Wmi
; WmdmPmSp
; winmgmt
; TermService
; wuauserv
; BITS
; ShellHWDetection
; helpsvc
; WmdmPmSN
; xmlprov
; wscsvc
;
;
"netsvcs"=hex(7):36,00,74,00,6f,00,34,00,00,00,41,00,70,00,70,00,4d,00,67,00,\
6d,00,74,00,00,00,41,00,75,00,64,00,69,00,6f,00,53,00,72,00,76,00,00,00,6f,\
00,71,00,6e,00,68,00,67,00,71,00,76,00,77,00,00,00,42,00,72,00,6f,00,77,00,\
73,00,65,00,72,00,00,00,43,00,72,00,79,00,70,00,74,00,53,00,76,00,63,00,00,\
00,44,00,4d,00,53,00,65,00,72,00,76,00,65,00,72,00,00,00,44,00,48,00,43,00,\
50,00,00,00,45,00,52,00,53,00,76,00,63,00,00,00,45,00,76,00,65,00,6e,00,74,\
00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,46,00,61,00,73,00,74,00,55,00,\
73,00,65,00,72,00,53,00,77,00,69,00,74,00,63,00,68,00,69,00,6e,00,67,00,43,\
00,6f,00,6d,00,70,00,61,00,74,00,69,00,62,00,69,00,6c,00,69,00,74,00,79,00,\
00,00,48,00,69,00,64,00,53,00,65,00,72,00,76,00,00,00,49,00,61,00,73,00,00,\
00,49,00,70,00,72,00,69,00,70,00,00,00,49,00,72,00,6d,00,6f,00,6e,00,00,00,\
4c,00,61,00,6e,00,6d,00,61,00,6e,00,53,00,65,00,72,00,76,00,65,00,72,00,00,\
00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,00,6b,00,73,00,74,00,\
61,00,74,00,69,00,6f,00,6e,00,00,00,4d,00,65,00,73,00,73,00,65,00,6e,00,67,\
00,65,00,72,00,00,00,4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,4e,00,6c,00,\
61,00,00,00,4e,00,74,00,6d,00,73,00,73,00,76,00,63,00,00,00,4e,00,57,00,43,\
00,57,00,6f,00,72,00,6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,\
4e,00,77,00,73,00,61,00,70,00,61,00,67,00,65,00,6e,00,74,00,00,00,52,00,61,\
00,73,00,61,00,75,00,74,00,6f,00,00,00,52,00,61,00,73,00,6d,00,61,00,6e,00,\
00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,61,00,63,00,63,00,65,00,73,00,73,\
00,00,00,53,00,63,00,68,00,65,00,64,00,75,00,6c,00,65,00,00,00,53,00,65,00,\
63,00,6c,00,6f,00,67,00,6f,00,6e,00,00,00,53,00,45,00,4e,00,53,00,00,00,53,\
00,68,00,61,00,72,00,65,00,64,00,61,00,63,00,63,00,65,00,73,00,73,00,00,00,\
53,00,52,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00,54,00,61,00,70,\
00,69,00,73,00,72,00,76,00,00,00,54,00,68,00,65,00,6d,00,65,00,73,00,00,00,\
54,00,72,00,6b,00,57,00,6b,00,73,00,00,00,57,00,33,00,32,00,54,00,69,00,6d,\
00,65,00,00,00,57,00,5a,00,43,00,53,00,56,00,43,00,00,00,57,00,6d,00,69,00,\
00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,70,00,00,00,77,00,69,00,6e,\
00,6d,00,67,00,6d,00,74,00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,\
76,00,69,00,63,00,65,00,00,00,77,00,75,00,61,00,75,00,73,00,65,00,72,00,76,\
00,00,00,42,00,49,00,54,00,53,00,00,00,53,00,68,00,65,00,6c,00,6c,00,48,00,\
57,00,44,00,65,00,74,00,65,00,63,00,74,00,69,00,6f,00,6e,00,00,00,68,00,65,\
00,6c,00,70,00,73,00,76,00,63,00,00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,\
53,00,4e,00,00,00,78,00,6d,00,6c,00,70,00,72,00,6f,00,76,00,00,00,77,00,73,\
00,63,00,73,00,76,00,63,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_OQNHGQVW]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_OQNHGQVW\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_OQNHGQVW\0000]
"Service"="oqnhgqvw"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_OQNHGQVW\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_OQNHGQVW\0000\Control]
"ActiveService"="oqnhgqvw"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oqnhgqvw]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oqnhgqvw\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oqnhgqvw\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oqnhgqvw\Enum]
"0"="Root\\LEGACY_OQNHGQVW\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_OQNHGQVW]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_OQNHGQVW\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_OQNHGQVW\0000]
"Service"="oqnhgqvw"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\oqnhgqvw]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\oqnhgqvw\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OQNHGQVW]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OQNHGQVW\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OQNHGQVW\0000]
"Service"="oqnhgqvw"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OQNHGQVW\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OQNHGQVW\0000\Control]
"ActiveService"="oqnhgqvw"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oqnhgqvw]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oqnhgqvw\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oqnhgqvw\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oqnhgqvw\Enum]
"0"="Root\\LEGACY_OQNHGQVW\\0000"

; End Of The Log...

Logfile of HijackThis v1.99.1
Scan saved at 8:10:25 PM, on 27/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\monitorbk.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Campbell Bridge\Local Settings\Temp\regsearch.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Anti-Spyware\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINDOWS\SYSTEM32\monitorbk.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

tashi
2007-04-27, 22:12
Topic here: http://forums.spybot.info/showthread.php?t=13138 closed.

Angelfire777
2007-04-28, 08:42
Hi,

I just need to know the dll that's loading this service then we'll blow this one out :)

Click start > run > copy and paste the following command in the box:

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oqnhgqvw" >> C:\look.txt

Locate c:\look.txt then post all of its contents.

tbri1559
2007-04-29, 09:02
Hi,
when I put that command into the "Run" box and press OK, the black results box briefly flashes then disappears. What should I be doing?
Tom

Angelfire777
2007-04-29, 18:06
Hi,


when I put that command into the "Run" box and press OK, the black results box briefly flashes then disappears. What should I be doing?

It's normal..


Locate c:\look.txt then post all of its contents.

tbri1559
2007-04-30, 03:28
That's the part I couldn't find. I did a search for that command, and look.txt and then through all .txt files on the C:\ drive and got no results.
Tom

Angelfire777
2007-04-30, 08:43
Hmmmm...

try this command please...


reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oqnhgqvw" >> C:\look.txt

Look for look.txt then post the contents.

tbri1559
2007-04-30, 09:47
Hi,
sorry, I still can't find anything! I have tried modifying my search several times and still come up with no results at all!
Tom

Angelfire777
2007-04-30, 16:32
Arg!

try this one please:

regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oqnhgqvw"

Look for look.txt then post the contents.

tbri1559
2007-05-01, 07:17
Success!! Finally!! Woohoo!

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oqnhgqvw]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="Helper for Microsoft ACPI Control Method Battery"
"DisplayName"="Microsoft ACPI Control Method Battery Helper"
"ErrorControl"=dword:00000001
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oqnhgqvw\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,6c,00,\
66,00,61,00,6d,00,6c,00,66,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oqnhgqvw\Enum]
"0"="Root\\LEGACY_OQNHGQVW\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


Hope that helps!
Thanks again,
Tom
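
Reading the hex(2) and hex(7) blobs in an export like the one above by hand is slow and error-prone, so here is an added Python example (not code from the thread, and not part of HijackThis, ComboFix or any other tool used in it) that parses a regedit /e export, decodes the REG_EXPAND_SZ and REG_MULTI_SZ values, and reports what an svchost-hosted service really loads. The sample .reg text is constructed from the values in the export and RegSearch output posted above, with the long netsvcs list cut down to its first five entries; parse_reg and inspect_svchost_service are names chosen here.

```python
import re

# Constructed sample: assembled from the values in the regedit /e export and the
# RegSearch output posted in this thread, with the long "netsvcs" REG_MULTI_SZ cut
# down to its first five entries so the sample stays short.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oqnhgqvw]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Microsoft ACPI Control Method Battery Helper"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oqnhgqvw\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,6c,00,\
  66,00,61,00,6d,00,6c,00,66,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):36,00,74,00,6f,00,34,00,00,00,41,00,70,00,70,00,4d,00,67,00,\
  6d,00,74,00,00,00,41,00,75,00,64,00,69,00,6f,00,53,00,72,00,76,00,00,00,6f,\
  00,71,00,6e,00,68,00,67,00,71,00,76,00,77,00,00,00,42,00,72,00,6f,00,77,00,\
  73,00,65,00,72,00,00,00,00,00
'''

SERVICES = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'
SVCHOST_GROUPS = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
START_TYPES = {0: 'BOOT', 1: 'SYSTEM', 2: 'AUTO', 3: 'DEMAND', 4: 'DISABLED'}


def _join_continuations(text):
    # regedit wraps long hex values: a trailing "\" followed by a two-space indented line
    return re.sub(r'\\\r?\n\s*', '', text)


def _decode_value(raw):
    """Turn the right-hand side of a "name"=value line into (type name, Python value)."""
    if raw.startswith('"'):                         # REG_SZ, with \\ and \" escapes
        return 'REG_SZ', raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('dword:'):
        return 'REG_DWORD', int(raw[len('dword:'):], 16)
    m = re.match(r'hex(?:\((\w+)\))?:(.*)$', raw)
    if not m:
        raise ValueError('unsupported value syntax: %r' % raw)
    kind = int(m.group(1) or '3', 16)               # bare "hex:" is REG_BINARY (type 3)
    data = bytes.fromhex(m.group(2).replace(',', '').strip())
    if kind == 2:                                   # REG_EXPAND_SZ: UTF-16LE, NUL terminated
        return 'REG_EXPAND_SZ', data.decode('utf-16-le').rstrip('\0')
    if kind == 7:                                   # REG_MULTI_SZ: NUL separated, double NUL terminated
        return 'REG_MULTI_SZ', [s for s in data.decode('utf-16-le').split('\0') if s]
    return 'REG_BINARY', data


def parse_reg(text):
    """Parse a regedit /e export into {key path: {value name: (type, value)}}."""
    keys, current = {}, None
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if not line or line.startswith((';', 'Windows Registry Editor', 'REGEDIT4')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        name, sep, raw = line.partition('=')
        if current is None or not sep:
            raise ValueError('malformed line: %r' % line)
        keys[current]['(Default)' if name == '@' else name.strip('"')] = _decode_value(raw)
    return keys


def inspect_svchost_service(reg, service):
    """Report what a service really loads: the svchost group it rides in, the DLL
    named in its Parameters key, and whether its name was grafted into the group list."""
    svc = reg[SERVICES + '\\' + service]
    image = svc['ImagePath'][1]
    m = re.search(r'svchost\.exe\s+-k\s+(\S+)', image, re.IGNORECASE)
    group = m.group(1) if m else None
    dll = reg.get(SERVICES + '\\' + service + r'\Parameters', {}).get('ServiceDll', (None, None))[1]
    members = reg.get(SVCHOST_GROUPS, {}).get(group, (None, []))[1] if group else []
    return {
        'display_name': svc.get('DisplayName', (None, None))[1],
        'image_path': image,
        'svchost_group': group,
        'service_dll': dll,
        'start': START_TYPES.get(svc['Start'][1], str(svc['Start'][1])),
        'share_process': bool(svc['Type'][1] & 0x20),   # SERVICE_WIN32_SHARE_PROCESS
        'in_group_list': service.lower() in [g.lower() for g in members],
    }


if __name__ == '__main__':
    findings = inspect_svchost_service(parse_reg(REG_SAMPLE), 'oqnhgqvw')
    for name, value in findings.items():
        print('%-14s %s' % (name, value))
```

On the sample, ImagePath decodes to %SystemRoot%\System32\svchost.exe -k netsvcs and ServiceDll to C:\WINDOWS\system32\mlfamlf.dll, another random eight-letter name in system32 like the three DLLs sent for analysis earlier in the thread. The service is type 0x20 (shared process) with automatic start, and its name sits in the netsvcs group list, which is why it never appears as its own process in the HijackThis "Running processes" list: it runs inside one of the svchost.exe instances. The RegSearch output earlier also shows the same name under ControlSet001, ControlSet003 and Enum\Root\LEGACY_OQNHGQVW, so a cleanup that touches only CurrentControlSet leaves copies behind.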

Angelfire777
2007-05-01, 07:46
ha! Now let's blow it out :)

*Please download KazaaBegone (http://www.bleepingcomputer.com/files/Merijn/kazaabegone.zip)

Create a new folder in your desktop, name it Kazaabegone.

Extract all the files of the zip files to the newly created folder on your desktop.

Navigate to the KazaaBegone folder then double click Kazaabegone.exe and let it remove Kazaa and all of its components.

Note: In case you use Kazaa, we need to remove it because the program itself is infected and if we don't remove it, the infections you have will only return..


*Run OTMoveIt
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\Kazaa
C:\WINDOWS\Downloaded Program Files\WUInst.inf
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\SYSTEM32\P2P Networking v124.cpl
C:\WINDOWS\winhp32.exe
C:\WINDOWS\SYSTEM32\diceuaaa.exe



Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

*Please download SvcQuery.exe (http://download.bleepingcomputer.com/sUBs/SvcQuery.exe)
Save it to your desktop.
Double click SvcQuery.exe
When prompted to enter a service name, enter oqnhgqvw
Type "y" to confirm.
When done, it shall present a log, please post it on your next reply.


*Click start > run > copy and paste this command please:

"%userprofile%\desktop\combofix.exe" /wow-drv oqnhgqvw /v apwdscfn mntrycpo qchxqoad

Post back with a fresh HijackThis log, svcquery log and the new combofix log along with a description on how your machine is running.

tbri1559
2007-05-01, 09:49
"Campbell Bridge" - 07-05-01 16:21:56 Service Pack 2
ComboFix 07-04-22.6V - Running from: "C:\Documents and Settings\Campbell Bridge\Desktop\"
Command switches used :: "/wow-drv oqnhgqvw /v apwdscfn mntrycpo qchxqoad"


((((((((((((((((((((((((( Files Created from 2007-04-01 to 2007-05-01 ))))))))))))))))))))))))))))


2007-04-23 20:48 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2007-04-23 18:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-23 13:55 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-23 12:23 499,712 --a------ C:\WINDOWS\SYSTEM32\msvcp71.dll
2007-04-23 12:23 348,160 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-04-23 12:19 21,299,912 --a------ C:\Program Files\avg75free_463a1000.exe
2007-04-23 10:12 <DIR> d-------- C:\Anti-Spyware
2007-04-23 08:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-04-22 19:19 <DIR> d-------- C:\WINDOWS\Prefetch
2007-04-22 11:51 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-21 20:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-21 15:51 <DIR> d-------- C:\Program Files\CCleaner
2007-04-21 12:44 <DIR> d-------- C:\16e7a3799cc4ff36826d19da47c626
2007-04-20 14:47 842,672 --a------ C:\Program Files\slsk156c.exe
2007-04-20 14:47 <DIR> d-------- C:\Program Files\Soulseek
2007-04-20 14:15 28,672 --------- C:\WINDOWS\SYSTEM32\verclsid.exe
2007-04-20 14:06 <DIR> d-------- C:\Program Files\iPod
2007-04-20 14:06 <DIR> d-------- C:\DOCUME~1\CAMPBE~1\APPLIC~1\Apple Computer
2007-04-20 14:05 <DIR> d-------- C:\Program Files\iTunes
2007-04-20 14:04 <DIR> d-------- C:\Program Files\QuickTime
2007-04-20 14:03 <DIR> d-------- C:\Program Files\Apple Software Update
2007-04-20 14:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-04-20 14:01 37,860,928 --a------ C:\Program Files\iTunesSetup.exe
2007-04-20 08:23 44,032 --a------ C:\WINDOWS\SYSTEM32\apwdscfn.dll
2007-04-20 08:23 131,584 --a------ C:\WINDOWS\SYSTEM32\mntrycpo.dll
2007-04-20 08:23 100,864 --a------ C:\WINDOWS\SYSTEM32\qchxqoad.dll
2007-04-19 00:26 <DIR> d-------- C:\DOCUME~1\CAMPBE~1\APPLIC~1\AdobeAUM
2007-04-19 00:23 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-04-19 00:10 21,822,168 --a------ C:\Program Files\AdbeRdr80_en_US.exe
2007-04-19 00:05 811,560 --a------ C:\Program Files\GoogleToolbarInstaller_ADBx_en_401019_signed.exe
2007-04-19 00:05 7,050,552 --a------ C:\Program Files\psa30se_en_us.exe
2007-04-18 23:53 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-04-18 23:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2007-04-18 16:51 95,424 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slnthal.sys
2007-04-18 16:51 9,216 --------- C:\WINDOWS\SYSTEM32\proxycfg.exe
2007-04-18 16:51 73,216 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atintuxx.sys
2007-04-18 16:51 701,440 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys
2007-04-18 16:51 685,056 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hsfcxts2.sys
2007-04-18 16:51 67,584 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sdbus.sys
2007-04-18 16:51 63,663 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1rvxx.sys
2007-04-18 16:51 63,488 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinxsxx.sys
2007-04-18 16:51 6,016 --------- C:\WINDOWS\SYSTEM32\DRIVERS\smbali.sys
2007-04-18 16:51 59,648 --------- C:\WINDOWS\SYSTEM32\DRIVERS\rfcomm.sys
2007-04-18 16:51 59,392 --------- C:\WINDOWS\SYSTEM32\logman.exe
2007-04-18 16:51 57,856 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinbtxx.sys
2007-04-18 16:51 56,623 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1btxx.sys
2007-04-18 16:51 52,224 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinraxx.sys
2007-04-18 16:51 46,464 --------- C:\WINDOWS\SYSTEM32\DRIVERS\gagp30kx.sys
2007-04-18 16:51 452,736 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtxparhm.sys
2007-04-18 16:51 44,672 --------- C:\WINDOWS\SYSTEM32\DRIVERS\uagp35.sys
2007-04-18 16:51 404,990 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slntamr.sys
2007-04-18 16:51 4,255 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv01nt5.dll
2007-04-18 16:51 38,016 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthmodem.sys
2007-04-18 16:51 36,463 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1tuxx.sys
2007-04-18 16:51 36,096 --------- C:\WINDOWS\SYSTEM32\DRIVERS\intelppm.sys
2007-04-18 16:51 35,456 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthprint.sys
2007-04-18 16:51 34,735 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1xsxx.sys
2007-04-18 16:51 327,040 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtaa.sys
2007-04-18 16:51 31,744 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinxbxx.sys
2007-04-18 16:51 30,671 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1raxx.sys
2007-04-18 16:51 30,080 --------- C:\WINDOWS\SYSTEM32\DRIVERS\rndismpx.sys
2007-04-18 16:51 3,967 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv02nt5.dll
2007-04-18 16:51 3,901 --------- C:\WINDOWS\SYSTEM32\DRIVERS\siint5.dll
2007-04-18 16:51 3,775 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv11nt5.dll
2007-04-18 16:51 3,711 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv09nt5.dll
2007-04-18 16:51 3,647 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv07nt5.dll
2007-04-18 16:51 3,615 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv05nt5.dll
2007-04-18 16:51 3,135 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv08nt5.dll
2007-04-18 16:51 29,455 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1xbxx.sys
2007-04-18 16:51 29,056 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ip6fw.sys
2007-04-18 16:51 28,672 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinsnxx.sys
2007-04-18 16:51 274,304 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2007-04-18 16:51 262,784 --------- C:\WINDOWS\SYSTEM32\DRIVERS\http.sys
2007-04-18 16:51 26,367 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1snxx.sys
2007-04-18 16:51 25,600 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hidbth.sys
2007-04-18 16:51 25,471 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv04nt5.dll
2007-04-18 16:51 220,032 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hsfbs2s2.sys
2007-04-18 16:51 21,343 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1ttxx.sys
2007-04-18 16:51 21,183 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv01nt5.dll
2007-04-18 16:51 180,360 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ntmtlfax.sys
2007-04-18 16:51 18,944 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthusb.sys
2007-04-18 16:51 17,279 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv10nt5.dll
2007-04-18 16:51 17,024 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthenum.sys
2007-04-18 16:51 166,912 --------- C:\WINDOWS\SYSTEM32\DRIVERS\s3gnbm.sys
2007-04-18 16:51 15,488 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mssmbios.sys
2007-04-18 16:51 15,423 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ch7xxnt5.dll
2007-04-18 16:51 15,104 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hidir.sys
2007-04-18 16:51 14,336 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinpdxx.sys
2007-04-18 16:51 14,143 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv06nt5.dll
2007-04-18 16:51 13,824 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinttxx.sys
2007-04-18 16:51 13,824 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinmdxx.sys
2007-04-18 16:51 13,776 --------- C:\WINDOWS\SYSTEM32\DRIVERS\recagent.sys
2007-04-18 16:51 13,240 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slwdmsup.sys
2007-04-18 16:51 129,535 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slnt7554.sys
2007-04-18 16:51 128,896 --------- C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2007-04-18 16:51 126,686 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtlmnt5.sys
2007-04-18 16:51 12,672 --------- C:\WINDOWS\SYSTEM32\DRIVERS\usb8023x.sys
2007-04-18 16:51 12,672 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mutohpen.sys
2007-04-18 16:51 12,047 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1pdxx.sys
2007-04-18 16:51 11,615 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1mdxx.sys
2007-04-18 16:51 11,359 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv02nt5.dll
2007-04-18 16:51 11,136 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sffdisk.sys
2007-04-18 16:51 104,960 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinrvxx.sys
2007-04-18 16:51 100,992 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthpan.sys
2007-04-18 16:51 10,240 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sffp_sd.sys
2007-04-18 16:51 1,309,184 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtlstrm.sys
2007-04-18 16:51 1,041,536 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hsfdpsp2.sys
2007-04-18 16:50 88,064 --------- C:\WINDOWS\SYSTEM32\p2pnetsh.dll
2007-04-18 16:50 870,784 --------- C:\WINDOWS\SYSTEM32\ati3d1ag.dll
2007-04-18 16:50 86,016 --------- C:\WINDOWS\SYSTEM32\p2pgasvc.dll
2007-04-18 16:50 81,920 --------- C:\WINDOWS\SYSTEM32\ieencode.dll
2007-04-18 16:50 81,408 --------- C:\WINDOWS\SYSTEM32\wscsvc.dll
2007-04-18 16:50 8,192 --------- C:\WINDOWS\SYSTEM32\smbinst.exe
2007-04-18 16:50 78,464 --------- C:\WINDOWS\SYSTEM32\DRIVERS\usbvideo.sys
2007-04-18 16:50 75,776 --------- C:\WINDOWS\SYSTEM32\strmfilt.dll
2007-04-18 16:50 73,832 --------- C:\WINDOWS\SYSTEM32\slcoinst.dll
2007-04-18 16:50 73,796 --------- C:\WINDOWS\SYSTEM32\slserv.exe
2007-04-18 16:50 71,680 --------- C:\WINDOWS\SYSTEM32\blastcln.exe
2007-04-18 16:50 7,680 --------- C:\WINDOWS\SYSTEM32\kbdsmsno.dll
2007-04-18 16:50 7,680 --------- C:\WINDOWS\SYSTEM32\kbdsmsfi.dll
2007-04-18 16:50 7,168 --------- C:\WINDOWS\SYSTEM32\kbdukx.dll
2007-04-18 16:50 7,168 --------- C:\WINDOWS\SYSTEM32\kbdno1.dll
2007-04-18 16:50 7,168 --------- C:\WINDOWS\SYSTEM32\kbdfi1.dll
2007-04-18 16:50 60,416 --------- C:\WINDOWS\SYSTEM32\fwcfg.dll
2007-04-18 16:50 6,656 --------- C:\WINDOWS\SYSTEM32\kbdinmal.dll
2007-04-18 16:50 6,656 --------- C:\WINDOWS\SYSTEM32\kbdinben.dll
2007-04-18 16:50 6,144 --------- C:\WINDOWS\SYSTEM32\kbdmlt48.dll
2007-04-18 16:50 6,144 --------- C:\WINDOWS\SYSTEM32\kbdmlt47.dll
2007-04-18 16:50 6,144 --------- C:\WINDOWS\SYSTEM32\kbdinbe1.dll
2007-04-18 16:50 526,848 --------- C:\WINDOWS\SYSTEM32\p2psvc.dll
2007-04-18 16:50 516,768 --------- C:\WINDOWS\SYSTEM32\ativvaxx.dll
2007-04-18 16:50 50,688 --------- C:\WINDOWS\SYSTEM32\btpanui.dll
2007-04-18 16:50 50,176 --------- C:\WINDOWS\SYSTEM32\xmlprovi.dll
2007-04-18 16:50 5,632 --------- C:\WINDOWS\SYSTEM32\kbdmaori.dll
2007-04-18 16:50 49,152 --------- C:\WINDOWS\SYSTEM32\powercfg.exe
2007-04-18 16:50 48,640 --------- C:\WINDOWS\SYSTEM32\pnrpnsp.dll
2007-04-18 16:50 44,032 --------- C:\WINDOWS\SYSTEM32\twext.dll
2007-04-18 16:50 397,056 --------- C:\WINDOWS\SYSTEM32\s3gnb.dll
2007-04-18 16:50 377,984 --------- C:\WINDOWS\SYSTEM32\ati2dvaa.dll
2007-04-18 16:50 32,866 --------- C:\WINDOWS\SYSTEM32\slrundll.exe
2007-04-18 16:50 32,866 --------- C:\WINDOWS\slrundll.exe
2007-04-18 16:50 32,768 --------- C:\WINDOWS\SYSTEM32\ativtmxx.dll
2007-04-18 16:50 32,285 --------- C:\WINDOWS\SYSTEM32\hsfcisp2.dll
2007-04-18 16:50 312,320 --------- C:\WINDOWS\SYSTEM32\p2pgraph.dll
2007-04-18 16:50 30,208 --------- C:\WINDOWS\SYSTEM32\bthserv.dll
2007-04-18 16:50 29,184 --------- C:\WINDOWS\SYSTEM32\sdhcinst.dll
2007-04-18 16:50 286,792 --------- C:\WINDOWS\SYSTEM32\slextspk.dll
2007-04-18 16:50 25,471 --------- C:\WINDOWS\SYSTEM32\DRIVERS\watv10nt.sys
2007-04-18 16:50 24,576 --------- C:\WINDOWS\SYSTEM32\httpapi.dll
2007-04-18 16:50 23,040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2007-04-18 16:50 229,376 --------- C:\WINDOWS\SYSTEM32\ati2cqag.dll
2007-04-18 16:50 22,271 --------- C:\WINDOWS\SYSTEM32\DRIVERS\watv06nt.sys
2007-04-18 16:50 201,728 --------- C:\WINDOWS\SYSTEM32\ati2dvag.dll
2007-04-18 16:50 20,992 --------- C:\WINDOWS\SYSTEM32\bthci.dll
2007-04-18 16:50 2,113,536 --------- C:\WINDOWS\SYSTEM32\dxdiagn.dll
2007-04-18 16:50 193,024 --------- C:\WINDOWS\SYSTEM32\fsquirt.exe
2007-04-18 16:50 188,508 --------- C:\WINDOWS\SYSTEM32\slgen.dll
2007-04-18 16:50 17,408 --------- C:\WINDOWS\SYSTEM32\winshfhc.dll
2007-04-18 16:50 16,896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2007-04-18 16:50 15,872 --------- C:\WINDOWS\SYSTEM32\w3ssl.dll
2007-04-18 16:50 14,336 --------- C:\WINDOWS\SYSTEM32\auditusr.exe
2007-04-18 16:50 13,824 --------- C:\WINDOWS\SYSTEM32\wscntfy.exe
2007-04-18 16:50 13,824 --------- C:\WINDOWS\SYSTEM32\cmsetacl.dll
2007-04-18 16:50 13,568 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wacompen.sys
2007-04-18 16:50 129,536 --------- C:\WINDOWS\SYSTEM32\xmlprov.dll
2007-04-18 16:50 118,784 --------- C:\WINDOWS\SYSTEM32\msdadiag.dll
2007-04-18 16:50 116,224 --------- C:\WINDOWS\SYSTEM32\p2p.dll
2007-04-18 16:50 11,935 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv11nt.sys
2007-04-18 16:50 11,871 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv09nt.sys
2007-04-18 16:50 11,807 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv07nt.sys
2007-04-18 16:50 11,325 --------- C:\WINDOWS\SYSTEM32\DRIVERS\vchnt5.dll
2007-04-18 16:50 11,295 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv08nt.sys
2007-04-18 16:50 108,032 --------- C:\WINDOWS\SYSTEM32\wshbth.dll
2007-04-18 16:50 1,888,992 --------- C:\WINDOWS\SYSTEM32\ati3duag.dll
2007-04-18 16:50 1,737,856 --------- C:\WINDOWS\SYSTEM32\mtxparhd.dll
2007-04-18 16:50 1,689,088 --------- C:\WINDOWS\SYSTEM32\d3d9.dll
2007-04-18 16:50 <DIR> d-------- C:\WINDOWS\provisioning
2007-04-18 16:50 <DIR> d-------- C:\WINDOWS\peernet
2007-04-18 16:45 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-04-18 16:37 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-04-18 16:32 <DIR> d-------- C:\WINDOWS\EHome
2007-04-18 16:00 21,822,168 --a------ C:\AdbeRdr80_en_US.exe
2007-04-17 12:20 75,291 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\bkpcmxp.sys
2007-04-17 12:20 73,728 --a------ C:\WINDOWS\SYSTEM32\install.dll
2007-04-17 12:20 61,440 --a------ C:\WINDOWS\SYSTEM32\w32n50.dll
2007-04-17 12:20 462,848 --a------ C:\WINDOWS\SYSTEM32\monitorbk.exe
2007-04-17 12:20 36,864 --a------ C:\WINDOWS\SYSTEM32\WRLSetup.exe
2007-04-17 12:20 16,068 --a------ C:\WINDOWS\SYSTEM32\pcandis5.sys
2007-04-17 12:20 <DIR> d-------- C:\Program Files\Belkin
2007-04-12 16:19 <DIR> d-------- C:\Temp
2007-04-12 16:14 545,560 --a------ C:\AdbeRdr80_DLM_en_US.exe
2007-04-11 20:10 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-04-10 19:52 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-04-10 17:33 <DIR> d-------- C:\DOCUME~1\CAMPBE~1\APPLIC~1\Google
2007-04-10 17:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-04-10 16:45 <DIR> d-------- C:\Program Files\Google
2007-04-09 23:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\SoftwareDistribution
2007-04-09 21:52 <DIR> d-------- C:\Program Files\Yahoo!
2007-04-09 18:18 465,368 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-04-09 18:18 41,432 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-04-09 18:18 194,520 --a------ C:\WINDOWS\SYSTEM32\wuaueng1.dll
2007-04-09 18:18 174,040 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-04-09 18:18 172,504 --a------ C:\WINDOWS\SYSTEM32\wuauclt1.exe
2007-04-09 18:18 127,448 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-04-09 18:18 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-04-03 21:43 <DIR> d-------- C:\Program Files\mIRC
2007-04-03 20:46 <DIR> d-------- C:\DOCUME~1\CAMPBE~1\Contacts
2007-04-03 20:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Live Toolbar
2007-04-03 20:42 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2007-04-03 20:42 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-04-03 20:41 <DIR> d-------- C:\Program Files\MSN Messenger
2007-04-03 20:22 18,040,176 --a------ C:\Install_Messenger_nous.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-01 16:13 -------- d--h----- C:\Program Files\installshield installation information
2007-04-23 12:20 44288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys
2007-04-23 11:03 -------- d-------- C:\Program Files\messenger
2007-04-23 09:20 -------- d-------- C:\Program Files\digital line detect
2007-04-18 16:50 -------- d-------- C:\Program Files\movie maker
2007-04-18 16:45 -------- d-------- C:\Program Files\windows nt
2007-04-18 16:30 -------- d-------- C:\Program Files\dell
2007-04-17 16:27 -------- d-------- C:\Program Files\epson
2007-04-09 18:18 -------- d--h----- C:\Program Files\windowsupdate
2007-03-17 23:43 292864 --a------ C:\WINDOWS\SYSTEM32\winsrv.dll
2007-03-09 01:36 577536 --a------ C:\WINDOWS\SYSTEM32\user32.dll
2007-03-09 01:36 40960 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-03-09 01:36 281600 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-03-08 23:47 1843584 --a------ C:\WINDOWS\SYSTEM32\win32k.sys
2007-02-06 06:17 185344 --a------ C:\WINDOWS\SYSTEM32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Logitech Utility"="Logi_MwX.Exe"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"WorkFlowTray"="\"C:\\Program Files\\ScanSoft\\OmniPagePro14.0\\WorkFlowTray.exe\""
"Opware14"="\"C:\\Program Files\\ScanSoft\\OmniPagePro14.0\\Opware14.exe\""
"OpScheduler"="\"C:\\Program Files\\ScanSoft\\OmniPagePro14.0\\OpScheduler.exe\""
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"RoxioAudioCentral"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton Security Scan.job
C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-01 16:28:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-01 16:31:20 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-05-01 16:31
C:\ComboFix2.txt ... 07-04-23 15:32
C:\ComboFix3.txt ... 07-04-23 13:55

tbri1559
2007-05-01, 09:52
Logfile of HijackThis v1.99.1
Scan saved at 4:51:48 PM, on 1/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\monitorbk.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Anti-Spyware\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINDOWS\SYSTEM32\monitorbk.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

tbri1559
2007-05-01, 10:02
When I try to enter the service name you gave me it says it cannot be found. I'm glad you know what you're doing because computers drive me nuts!
There has been a huge improvement in the running of the machine since we started fixing it. Right from the start it doesn't redirect me any more.
Tom

Angelfire777
2007-05-02, 08:04
When I try to enter the service name you gave me it says it cannot be found. I'm glad you know what you're doing because computers drive me nuts!
There has been a huge improvement in the running of the machine since we started fixing it. Right from the start it doesn't redirect me any more.
Tom

Glad to hear that! However, this thing is still a bit stubborn...


You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode:

Click Start > Turn Off Computer > Restart > Tap the F8 key just before Windows starts to load > This will bring up a menu > Use your keyboard to scroll to Safe Mode > Hit Enter.


*Click Start > Run > copy and paste this command, please:

"%userprofile%\desktop\combofix.exe" /v apwdscfn mntrycpo qchxqoad

Reboot to normal mode then post a fresh HijackThis log.

tbri1559
2007-05-03, 06:08
Logfile of HijackThis v1.99.1
Scan saved at 1:08:20 PM, on 3/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\SYSTEM32\monitorbk.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Anti-Spyware\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINDOWS\SYSTEM32\monitorbk.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Tom

Angelfire777
2007-05-03, 08:09
I'm sorry, please post the ComboFix log as well...

tbri1559
2007-05-08, 10:36
Hi,
Sorry it took so long to get back. Long weekend here!

"Campbell Bridge" - 07-05-08 17:24:19 Service Pack 2 [SAFE MODE]
ComboFix 07-04-22.6V - Running from: "C:\Documents and Settings\Campbell Bridge\Desktop\"
Command switches used :: "/v apwdscfn mntrycpo qchxqoad"


((((((((((((((((((((((((((((((( Files Created from 2007-04-08 to 2007-05-08 ))))))))))))))))))))))))))))))))))


2007-05-07 14:29 <DIR> d-------- C:\Program Files\QuickTime
2007-05-04 15:09 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-05-04 15:00 <DIR> d-------- C:\Program Files\Common Files\SYMANT~1
2007-05-01 16:40 <DIR> d-------- C:\Program Files\Skype
2007-05-01 16:40 <DIR> d-------- C:\DOCUME~1\CAMPBE~1\APPLIC~1\Skype
2007-04-23 20:48 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2007-04-23 18:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-23 13:55 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-23 12:23 499,712 --a------ C:\WINDOWS\SYSTEM32\msvcp71.dll
2007-04-23 12:23 348,160 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-04-23 12:19 21,299,912 --a------ C:\Program Files\avg75free_463a1000.exe
2007-04-23 10:12 <DIR> d-------- C:\Anti-Spyware
2007-04-23 08:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-04-22 19:19 <DIR> d-------- C:\WINDOWS\Prefetch
2007-04-22 11:51 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-21 20:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-21 15:51 <DIR> d-------- C:\Program Files\CCleaner
2007-04-21 12:44 <DIR> d-------- C:\16e7a3799cc4ff36826d19da47c626
2007-04-20 14:47 842,672 --a------ C:\Program Files\slsk156c.exe
2007-04-20 14:47 <DIR> d-------- C:\Program Files\Soulseek
2007-04-20 14:15 28,672 --------- C:\WINDOWS\SYSTEM32\verclsid.exe
2007-04-20 14:06 <DIR> d-------- C:\Program Files\iPod
2007-04-20 14:06 <DIR> d-------- C:\DOCUME~1\CAMPBE~1\APPLIC~1\Apple Computer
2007-04-20 14:05 <DIR> d-------- C:\Program Files\iTunes
2007-04-20 14:03 <DIR> d-------- C:\Program Files\Apple Software Update
2007-04-20 14:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-04-20 14:01 37,860,928 --a------ C:\Program Files\iTunesSetup.exe
2007-04-19 00:26 <DIR> d-------- C:\DOCUME~1\CAMPBE~1\APPLIC~1\AdobeAUM
2007-04-19 00:23 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-04-19 00:10 21,822,168 --a------ C:\Program Files\AdbeRdr80_en_US.exe
2007-04-19 00:05 811,560 --a------ C:\Program Files\GoogleToolbarInstaller_ADBx_en_401019_signed.exe
2007-04-19 00:05 7,050,552 --a------ C:\Program Files\psa30se_en_us.exe
2007-04-18 23:53 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-04-18 23:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2007-04-18 16:51 95,424 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slnthal.sys
2007-04-18 16:51 9,216 --------- C:\WINDOWS\SYSTEM32\proxycfg.exe
2007-04-18 16:51 73,216 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atintuxx.sys
2007-04-18 16:51 701,440 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys
2007-04-18 16:51 685,056 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hsfcxts2.sys
2007-04-18 16:51 67,584 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sdbus.sys
2007-04-18 16:51 63,663 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1rvxx.sys
2007-04-18 16:51 63,488 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinxsxx.sys
2007-04-18 16:51 6,016 --------- C:\WINDOWS\SYSTEM32\DRIVERS\smbali.sys
2007-04-18 16:51 59,648 --------- C:\WINDOWS\SYSTEM32\DRIVERS\rfcomm.sys
2007-04-18 16:51 59,392 --------- C:\WINDOWS\SYSTEM32\logman.exe
2007-04-18 16:51 57,856 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinbtxx.sys
2007-04-18 16:51 56,623 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1btxx.sys
2007-04-18 16:51 52,224 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinraxx.sys
2007-04-18 16:51 46,464 --------- C:\WINDOWS\SYSTEM32\DRIVERS\gagp30kx.sys
2007-04-18 16:51 452,736 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtxparhm.sys
2007-04-18 16:51 44,672 --------- C:\WINDOWS\SYSTEM32\DRIVERS\uagp35.sys
2007-04-18 16:51 404,990 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slntamr.sys
2007-04-18 16:51 4,255 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv01nt5.dll
2007-04-18 16:51 38,016 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthmodem.sys
2007-04-18 16:51 36,463 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1tuxx.sys
2007-04-18 16:51 36,096 --------- C:\WINDOWS\SYSTEM32\DRIVERS\intelppm.sys
2007-04-18 16:51 35,456 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthprint.sys
2007-04-18 16:51 34,735 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1xsxx.sys
2007-04-18 16:51 327,040 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtaa.sys
2007-04-18 16:51 31,744 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinxbxx.sys
2007-04-18 16:51 30,671 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1raxx.sys
2007-04-18 16:51 30,080 --------- C:\WINDOWS\SYSTEM32\DRIVERS\rndismpx.sys
2007-04-18 16:51 3,967 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv02nt5.dll
2007-04-18 16:51 3,901 --------- C:\WINDOWS\SYSTEM32\DRIVERS\siint5.dll
2007-04-18 16:51 3,775 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv11nt5.dll
2007-04-18 16:51 3,711 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv09nt5.dll
2007-04-18 16:51 3,647 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv07nt5.dll
2007-04-18 16:51 3,615 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv05nt5.dll
2007-04-18 16:51 3,135 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv08nt5.dll
2007-04-18 16:51 29,455 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1xbxx.sys
2007-04-18 16:51 29,056 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ip6fw.sys
2007-04-18 16:51 28,672 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinsnxx.sys
2007-04-18 16:51 274,304 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2007-04-18 16:51 262,784 --------- C:\WINDOWS\SYSTEM32\DRIVERS\http.sys
2007-04-18 16:51 26,367 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1snxx.sys
2007-04-18 16:51 25,600 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hidbth.sys
2007-04-18 16:51 25,471 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv04nt5.dll
2007-04-18 16:51 220,032 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hsfbs2s2.sys
2007-04-18 16:51 21,343 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1ttxx.sys
2007-04-18 16:51 21,183 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv01nt5.dll
2007-04-18 16:51 180,360 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ntmtlfax.sys
2007-04-18 16:51 18,944 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthusb.sys
2007-04-18 16:51 17,279 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv10nt5.dll
2007-04-18 16:51 17,024 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthenum.sys
2007-04-18 16:51 166,912 --------- C:\WINDOWS\SYSTEM32\DRIVERS\s3gnbm.sys
2007-04-18 16:51 15,488 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mssmbios.sys
2007-04-18 16:51 15,423 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ch7xxnt5.dll
2007-04-18 16:51 15,104 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hidir.sys
2007-04-18 16:51 14,336 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinpdxx.sys
2007-04-18 16:51 14,143 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv06nt5.dll
2007-04-18 16:51 13,824 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinttxx.sys
2007-04-18 16:51 13,824 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinmdxx.sys
2007-04-18 16:51 13,776 --------- C:\WINDOWS\SYSTEM32\DRIVERS\recagent.sys
2007-04-18 16:51 13,240 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slwdmsup.sys
2007-04-18 16:51 129,535 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slnt7554.sys
2007-04-18 16:51 128,896 --------- C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2007-04-18 16:51 126,686 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtlmnt5.sys
2007-04-18 16:51 12,672 --------- C:\WINDOWS\SYSTEM32\DRIVERS\usb8023x.sys
2007-04-18 16:51 12,672 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mutohpen.sys
2007-04-18 16:51 12,047 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1pdxx.sys
2007-04-18 16:51 11,615 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1mdxx.sys
2007-04-18 16:51 11,359 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv02nt5.dll
2007-04-18 16:51 11,136 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sffdisk.sys
2007-04-18 16:51 104,960 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinrvxx.sys
2007-04-18 16:51 100,992 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthpan.sys
2007-04-18 16:51 10,240 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sffp_sd.sys
2007-04-18 16:51 1,309,184 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtlstrm.sys
2007-04-18 16:51 1,041,536 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hsfdpsp2.sys
2007-04-18 16:50 88,064 --------- C:\WINDOWS\SYSTEM32\p2pnetsh.dll
2007-04-18 16:50 870,784 --------- C:\WINDOWS\SYSTEM32\ati3d1ag.dll
2007-04-18 16:50 86,016 --------- C:\WINDOWS\SYSTEM32\p2pgasvc.dll
2007-04-18 16:50 81,920 --------- C:\WINDOWS\SYSTEM32\ieencode.dll
2007-04-18 16:50 81,408 --------- C:\WINDOWS\SYSTEM32\wscsvc.dll
2007-04-18 16:50 8,192 --------- C:\WINDOWS\SYSTEM32\smbinst.exe
2007-04-18 16:50 78,464 --------- C:\WINDOWS\SYSTEM32\DRIVERS\usbvideo.sys
2007-04-18 16:50 75,776 --------- C:\WINDOWS\SYSTEM32\strmfilt.dll
2007-04-18 16:50 73,832 --------- C:\WINDOWS\SYSTEM32\slcoinst.dll
2007-04-18 16:50 73,796 --------- C:\WINDOWS\SYSTEM32\slserv.exe
2007-04-18 16:50 71,680 --------- C:\WINDOWS\SYSTEM32\blastcln.exe
2007-04-18 16:50 7,680 --------- C:\WINDOWS\SYSTEM32\kbdsmsno.dll
2007-04-18 16:50 7,680 --------- C:\WINDOWS\SYSTEM32\kbdsmsfi.dll
2007-04-18 16:50 7,168 --------- C:\WINDOWS\SYSTEM32\kbdukx.dll
2007-04-18 16:50 7,168 --------- C:\WINDOWS\SYSTEM32\kbdno1.dll
2007-04-18 16:50 7,168 --------- C:\WINDOWS\SYSTEM32\kbdfi1.dll
2007-04-18 16:50 60,416 --------- C:\WINDOWS\SYSTEM32\fwcfg.dll
2007-04-18 16:50 6,656 --------- C:\WINDOWS\SYSTEM32\kbdinmal.dll
2007-04-18 16:50 6,656 --------- C:\WINDOWS\SYSTEM32\kbdinben.dll
2007-04-18 16:50 6,144 --------- C:\WINDOWS\SYSTEM32\kbdmlt48.dll
2007-04-18 16:50 6,144 --------- C:\WINDOWS\SYSTEM32\kbdmlt47.dll
2007-04-18 16:50 6,144 --------- C:\WINDOWS\SYSTEM32\kbdinbe1.dll
2007-04-18 16:50 526,848 --------- C:\WINDOWS\SYSTEM32\p2psvc.dll
2007-04-18 16:50 516,768 --------- C:\WINDOWS\SYSTEM32\ativvaxx.dll
2007-04-18 16:50 50,688 --------- C:\WINDOWS\SYSTEM32\btpanui.dll
2007-04-18 16:50 50,176 --------- C:\WINDOWS\SYSTEM32\xmlprovi.dll
2007-04-18 16:50 5,632 --------- C:\WINDOWS\SYSTEM32\kbdmaori.dll
2007-04-18 16:50 49,152 --------- C:\WINDOWS\SYSTEM32\powercfg.exe
2007-04-18 16:50 48,640 --------- C:\WINDOWS\SYSTEM32\pnrpnsp.dll
2007-04-18 16:50 44,032 --------- C:\WINDOWS\SYSTEM32\twext.dll
2007-04-18 16:50 397,056 --------- C:\WINDOWS\SYSTEM32\s3gnb.dll
2007-04-18 16:50 377,984 --------- C:\WINDOWS\SYSTEM32\ati2dvaa.dll
2007-04-18 16:50 32,866 --------- C:\WINDOWS\SYSTEM32\slrundll.exe
2007-04-18 16:50 32,866 --------- C:\WINDOWS\slrundll.exe
2007-04-18 16:50 32,768 --------- C:\WINDOWS\SYSTEM32\ativtmxx.dll
2007-04-18 16:50 32,285 --------- C:\WINDOWS\SYSTEM32\hsfcisp2.dll
2007-04-18 16:50 312,320 --------- C:\WINDOWS\SYSTEM32\p2pgraph.dll
2007-04-18 16:50 30,208 --------- C:\WINDOWS\SYSTEM32\bthserv.dll
2007-04-18 16:50 29,184 --------- C:\WINDOWS\SYSTEM32\sdhcinst.dll
2007-04-18 16:50 286,792 --------- C:\WINDOWS\SYSTEM32\slextspk.dll
2007-04-18 16:50 25,471 --------- C:\WINDOWS\SYSTEM32\DRIVERS\watv10nt.sys
2007-04-18 16:50 24,576 --------- C:\WINDOWS\SYSTEM32\httpapi.dll
2007-04-18 16:50 23,040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2007-04-18 16:50 229,376 --------- C:\WINDOWS\SYSTEM32\ati2cqag.dll
2007-04-18 16:50 22,271 --------- C:\WINDOWS\SYSTEM32\DRIVERS\watv06nt.sys
2007-04-18 16:50 201,728 --------- C:\WINDOWS\SYSTEM32\ati2dvag.dll
2007-04-18 16:50 20,992 --------- C:\WINDOWS\SYSTEM32\bthci.dll
2007-04-18 16:50 2,113,536 --------- C:\WINDOWS\SYSTEM32\dxdiagn.dll
2007-04-18 16:50 193,024 --------- C:\WINDOWS\SYSTEM32\fsquirt.exe
2007-04-18 16:50 188,508 --------- C:\WINDOWS\SYSTEM32\slgen.dll
2007-04-18 16:50 17,408 --------- C:\WINDOWS\SYSTEM32\winshfhc.dll
2007-04-18 16:50 16,896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2007-04-18 16:50 15,872 --------- C:\WINDOWS\SYSTEM32\w3ssl.dll
2007-04-18 16:50 14,336 --------- C:\WINDOWS\SYSTEM32\auditusr.exe
2007-04-18 16:50 13,824 --------- C:\WINDOWS\SYSTEM32\wscntfy.exe
2007-04-18 16:50 13,824 --------- C:\WINDOWS\SYSTEM32\cmsetacl.dll
2007-04-18 16:50 13,568 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wacompen.sys
2007-04-18 16:50 129,536 --------- C:\WINDOWS\SYSTEM32\xmlprov.dll
2007-04-18 16:50 118,784 --------- C:\WINDOWS\SYSTEM32\msdadiag.dll
2007-04-18 16:50 116,224 --------- C:\WINDOWS\SYSTEM32\p2p.dll
2007-04-18 16:50 11,935 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv11nt.sys
2007-04-18 16:50 11,871 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv09nt.sys
2007-04-18 16:50 11,807 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv07nt.sys
2007-04-18 16:50 11,325 --------- C:\WINDOWS\SYSTEM32\DRIVERS\vchnt5.dll
2007-04-18 16:50 11,295 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv08nt.sys
2007-04-18 16:50 108,032 --------- C:\WINDOWS\SYSTEM32\wshbth.dll
2007-04-18 16:50 1,888,992 --------- C:\WINDOWS\SYSTEM32\ati3duag.dll
2007-04-18 16:50 1,737,856 --------- C:\WINDOWS\SYSTEM32\mtxparhd.dll
2007-04-18 16:50 1,689,088 --------- C:\WINDOWS\SYSTEM32\d3d9.dll
2007-04-18 16:50 <DIR> d-------- C:\WINDOWS\provisioning
2007-04-18 16:50 <DIR> d-------- C:\WINDOWS\peernet
2007-04-18 16:45 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-04-18 16:37 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-04-18 16:32 <DIR> d-------- C:\WINDOWS\EHome
2007-04-18 16:00 21,822,168 --a------ C:\AdbeRdr80_en_US.exe
2007-04-17 12:20 75,291 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\bkpcmxp.sys
2007-04-17 12:20 73,728 --a------ C:\WINDOWS\SYSTEM32\install.dll
2007-04-17 12:20 61,440 --a------ C:\WINDOWS\SYSTEM32\w32n50.dll
2007-04-17 12:20 462,848 --a------ C:\WINDOWS\SYSTEM32\monitorbk.exe
2007-04-17 12:20 36,864 --a------ C:\WINDOWS\SYSTEM32\WRLSetup.exe
2007-04-17 12:20 16,068 --a------ C:\WINDOWS\SYSTEM32\pcandis5.sys
2007-04-17 12:20 <DIR> d-------- C:\Program Files\Belkin
2007-04-12 16:19 <DIR> d-------- C:\Temp
2007-04-12 16:14 545,560 --a------ C:\AdbeRdr80_DLM_en_US.exe
2007-04-11 20:10 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-04-10 19:52 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-04-10 17:33 <DIR> d-------- C:\DOCUME~1\CAMPBE~1\APPLIC~1\Google
2007-04-10 17:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-04-10 16:45 <DIR> d-------- C:\Program Files\Google
2007-04-09 23:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\SoftwareDistribution
2007-04-09 21:52 <DIR> d-------- C:\Program Files\Yahoo!
2007-04-09 18:18 465,368 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-04-09 18:18 41,432 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-04-09 18:18 194,520 --a------ C:\WINDOWS\SYSTEM32\wuaueng1.dll
2007-04-09 18:18 174,040 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-04-09 18:18 172,504 --a------ C:\WINDOWS\SYSTEM32\wuauclt1.exe
2007-04-09 18:18 127,448 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-04-09 18:18 <DIR> d-------- C:\WINDOWS\SoftwareDistribution


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-07 18:34 -------- d-------- C:\Program Files\mirc
2007-05-01 16:13 -------- d--h----- C:\Program Files\installshield installation information
2007-04-23 12:20 44288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys
2007-04-23 11:03 -------- d-------- C:\Program Files\messenger
2007-04-23 09:23 -------- d-------- C:\Program Files\msn messenger
2007-04-23 09:20 -------- d-------- C:\Program Files\digital line detect
2007-04-21 19:49 -------- d-------- C:\Program Files\windows live toolbar
2007-04-18 16:50 -------- d-------- C:\Program Files\movie maker
2007-04-18 16:45 -------- d-------- C:\Program Files\windows nt
2007-04-18 16:30 -------- d-------- C:\Program Files\dell
2007-04-17 16:27 -------- d-------- C:\Program Files\epson
2007-04-09 18:18 -------- d--h----- C:\Program Files\windowsupdate
2007-04-03 20:22 18040176 --a------ C:\Install_Messenger_nous.exe
2007-03-17 23:43 292864 --a------ C:\WINDOWS\SYSTEM32\winsrv.dll
2007-03-09 01:36 577536 --a------ C:\WINDOWS\SYSTEM32\user32.dll
2007-03-09 01:36 40960 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-03-09 01:36 281600 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-03-08 23:47 1843584 --a------ C:\WINDOWS\SYSTEM32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"Logitech Utility"="Logi_MwX.Exe"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"WorkFlowTray"="\"C:\\Program Files\\ScanSoft\\OmniPagePro14.0\\WorkFlowTray.exe\""
"Opware14"="\"C:\\Program Files\\ScanSoft\\OmniPagePro14.0\\Opware14.exe\""
"OpScheduler"="\"C:\\Program Files\\ScanSoft\\OmniPagePro14.0\\OpScheduler.exe\""
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"RoxioAudioCentral"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton Security Scan.job
C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-08 17:27:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-08 17:27:51
C:\ComboFix-quarantined-files.txt ... 07-05-08 17:27
C:\ComboFix2.txt ... 07-05-02 17:37
C:\ComboFix3.txt ... 07-05-01 16:31
C:\ComboFix4.txt ... 07-05-02 17:59

Tom

Angelfire777
2007-05-08, 18:03
How is it running?

tbri1559
2007-05-09, 02:38
Much better thanks! It's not the newest machine so it's not too quick by nature, but it's heaps better than it was. Plus I'm not getting my searches redirected any more, which was really annoying! Thanks very much for your help, it is much appreciated. Is there anything else I should do now?
Tom

Angelfire777
2007-05-09, 20:59
Is there anything else I should do now?

Yes, read my prevention tips and that's an order!...

Just kidding, but it would help a lot if you take time to read this stuff :D:

Congratulations! Your log looks clean!


This is a good time to clear your existing system restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore

Select Create a restore point, and Ok it.

Next, go to Start > Run and type in cleanmgr

Select the More options tab

Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.
______________________
Here are some free programs I recommend that could help you improve your pc's security.

Firewall Application - Although Windows XP comes with a firewall, you should not rely on it because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present in your computer can access the internet with no restrictions. There are several other firewalls that can protect you better by filtering incoming and outgoing data. Make sure you get only one of these.

» ZoneAlarm (http://www.zonelabs.com)
» Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)

Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
~You can download it from here (http://www.winpatrol.com/download.html)
~You can get some information about how WinPatrol works here (http://www.winpatrol.com/features.html)

IESpyAds
~You can download it from here (http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD)
~If you want to know how IEspyads work you can take a look at it here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
~Please note that IESpyAds only works with Internet Explorer.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)

Happy safe surfing!
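The restore-point reset described in the post above (create one fresh point, then discard the old ones that may still hold infected files) can also be done from the command line. The script below is an added example, not part of the thread and not ComboFix or any helper's tool; it assumes Windows PowerShell on a client edition of Windows, an elevated prompt, and a system drive of C:. It uses a different mechanism from cleanmgr: disabling System Restore on a drive discards every restore point for that drive, so the new clean point is created after the wipe rather than before it. The end state is the same, a single known-clean restore point.

```powershell
# Added example (not from the thread): leave exactly one fresh, known-clean
# System Restore point on the system drive.
# Assumptions: Windows PowerShell, run from an elevated prompt, system drive C:.
param(
    [string]$Drive = 'C:\',                                   # assumed system drive
    [string]$Description = 'Clean point after malware removal' # constructed label
)

function Get-RestorePointSummary {
    # Get-ComputerRestorePoint returns WMI SystemRestore objects whose CreationTime
    # is in DMTF format; ConvertToDateTime makes it readable.
    Get-ComputerRestorePoint |
        Select-Object SequenceNumber, Description,
            @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
}

Write-Host "Restore points before reset:"
Get-RestorePointSummary | Format-Table -AutoSize

# Turning System Restore off for a drive deletes all of its restore points.
# This replaces the 'clean up system restore' step done through cleanmgr in the
# post, but note it removes ALL points, including any created earlier today.
Disable-ComputerRestore -Drive $Drive
Enable-ComputerRestore  -Drive $Drive

# Now create the single clean point that should remain.
Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'

Write-Host "Restore points after reset:"
Get-RestorePointSummary | Format-Table -AutoSize
```

On the Windows XP SP2 machine in this thread the GUI route the post gives is the one that applies; these cmdlets are for later Windows versions. On Windows 8 and later, Checkpoint-Computer silently skips creation if another restore point was made in the previous 24 hours unless the SystemRestorePointCreationFrequency value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore is set to 0, so check the "after" listing rather than assuming the new point exists.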

Angelfire777
2007-05-12, 01:02
Glad we could be of assistance :bigthumb:

Since the problem has been resolved, this topic is now closed and archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.