View Full Version : Smitfraud-C Plus Other Issues - At Wit's End!
rocket1981
2007-10-10, 07:51
I've been having problems with Smitfraud-C and other related issues, including a pop-up IE site trying to sell me a virus program. Spybot seems to identify the malware, but the malware reinstalls itself. For background, I've tried the smitfraudfix program, spybot, avg antispyware, adaware, and spyware blaster. I owe a debt of gratitude to anyone who can help!
Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:48, on 2007-10-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nusrmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = news.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: metaspinner GmbH - {7C7A8947-5935-4430-AC0E-E7D04697414E} - C:\PROGRA~1\BUYERT~1\IEBUTT~1.DLL (file missing)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - tcprp.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: oembios32.msdn_hlp - {D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF} - C:\WINDOWS\system32\oembios32.dll
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [{6B-BA-A1-10-ZN}] C:\Documents and Settings\Administrator\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [hotygex] C:\Program Files\Internet Explorer\hotygex22011.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [Buyertools Reminder] "C:\PROGRA~1\BUYERT~1\Reminder.exe" /autorun
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\thinksnet.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138401221257
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O21 - SSODL: System - {78B56EFA-BF84-4E7E-B973-4E334128252A} - C:\WINDOWS\system32\system32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 8241 bytes
Hello and welcome to the FOrums :)
YOu're infected.
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
rocket1981
2007-10-14, 02:34
Thanks for your help. Here's my combofix log:
ComboFix 07-10-12.4 - Administrator 2007-10-13 18:01:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.80 [GMT -5:00]
Running from: C:\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\TA_Start.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ta_start.lnk
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\drivers\bg_bg.gif
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\close_ico.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\icon_warning_big.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\remove_spyware_header.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\spyware_detected.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_ico.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\l3acdb2.dll
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\nusrmgr.exe
C:\WINDOWS\system32\oembios32.dll
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-13 to 2007-10-13 )))))))))))))))))))))))))))))))
.
2007-10-09 22:02 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-08 21:51 21,312 --a------ C:\WINDOWS\choice.exe
2007-10-08 21:50 <DIR> d----c--- C:\ie-spyad
2007-10-08 21:49 536,811 --a------ C:\ie-spyad.exe
2007-10-08 21:47 <DIR> d-------- C:\Program Files\Comodo
2007-10-08 21:47 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\BOC425
2007-10-08 21:47 235,008 --a------ C:\WINDOWS\UNBOC.EXE
2007-10-08 21:47 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2007-10-08 21:46 1,284,112 --a------ C:\CBO_Setup_4.25.exe
2007-10-08 21:41 25,856 --a------ C:\WINDOWS\system32\ace16win.dll
2007-10-08 21:16 <DIR> d-------- C:\SmitfraudFix
2007-10-08 20:56 2,692 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-08 20:52 <DIR> d-------- C:\Program Files\JustZIPit
2007-10-08 20:52 381,952 --a------ C:\justzipit.exe
2007-10-05 22:23 <DIR> d-------- C:\Documents and Settings\Administrator\Shared
2007-10-05 22:23 <DIR> d-------- C:\Documents and Settings\Administrator\Incomplete
2007-10-05 22:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2007-10-05 22:02 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-05 22:01 <DIR> d-------- C:\Program Files\LimeWire
2007-10-05 22:00 3,380,048 --a------ C:\LimeWireWin.exe
2007-10-02 21:36 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-02 21:34 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-02 21:33 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-02 21:32 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2007-10-02 21:24 51,422,520 --a------ C:\iTunes743Setup.exe
2007-09-21 22:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-09-21 22:52 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2007-09-21 22:52 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-21 22:50 12,413,440 --a------ C:\avgas-setup-7.5.1.43.exe
2007-09-21 21:55 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-21 21:54 1,522,217 --a------ C:\ComboFix.exe
2007-09-21 21:48 <DIR> d----c--- C:\VundoFix Backups
2007-09-21 21:48 113,664 --a------ C:\VundoFix.exe
2007-09-21 21:35 812,344 --a------ C:\HJTInstall.exe
2007-09-21 21:27 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-09-21 21:26 2,566,736 --a------ C:\spywareblastersetup351.exe
2007-09-21 19:57 108,808 --a------ C:\spybotsd_tcpip.exe
2007-09-21 19:53 126,648 --a--c--- C:\TCPIPAddress.dll
2007-09-21 19:25 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-21 19:25 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2007-09-20 22:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2007-09-20 22:25 486,449 --a------ C:\Fixwareout.exe
2007-09-20 22:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-20 22:20 19,142,000 --a------ C:\aaw2007.exe
2007-09-17 21:46 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-09-17 21:44 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-09-17 21:19 21,504 --a------ C:\WINDOWS\system32\tcprp.dll
2007-09-17 21:19 21,504 --a------ C:\WINDOWS\system32\sipov.dll
2007-09-14 19:00 0 --a------ C:\WINDOWS\system32\ntkrpamp.exe
2007-09-14 19:00 0 --a------ C:\WINDOWS\system32\ntkrnlmp.exe
rocket1981
2007-10-14, 02:36
continued . . .
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-10 12:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\BitTorrent
2007-10-06 03:09 --------- d-----w C:\Program Files\Java
2007-10-03 03:00 --------- d-----w C:\Program Files\iTunes
2007-10-03 02:59 --------- d-----w C:\Program Files\iPod
2007-10-03 02:47 --------- d-----w C:\Program Files\QuickTime
2007-10-03 02:44 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2007-09-22 02:35 --------- d-----w C:\Program Files\Trend Micro
2007-09-22 00:52 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-09-21 03:38 --------- d-----w C:\Program Files\Lavasoft
2007-09-15 00:03 --------- d-----w C:\Program Files\BitTorrent
2007-09-12 01:31 5,037,072 ----a-w C:\spybotsd14.exe
2007-09-09 16:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Viewpoint
2007-02-01 11:14 722,176 ----a-w C:\Documents and Settings\Administrator\gotomypc_428.exe
2006-12-19 01:57 5,900,416 ----a-w C:\Program Files\Firefox Setup 2.0.exe
2006-10-15 23:00 563,712 ----a-w C:\Documents and Settings\Administrator\gotomypc_370.exe
2006-07-17 09:30 5,837,777 ----a-w C:\Program Files\BitTorrent-4.20.4.exe
2006-01-17 01:02 4,860,993 ----a-w C:\Program Files\Ebay Sniper.exe
2005-12-05 14:15 19,025,408 ----a-w C:\Program Files\Common Files\TaxWise Workstation.msi
2004-09-08 21:50 7,817,710 ----a-w C:\Program Files\McAfee.zip
2004-03-04 16:00 3,662,787 ----a-w C:\Program Files\spybot.exe
2003-10-22 17:52 3,120,360 -c--a-w C:\Program Files\Install_AIM.exe
2003-10-19 18:37 7,303,273 -c--a-w C:\Program Files\win2k_xp1332.exe
2003-10-18 22:50 16,251,072 -c--a-w C:\Program Files\AdbeRdr60_enu_full.exe
2003-08-24 23:54 2,274,850 -c--a-w C:\Program Files\1021_drivers_v2.exe
2002-12-10 10:47 271 --sh--w C:\Program Files\desktop.ini
2002-12-10 10:47 21,952 -c-ha-w C:\Program Files\folder.htt
1997-06-12 22:07 9,888 ----a-w C:\Documents and Settings\Administrator\RADIO.SCR
1997-06-12 15:01 1,465,911 ----a-w C:\Documents and Settings\Administrator\PROJCTOR.EXE
.
((((((((((((((((((((((((((((( snapshot_2007-09-21_221548.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-09 13:16:16 582,656 ----a-w C:\WINDOWS\$hf_mig$\KB933729\SP2QFE\rpcrt4.dll
+ 2007-06-19 07:24:36 350,720 ----a-w C:\WINDOWS\$hf_mig$\KB933729\SP2QFE\xpsp3res.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB933729\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB933729\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB933729\update\spcustom.dll
+ 2005-10-12 23:12:28 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB933729\update\update.exe
+ 2005-10-12 23:12:33 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB933729\update\updspapi.dll
+ 2007-08-22 12:55:28 1,022,976 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\browseui.dll
+ 2007-08-22 12:55:29 151,040 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\cdfview.dll
+ 2007-08-22 12:55:30 1,054,208 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\danim.dll
+ 2007-08-22 12:55:30 357,888 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\dxtmsft.dll
+ 2007-08-22 12:55:31 205,824 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\dxtrans.dll
+ 2007-08-22 12:55:31 55,808 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\extmgr.dll
+ 2007-08-21 10:19:39 18,432 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\iedw.exe
+ 2007-08-22 12:55:32 251,904 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\iepeers.dll
+ 2007-08-22 12:55:32 96,256 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\inseng.dll
+ 2007-08-22 12:55:32 16,384 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\jsproxy.dll
+ 2007-08-22 12:55:36 3,064,832 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\mshtml.dll
+ 2007-08-22 12:55:37 449,024 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\mshtmled.dll
+ 2007-08-22 12:55:37 146,432 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\msrating.dll
+ 2007-08-22 12:55:38 532,480 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\mstime.dll
+ 2007-08-22 12:55:38 39,424 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\pngfilt.dll
+ 2007-08-22 12:55:40 1,498,112 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\shdocvw.dll
+ 2007-08-22 12:55:41 474,112 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\shlwapi.dll
+ 2007-08-22 12:55:43 617,984 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\urlmon.dll
+ 2007-08-22 12:55:44 665,600 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\wininet.dll
+ 2007-08-21 10:13:33 350,720 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\xpsp3res.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB939653\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB939653\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB939653\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB939653\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB939653\update\updspapi.dll
+ 2007-08-21 06:25:02 683,520 ----a-w C:\WINDOWS\$hf_mig$\KB941202\SP2QFE\inetcomm.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941202\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941202\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\updspapi.dll
+ 2004-08-04 07:56:44 581,120 -c----w C:\WINDOWS\$NtUninstallKB933729$\rpcrt4.dll
+ 2005-10-12 23:12:26 213,216 -c----w C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe
+ 2005-10-12 23:12:33 371,424 -c----w C:\WINDOWS\$NtUninstallKB933729$\spuninst\updspapi.dll
+ 2007-06-14 18:09:18 1,023,488 -c----w C:\WINDOWS\$NtUninstallKB939653$\browseui.dll
+ 2007-06-14 18:09:18 151,040 -c----w C:\WINDOWS\$NtUninstallKB939653$\cdfview.dll
+ 2007-06-14 18:09:18 1,054,208 -c----w C:\WINDOWS\$NtUninstallKB939653$\danim.dll
+ 2007-06-14 18:09:18 357,888 -c----w C:\WINDOWS\$NtUninstallKB939653$\dxtmsft.dll
+ 2007-06-14 18:09:19 205,312 -c----w C:\WINDOWS\$NtUninstallKB939653$\dxtrans.dll
+ 2007-06-14 18:09:19 55,808 -c----w C:\WINDOWS\$NtUninstallKB939653$\extmgr.dll
+ 2007-06-14 14:07:24 18,432 -c----w C:\WINDOWS\$NtUninstallKB939653$\iedw.exe
+ 2007-06-14 18:09:19 251,392 -c----w C:\WINDOWS\$NtUninstallKB939653$\iepeers.dll
+ 2007-06-14 18:09:19 96,256 -c----w C:\WINDOWS\$NtUninstallKB939653$\inseng.dll
+ 2007-06-14 18:09:19 16,384 -c----w C:\WINDOWS\$NtUninstallKB939653$\jsproxy.dll
+ 2007-06-14 18:09:20 3,058,688 -c----w C:\WINDOWS\$NtUninstallKB939653$\mshtml.dll
+ 2007-06-14 18:09:19 449,024 -c----w C:\WINDOWS\$NtUninstallKB939653$\mshtmled.dll
+ 2007-06-14 18:09:19 146,432 -c----w C:\WINDOWS\$NtUninstallKB939653$\msrating.dll
+ 2007-06-14 18:09:20 532,480 -c----w C:\WINDOWS\$NtUninstallKB939653$\mstime.dll
+ 2007-06-14 18:09:20 39,424 -c----w C:\WINDOWS\$NtUninstallKB939653$\pngfilt.dll
+ 2007-06-14 18:09:20 1,494,528 -c----w C:\WINDOWS\$NtUninstallKB939653$\shdocvw.dll
+ 2007-06-14 18:09:20 474,112 -c----w C:\WINDOWS\$NtUninstallKB939653$\shlwapi.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\$NtUninstallKB939653$\spuninst\updspapi.dll
+ 2007-06-14 18:09:20 615,424 -c----w C:\WINDOWS\$NtUninstallKB939653$\urlmon.dll
+ 2007-06-26 14:09:10 658,944 -c----w C:\WINDOWS\$NtUninstallKB939653$\wininet.dll
+ 2007-06-14 13:39:54 115,712 -c----w C:\WINDOWS\$NtUninstallKB939653$\xpsp3res.dll
+ 2007-05-16 15:12:02 683,520 -c----w C:\WINDOWS\$NtUninstallKB941202$\inetcomm.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\$NtUninstallKB941202$\spuninst\updspapi.dll
- 2007-07-20 05:47:22 109,056 ----a-w C:\WINDOWS\catchme.exe
+ 2007-09-28 14:06:08 135,168 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-03 03:03:15 102,400 ----a-r C:\WINDOWS\Installer\{B045B608-4A47-4C77-9EAD-06C394503306}\iTunesIco.exe
+ 2007-10-03 02:37:08 27,136 ----a-r C:\WINDOWS\Installer\{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}\AppleSoftwareUpdateIco.exe
- 2005-12-05 08:36:42 11,563 ----a-w C:\WINDOWS\mozver.dat
+ 2007-09-22 21:23:16 12,163 ----a-w C:\WINDOWS\mozver.dat
+ 2007-08-22 13:12:15 1,022,976 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\browseui.dll
+ 2007-08-22 13:12:15 151,040 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\cdfview.dll
+ 2007-08-22 13:12:16 1,054,208 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\danim.dll
+ 2007-08-22 13:12:16 357,888 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\dxtmsft.dll
+ 2007-08-22 13:12:16 205,312 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\dxtrans.dll
+ 2007-08-22 13:12:16 55,808 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\extmgr.dll
+ 2007-08-21 10:30:45 18,432 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\iedw.exe
+ 2007-08-22 13:12:16 251,392 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\iepeers.dll
+ 2007-08-22 13:12:16 96,256 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\inseng.dll
+ 2007-08-22 13:12:16 16,384 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\jsproxy.dll
+ 2007-08-22 13:12:17 3,058,176 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\mshtml.dll
+ 2007-08-22 13:12:17 449,024 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\mshtmled.dll
+ 2007-08-22 13:12:17 146,432 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\msrating.dll
+ 2007-08-22 13:12:17 532,480 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\mstime.dll
+ 2007-08-22 13:12:17 39,424 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\pngfilt.dll
+ 2007-08-22 13:12:18 1,494,528 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\shdocvw.dll
+ 2007-08-22 13:12:18 474,112 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\shlwapi.dll
+ 2007-08-22 13:12:18 615,424 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\urlmon.dll
+ 2007-08-22 13:12:18 658,944 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\wininet.dll
+ 2007-08-21 10:20:02 115,712 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\xpsp3res.dll
+ 2007-08-22 12:55:28 1,022,976 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\browseui.dll
+ 2007-08-22 12:55:29 151,040 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\cdfview.dll
+ 2007-08-22 12:55:30 1,054,208 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\danim.dll
+ 2007-08-22 12:55:30 357,888 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\dxtmsft.dll
+ 2007-08-22 12:55:31 205,824 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\dxtrans.dll
+ 2007-08-22 12:55:31 55,808 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\extmgr.dll
+ 2007-08-21 10:19:39 18,432 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\iedw.exe
+ 2007-08-22 12:55:32 251,904 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\iepeers.dll
+ 2007-08-22 12:55:32 96,256 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\inseng.dll
+ 2007-08-22 12:55:32 16,384 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\jsproxy.dll
+ 2007-08-22 12:55:36 3,064,832 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\mshtml.dll
+ 2007-08-22 12:55:37 449,024 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\mshtmled.dll
+ 2007-08-22 12:55:37 146,432 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\msrating.dll
+ 2007-08-22 12:55:38 532,480 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\mstime.dll
+ 2007-08-22 12:55:38 39,424 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\pngfilt.dll
+ 2007-08-22 12:55:40 1,498,112 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\shdocvw.dll
+ 2007-08-22 12:55:41 474,112 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\shlwapi.dll
+ 2007-08-22 12:55:43 617,984 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\urlmon.dll
+ 2007-08-22 12:55:44 665,600 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\wininet.dll
+ 2007-08-21 10:13:33 350,720 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\xpsp3res.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\update\updspapi.dll
+ 2007-07-09 13:09:42 584,192 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2GDR\rpcrt4.dll
+ 2007-06-13 06:53:14 115,712 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2GDR\xpsp3res.dll
+ 2007-07-09 13:16:16 582,656 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2QFE\rpcrt4.dll
+ 2007-06-19 07:24:36 350,720 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2QFE\xpsp3res.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\update\spcustom.dll
+ 2005-10-12 23:12:28 716,000 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\update\update.exe
+ 2005-10-12 23:12:33 371,424 ----a-w C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\update\updspapi.dll
+ 2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\sp2gdr\inetcomm.dll
+ 2007-08-21 06:25:02 683,520 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\sp2qfe\inetcomm.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\update\updspapi.dll
- 2007-06-14 18:09:18 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2007-08-22 13:12:15 1,022,976 ----a-w C:\WINDOWS\system32\browseui.dll
- 2007-06-14 18:09:18 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2007-08-22 13:12:15 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2007-06-14 18:09:18 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2007-08-22 13:12:16 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2007-06-14 18:09:18 1,023,488 -c----w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2007-08-22 13:12:15 1,022,976 -c----w C:\WINDOWS\system32\dllcache\browseui.dll
- 2007-06-14 18:09:18 151,040 -c----w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2007-08-22 13:12:15 151,040 -c----w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2007-06-14 18:09:18 1,054,208 -c----w C:\WINDOWS\system32\dllcache\danim.dll
+ 2007-08-22 13:12:16 1,054,208 -c----w C:\WINDOWS\system32\dllcache\danim.dll
- 2007-06-14 18:09:18 357,888 -c----w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2007-08-22 13:12:16 357,888 -c----w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-06-14 18:09:19 205,312 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-08-22 13:12:16 205,312 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-06-14 18:09:19 55,808 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-08-22 13:12:16 55,808 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-06-14 14:07:24 18,432 -c----w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2007-08-21 10:30:45 18,432 -c----w C:\WINDOWS\system32\dllcache\iedw.exe
- 2007-06-14 18:09:19 251,392 -c----w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2007-08-22 13:12:16 251,392 -c----w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2007-05-16 15:12:02 683,520 -c----w C:\WINDOWS\system32\dllcache\inetcomm.dll
+ 2007-08-21 06:15:44 683,520 -c----w C:\WINDOWS\system32\dllcache\inetcomm.dll
- 2007-06-14 18:09:19 96,256 -c----w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2007-08-22 13:12:16 96,256 -c----w C:\WINDOWS\system32\dllcache\inseng.dll
- 2007-06-14 18:09:19 16,384 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-08-22 13:12:16 16,384 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-06-14 18:09:20 3,058,688 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-08-22 13:12:17 3,058,176 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-06-14 18:09:19 449,024 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-08-22 13:12:17 449,024 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-06-14 18:09:19 146,432 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-08-22 13:12:17 146,432 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-06-14 18:09:20 532,480 -c----w
rocket1981
2007-10-14, 02:37
the last part . . .
C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-08-22 13:12:17 532,480 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-06-14 18:09:20 39,424 -c----w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2007-08-22 13:12:17 39,424 -c----w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-06-14 18:09:20 1,494,528 -c----w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2007-08-22 13:12:18 1,494,528 -c----w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2007-06-14 18:09:20 474,112 -c----w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2007-08-22 13:12:18 474,112 -c----w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2007-06-14 18:09:20 615,424 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-08-22 13:12:18 615,424 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-06-26 14:09:10 658,944 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-08-22 13:12:18 658,944 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
- 2005-03-07 16:52:48 14,408 ----a-w C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
+ 2006-09-19 19:44:04 15,664 ----a-w C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
+ 2007-09-06 18:28:16 30,336 -c--a-w C:\WINDOWS\system32\DRVSTORE\usbaapl_A65621D65F5B7507DD7B22331826547BDD2D206B\usbaapl.sys
- 2007-06-14 18:09:18 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2007-08-22 13:12:16 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-06-14 18:09:19 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-08-22 13:12:16 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-06-14 18:09:19 55,808 ------w C:\WINDOWS\system32\extmgr.dll
+ 2007-08-22 13:12:16 55,808 ------w C:\WINDOWS\system32\extmgr.dll
- 2005-05-31 16:20:36 79,432 ----a-w C:\WINDOWS\system32\GEARAspi.dll
+ 2006-10-04 00:47:52 109,360 ----a-w C:\WINDOWS\system32\GEARAspi.dll
- 2007-06-14 18:09:19 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2007-08-22 13:12:16 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
+ 2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
- 2007-06-14 18:09:19 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2007-08-22 13:12:16 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2003-02-20 21:42:34 24,677 ------w C:\WINDOWS\system32\java.exe
+ 2007-07-12 06:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2003-02-20 21:42:34 28,775 ------w C:\WINDOWS\system32\javaw.exe
+ 2007-07-12 06:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-07-12 07:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2007-06-14 18:09:19 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-08-22 13:12:16 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2007-09-06 02:50:42 17,474,680 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-09-28 05:19:39 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-06-14 18:09:20 3,058,688 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-08-22 13:12:17 3,058,176 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-06-14 18:09:19 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-08-22 13:12:17 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-06-14 18:09:19 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-08-22 13:12:17 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-06-14 18:09:20 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-08-22 13:12:17 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-06-14 18:09:20 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2007-08-22 13:12:17 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2004-08-04 07:56:44 581,120 ----a-w C:\WINDOWS\system32\rpcrt4.dll
+ 2007-07-09 13:09:42 584,192 ----a-w C:\WINDOWS\system32\rpcrt4.dll
- 2007-06-14 18:09:20 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2007-08-22 13:12:18 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2007-06-14 18:09:20 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2007-08-22 13:12:18 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2007-03-06 01:22:36 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2005-10-12 23:12:25 14,048 ------w C:\WINDOWS\system32\spmsg.dll
- 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-10-05 15:07:31 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
- 2007-06-14 18:09:20 615,424 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-08-22 13:12:18 615,424 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-06-26 14:09:10 658,944 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-08-22 13:12:18 658,944 ----a-w C:\WINDOWS\system32\wininet.dll
- 2007-06-14 13:39:54 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-08-21 10:20:02 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2006-12-02 03:54:32 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 03:54:34 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 03:54:32 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
-- Snapshot reset to current date --
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{971D5B7B-F7DF-43ee-B771-6B7FA09975C3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 11:51]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 11:55]
"PCTVOICE"="pctspk.exe" [2003-02-24 15:35 C:\WINDOWS\system32\pctspk.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-27 17:47]
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [2003-07-31 02:52]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 19:49]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"=0 (0x0)
"NoSetActiveDesktop"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"NoLogoff"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"EnforceShellExtensionSecurity"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoPrinterTabs"=0 (0x0)
"Btn_Back"=0 (0x0)
"Btn_Forward"=0 (0x0)
"Btn_Stop"=0 (0x0)
"Btn_Refresh"=0 (0x0)
"Btn_Home"=0 (0x0)
"Btn_Search"=0 (0x0)
"Btn_History"=0 (0x0)
"Btn_Favorites"=0 (0x0)
"Btn_Media"=0 (0x0)
"Btn_Folders"=0 (0x0)
"Btn_Fullscreen"=0 (0x0)
"Btn_Tools"=0 (0x0)
"Btn_MailNews"=0 (0x0)
"Btn_Size"=0 (0x0)
"Btn_Print"=0 (0x0)
"Btn_Edit"=0 (0x0)
"Btn_Discussions"=0 (0x0)
"Btn_Cut"=0 (0x0)
"Btn_Copy"=0 (0x0)
"Btn_Paste"=0 (0x0)
"Btn_Encoding"=0 (0x0)
"Btn_PrintPreview"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"= {78B56EFA-BF84-4E7E-B973-4E334128252A} - C:\WINDOWS\system32\system32.dll [ ]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"updater"=C:\Program Files\Common files\updater\wupdater.exe
"DeviceDiscovery"=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
"PCTVOICE"=pctspk.exe
R0 IABFilt;Iomega Snapshot Volume Filter;C:\WINDOWS\system32\DRIVERS\IABFilt.sys
R1 nipplpt;Novell iCapture Lpt Redirector;C:\WINDOWS\system32\drivers\nipplpt.sys
R3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\System32\AWINDIS5.SYS
R3 BOCDRIVE;BOClean Kernel Monitor.;\??\C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys
S3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\system32\drivers\Vch.sys
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS
S3 LSWPCv4;Wireless-B Notebook Adapter Driver;C:\WINDOWS\system32\DRIVERS\rtl8180.sys
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;C:\WINDOWS\system32\DRIVERS\wg511nd5.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-03 02:37:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-08-22 15:14:21 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet5100#MY39O3P6VH7A.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-13 18:16:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-10-13 18:27:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-21 22:17
C:\ComboFix2.txt ... 2007-09-21 22:18
.
Hi, we'll continue...
I see parts of AceSpy surveillance program on the pc. I'll assume that you haven't installed this program on purpose. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.
Open notepad and copy/paste the text in the quotebox below into it:
Folder::
C:\Program Files\Common files\updater
File::
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\tcprp.dll
C:\WINDOWS\system32\sipov.dll
C:\WINDOWS\system32\ntkrpamp.exe
C:\WINDOWS\system32\ntkrnlmp.exe
C:\WINDOWS\system32\system32.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{971D5B7B-F7DF-43ee-B771-6B7FA09975C3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"updater"=-
Save this as "CFScript"
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
rocket1981
2007-10-15, 07:18
That's troubling. Here's the combofix.txt file:
ComboFix 07-10-12.4 - Administrator 2007-10-14 22:49:48.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.90 [GMT -5:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\CFScript.txt
FILE::
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\ntkrnlmp.exe
C:\WINDOWS\system32\ntkrpamp.exe
C:\WINDOWS\system32\sipov.dll
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\system32.dll
C:\WINDOWS\system32\tcprp.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\ntkrnlmp.exe
C:\WINDOWS\system32\ntkrpamp.exe
C:\WINDOWS\system32\sipov.dll
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\tcprp.dll
.
((((((((((((((((((((((((( Files Created from 2007-09-15 to 2007-10-15 )))))))))))))))))))))))))))))))
.
2007-10-09 22:02 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-08 21:51 21,312 --a------ C:\WINDOWS\choice.exe
2007-10-08 21:50 <DIR> d----c--- C:\ie-spyad
2007-10-08 21:49 536,811 --a------ C:\ie-spyad.exe
2007-10-08 21:47 <DIR> d-------- C:\Program Files\Comodo
2007-10-08 21:47 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\BOC425
2007-10-08 21:47 235,008 --a------ C:\WINDOWS\UNBOC.EXE
2007-10-08 21:47 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2007-10-08 21:46 1,284,112 --a------ C:\CBO_Setup_4.25.exe
2007-10-08 21:16 <DIR> d-------- C:\SmitfraudFix
2007-10-08 20:56 2,692 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-08 20:52 <DIR> d-------- C:\Program Files\JustZIPit
2007-10-08 20:52 381,952 --a------ C:\justzipit.exe
2007-10-05 22:23 <DIR> d-------- C:\Documents and Settings\Administrator\Shared
2007-10-05 22:23 <DIR> d-------- C:\Documents and Settings\Administrator\Incomplete
2007-10-05 22:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2007-10-05 22:02 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-05 22:01 <DIR> d-------- C:\Program Files\LimeWire
2007-10-05 22:00 3,380,048 --a------ C:\LimeWireWin.exe
2007-10-02 21:36 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-02 21:34 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-02 21:33 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-02 21:32 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2007-10-02 21:24 51,422,520 --a------ C:\iTunes743Setup.exe
2007-09-21 22:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-09-21 22:52 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2007-09-21 22:52 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-21 22:50 12,413,440 --a------ C:\avgas-setup-7.5.1.43.exe
2007-09-21 21:55 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-21 21:54 1,522,217 --a------ C:\ComboFix.exe
2007-09-21 21:48 <DIR> d----c--- C:\VundoFix Backups
2007-09-21 21:48 113,664 --a------ C:\VundoFix.exe
2007-09-21 21:35 812,344 --a------ C:\HJTInstall.exe
2007-09-21 21:27 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-09-21 21:26 2,566,736 --a------ C:\spywareblastersetup351.exe
2007-09-21 19:57 108,808 --a------ C:\spybotsd_tcpip.exe
2007-09-21 19:53 126,648 --a--c--- C:\TCPIPAddress.dll
2007-09-21 19:25 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-21 19:25 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2007-09-20 22:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2007-09-20 22:25 486,449 --a------ C:\Fixwareout.exe
2007-09-20 22:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-20 22:20 19,142,000 --a------ C:\aaw2007.exe
2007-09-17 21:44 <DIR> d-------- C:\WINDOWS\system32\acespy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-14 00:27 --------- d-----w C:\Program Files\BitTorrent
2007-10-10 12:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\BitTorrent
2007-10-06 03:09 --------- d-----w C:\Program Files\Java
2007-10-03 03:00 --------- d-----w C:\Program Files\iTunes
2007-10-03 02:59 --------- d-----w C:\Program Files\iPod
2007-10-03 02:47 --------- d-----w C:\Program Files\QuickTime
2007-10-03 02:44 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2007-09-22 02:35 --------- d-----w C:\Program Files\Trend Micro
2007-09-22 00:52 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-09-21 03:38 --------- d-----w C:\Program Files\Lavasoft
2007-09-12 01:31 5,037,072 ----a-w C:\spybotsd14.exe
2007-09-09 16:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Viewpoint
2007-02-01 11:14 722,176 ----a-w C:\Documents and Settings\Administrator\gotomypc_428.exe
2006-12-19 01:57 5,900,416 ----a-w C:\Program Files\Firefox Setup 2.0.exe
2006-10-15 23:00 563,712 ----a-w C:\Documents and Settings\Administrator\gotomypc_370.exe
2006-07-17 09:30 5,837,777 ----a-w C:\Program Files\BitTorrent-4.20.4.exe
2006-01-17 01:02 4,860,993 ----a-w C:\Program Files\Ebay Sniper.exe
2005-12-05 14:15 19,025,408 ----a-w C:\Program Files\Common Files\TaxWise Workstation.msi
2004-09-08 21:50 7,817,710 ----a-w C:\Program Files\McAfee.zip
2004-03-04 16:00 3,662,787 ----a-w C:\Program Files\spybot.exe
2003-10-22 17:52 3,120,360 -c--a-w C:\Program Files\Install_AIM.exe
2003-10-19 18:37 7,303,273 -c--a-w C:\Program Files\win2k_xp1332.exe
2003-10-18 22:50 16,251,072 -c--a-w C:\Program Files\AdbeRdr60_enu_full.exe
2003-08-24 23:54 2,274,850 -c--a-w C:\Program Files\1021_drivers_v2.exe
2002-12-10 10:47 271 --sh--w C:\Program Files\desktop.ini
2002-12-10 10:47 21,952 -c-ha-w C:\Program Files\folder.htt
1997-06-12 22:07 9,888 ----a-w C:\Documents and Settings\Administrator\RADIO.SCR
1997-06-12 15:01 1,465,911 ----a-w C:\Documents and Settings\Administrator\PROJCTOR.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 11:51]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 11:55]
"PCTVOICE"="pctspk.exe" [2003-02-24 15:35 C:\WINDOWS\system32\pctspk.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-27 17:47]
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [2003-07-31 02:52]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 19:49]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"=0 (0x0)
"NoSetActiveDesktop"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"NoLogoff"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"EnforceShellExtensionSecurity"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoPrinterTabs"=0 (0x0)
"Btn_Back"=0 (0x0)
"Btn_Forward"=0 (0x0)
"Btn_Stop"=0 (0x0)
"Btn_Refresh"=0 (0x0)
"Btn_Home"=0 (0x0)
"Btn_Search"=0 (0x0)
"Btn_History"=0 (0x0)
"Btn_Favorites"=0 (0x0)
"Btn_Media"=0 (0x0)
"Btn_Folders"=0 (0x0)
"Btn_Fullscreen"=0 (0x0)
"Btn_Tools"=0 (0x0)
"Btn_MailNews"=0 (0x0)
"Btn_Size"=0 (0x0)
"Btn_Print"=0 (0x0)
"Btn_Edit"=0 (0x0)
"Btn_Discussions"=0 (0x0)
"Btn_Cut"=0 (0x0)
"Btn_Copy"=0 (0x0)
"Btn_Paste"=0 (0x0)
"Btn_Encoding"=0 (0x0)
"Btn_PrintPreview"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"DeviceDiscovery"=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
"PCTVOICE"=pctspk.exe
R0 IABFilt;Iomega Snapshot Volume Filter;C:\WINDOWS\system32\DRIVERS\IABFilt.sys
R1 nipplpt;Novell iCapture Lpt Redirector;C:\WINDOWS\system32\drivers\nipplpt.sys
R3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\System32\AWINDIS5.SYS
R3 BOCDRIVE;BOClean Kernel Monitor.;\??\C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS
S3 LSWPCv4;Wireless-B Notebook Adapter Driver;C:\WINDOWS\system32\DRIVERS\rtl8180.sys
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;C:\WINDOWS\system32\DRIVERS\wg511nd5.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-03 02:37:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-08-22 15:14:21 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet5100#MY39O3P6VH7A.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-14 23:03:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-10-14 23:11:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-21 22:17
C:\ComboFix2.txt ... 2007-10-13 18:27
C:\ComboFix3.txt ... 2007-09-21 22:18
.
--- E O F ---
rocket1981
2007-10-15, 07:46
Here is my new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:40 PM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = news.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: metaspinner GmbH - {7C7A8947-5935-4430-AC0E-E7D04697414E} - C:\PROGRA~1\BUYERT~1\IEBUTT~1.DLL (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138401221257
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 5890 bytes
Hi again, we'll continue :)
You should print these instructions or save these to a text file. Follow these instructions carefully.
Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list. Fix the O6 entries too if you haven't locked Internet Explorer settings on purpose.
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: metaspinner GmbH - {7C7A8947-5935-4430-AC0E-E7D04697414E} - C:\PROGRA~1\BUYERT~1\IEBUTT~1.DLL (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log
Also please let me know how the pc is running :bigthumb:
rocket1981
2007-10-16, 08:58
Thanks to you, my pc is running much better! Your help has been invaluable. Here's my DrWeb log:
115648724;C:\;Trojan.Spambot;Deleted.;
119253257;C:\;Trojan.Spambot;Deleted.;
122854575;C:\;Trojan.Spambot;Deleted.;
126457275;C:\;Trojan.Spambot;Deleted.;
130058103;C:\;Trojan.Spambot;Deleted.;
133658961;C:\;Trojan.Spambot;Deleted.;
137259869;C:\;Trojan.Spambot;Deleted.;
140862389;C:\;Trojan.Spambot;Deleted.;
144463287;C:\;Trojan.Spambot;Deleted.;
148064525;C:\;Trojan.Spambot;Deleted.;
151665803;C:\;Trojan.Spambot;Deleted.;
155267793;C:\;Trojan.Spambot;Deleted.;
setup.exe;C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL Downloads\SUD4131;Probably BACKDOOR.Trojan;Incurable.Moved.;
inst.exe;C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;Incurable.Moved.;
fwdrv.sys.vir;C:\qoobox\Quarantine\C;Trojan.Spambot.2447;Deleted.;
ntkrnlpa.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Spambot.2452;Cured.;
ntoskrnl.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Spambot.2452;Cured.;
oembios32.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Fakealert.338;Deleted.;
sipov.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.PWS.School;Deleted.;
tcprp.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.PWS.School;Deleted.;
f02WtR1065.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32\f02WtR;Trojan.DownLoader.24715;Deleted.;
Process.exe;C:\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
A0610210.exe;C:\System Volume Information\_restore{F3160898-1F47-4C12-AFDC-FE55150B047A}\RP1034;POLY!CRYPT - decompression error;Deleted.;
A0612223.exe;C:\System Volume Information\_restore{F3160898-1F47-4C12-AFDC-FE55150B047A}\RP1034;Trojan.DownLoader.30343;Deleted.;
A0615223.exe;C:\System Volume Information\_restore{F3160898-1F47-4C12-AFDC-FE55150B047A}\RP1035;POLY!CRYPT - decompression error;Deleted.;
A0620737.exe;C:\System Volume Information\_restore{F3160898-1F47-4C12-AFDC-FE55150B047A}\RP1037;Trojan.DownLoader.24715;Deleted.;
A0620741.sys;C:\System Volume Information\_restore{F3160898-1F47-4C12-AFDC-FE55150B047A}\RP1037;Trojan.Spambot.2447;Deleted.;
A0620784.dll;C:\System Volume Information\_restore{F3160898-1F47-4C12-AFDC-FE55150B047A}\RP1037;Trojan.Fakealert.338;Deleted.;
A0620791.exe;C:\System Volume Information\_restore{F3160898-1F47-4C12-AFDC-FE55150B047A}\RP1037;Trojan.Spambot.2452;Cured.;
A0620792.exe;C:\System Volume Information\_restore{F3160898-1F47-4C12-AFDC-FE55150B047A}\RP1037;Trojan.Spambot.2452;Cured.;
A0631015.exe;C:\System Volume Information\_restore{F3160898-1F47-4C12-AFDC-FE55150B047A}\RP1042;Tool.Prockill;Incurable.Moved.;
A0634211.dll;C:\System Volume Information\_restore{F3160898-1F47-4C12-AFDC-FE55150B047A}\RP1047;Trojan.Fakealert.338;Deleted.;
A0635238.dll;C:\System Volume Information\_restore{F3160898-1F47-4C12-AFDC-FE55150B047A}\RP1048;Trojan.PWS.School;Deleted.;
A0635239.dll;C:\System Volume Information\_restore{F3160898-1F47-4C12-AFDC-FE55150B047A}\RP1048;Trojan.PWS.School;Deleted.;
iprntcmd.exe;C:\WINDOWS\system32;Tool.Sqlscan.origin;Incurable.Moved.;
And here's my new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:52 AM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = news.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138401221257
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 5499 bytes
Ok look very good now.
You don't seem to have a third-party firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) installed. You must install one firewall.
It is possible that you're using the Windows XP firewall. That is of course better than nothing but I recommend that you install a more advanced firewall that gives more protection. Windows firewall doesn't eg protect your computer from inbound threats. This means that any malware on your computer is free to "phone home" for more instructions. Remember to use only one firewall at the same time. I'll give you a few alternatives if you want to install a third-party firewall:
These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
Comodo (http://www.personalfirewall.comodo.com)
You don't have an antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) on your computer, you must install one antivirus. Otherwise you'll get infected again.
These are good (free) antiviruses: AVG (http://free.grisoft.com)
Antivir (http://www.free-av.com)
Avast (http://www.avast.com)
Also one or more of the identified infections may have stolen information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.
Post a one more HijackThis log after you've installed antivirus & firewall. :bigthumb:
rocket1981, due to lack of a response to your helper, this topic has been archived.
If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.