Winlogon



Plutonus
2007-10-14, 11:25
Lately winlogon has been shutting itself down (so I need to restart) and McAfee has been blocking winlogon.exe from sending emails, so there may be a problem.

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:36:22 PM, on 14/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
E:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
e:\program files\common files\mcafee\mna\mcnasvc.exe
E:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
E:\PROGRA~1\McAfee\MSC\mcpromgr.exe
e:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
e:\PROGRA~1\mcafee.com\agent\mcagent.exe
E:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
E:\Program Files\McAfee\MPF\MPFSrv.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\wdfmgr.exe
e:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
E:\Program Files\ASUS\Asus Probe\AsusProb.exe
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Apps\Winamp\winampa.exe
E:\WINDOWS\LOGI_MWX.EXE
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
E:\WINDOWS\system32\wscntfy.exe
C:\Apps\D-Tools\daemon.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Games\Steam\Steam.exe
E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
E:\WINDOWS\System32\alg.exe
E:\Program Files\Logitech\SetPoint\KEM.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
E:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\Program Files\MSN Messenger\usnsvc.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\Apps\Winamp\winamp.exe
E:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
E:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Apps\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {6EA3996D-C362-430E-BC84-88FDB3D53510} - e:\windows\system32\adsldpcl.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - e:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C9FD9808-DD6B-4854-B5E2-DB9BFEDCE5C2} - E:\WINDOWS\system32\dbmsvinnl.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [ASUS Probe] E:\Program Files\ASUS\Asus Probe\AsusProb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Apps\Winamp\winampa.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Apps\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Apps\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTSyncU.exe] "E:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Steam] "C:\Games\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190284954735
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190285765076
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: hfgjwjqe - E:\WINDOWS\SYSTEM32\adsldpcl.dll
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - E:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - E:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - E:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - E:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - e:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - E:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - e:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - E:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Apps\Nero 7\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10077 bytes

If you need the Kaspersky log let me know... I was 3 hours/75% into the scan when the computer crashed and I just gave up then and decided to start doing things again.

Thanks!!
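
Added here as a triage aid and not part of the thread: a small Python script that parses HijackThis-style lines (the O2 BHO and O20 Winlogon Notify entries from the log above are embedded as a constructed sample) and flags unnamed BHOs that still have a module on disk, Winlogon Notify handlers outside a stock Windows XP allowlist, and any module registered under both, since such a DLL runs inside both Internet Explorer and winlogon.exe. The allowlist and the vowel-ratio rule of thumb are assumptions of this example, not anything the thread states.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis-style lines taken from the log posted in this
# thread, plus a named BHO for contrast. Raw string, so the backslashes stay.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Apps\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {6EA3996D-C362-430E-BC84-88FDB3D53510} - e:\windows\system32\adsldpcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C9FD9808-DD6B-4854-B5E2-DB9BFEDCE5C2} - E:\WINDOWS\system32\dbmsvinnl.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - Winlogon Notify: hfgjwjqe - E:\WINDOWS\SYSTEM32\adsldpcl.dll
"""

# Default Winlogon\Notify subkeys on a stock Windows XP install (assumed
# allowlist; extend it with whatever your own baseline image registers).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def looks_random(token: str) -> bool:
    """Rule of thumb, not a classifier: an all-letter token of six or more
    characters with fewer than one vowel in four is treated as machine-generated."""
    t = token.lower()
    if not t.isalpha() or len(t) < 6:
        return False
    return sum(c in "aeiou" for c in t) / len(t) < 0.25


def triage(log_text: str) -> list[dict]:
    """Return one finding per autostart entry that deserves a human look."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section == "O2":
            b = BHO_RE.match(rest)
            if not b or b["path"] == "(no file)":
                continue  # orphaned CLSID: nothing loads, low priority
            if b["name"] == "(no name)":
                stem = basename(b["path"]).rsplit(".", 1)[0]
                findings.append({
                    "section": section, "module": basename(b["path"]),
                    "severity": "high" if looks_random(stem) else "medium",
                    "reason": "unnamed BHO with a module on disk",
                })
        elif section == "O20":
            n = NOTIFY_RE.match(rest)
            if not n or n["name"].lower() in KNOWN_NOTIFY:
                continue
            findings.append({
                "section": section, "module": basename(n["path"]),
                "severity": "high" if looks_random(n["name"]) else "medium",
                "reason": f"non-default Winlogon Notify handler '{n['name']}'",
            })
    return findings


def shared_modules(findings: list[dict]) -> set[str]:
    """Modules flagged under more than one section: a DLL registered as both a
    BHO and a Winlogon Notify handler runs inside IE and inside winlogon.exe."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["module"]].add(f["section"])
    return {mod for mod, secs in seen.items() if len(secs) > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['severity']:6} {f['section']:4} {f['module']:16} {f['reason']}")
    print("loaded by more than one host:", shared_modules(found))
```

Run against the sample it reports the two unnamed BHO modules and the non-default Notify handler as high, and lists adsldpcl.dll as the one module loaded by both hosts, which is exactly the entry the later SUPERAntiSpyware scan in this thread detected.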

shelf life
2007-10-14, 18:57
hi Plutonus,

let's start with this:
download and run vundofix.exe:

http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

shelf life

Plutonus
2007-10-15, 05:19
Hi shelf life,

Thanks for taking the time to help me out.

Vundofix told me it had not found any infected files and then it closed, producing no log that I could find.

shelf life
2007-10-15, 23:40
hi,

is spybot or mcafee finding anything after a scan?

let's try combofix and see if it can dig up anything:

Please download ComboFix (by sUBs) from one of the following links:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Save it to the Desktop.
Double-click combofix.exe and follow the prompts.

CAUTION: Do not mouse-click ComboFix's window while it is running.
It may cause it to stall.

When finished, it produces a log.

Please provide the contents of the ComboFix log in your reply--

shelf life

Plutonus
2007-10-19, 13:24
Sorry about the late reply...

Combofix Log
ComboFix 07-10-17.8@ - Matt2 2007-10-19 20:17:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.528 [GMT 10:00]
Running from: E:\Documents and Settings\Matt2\My Documents\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-19 to 2007-10-19 )))))))))))))))))))))))))))))))
.

2007-10-19 20:16 51,200 --a------ E:\WINDOWS\NirCmd.exe
2007-10-18 16:28 <DIR> d-------- E:\Program Files\Canon
2007-10-18 16:28 921,600 --a------ E:\WINDOWS\system32\CNAP1NSK.DLL
2007-10-18 16:28 204,800 --a------ E:\WINDOWS\system32\CNAC6EMU.DLL
2007-10-18 16:28 102,453 --a------ E:\WINDOWS\system32\CNAC6SMK.DLL
2007-10-18 16:28 63,168 --a------ E:\WINDOWS\system32\CNAC6RPK.EXE
2007-10-18 16:28 32,821 --a------ E:\WINDOWS\system32\CNAC6LMK.DLL
2007-10-18 16:28 28,672 --a------ E:\WINDOWS\system32\CNAC6PTU.DLL
2007-10-15 12:16 <DIR> d-------- E:\VundoFix Backups
2007-10-14 23:09 <DIR> d--h----- E:\WINDOWS\PIF
2007-10-14 14:39 <DIR> d-------- E:\WINDOWS\system32\Kaspersky Lab
2007-10-14 14:39 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-14 14:36 <DIR> d-------- E:\Program Files\Trend Micro
2007-10-14 13:50 <DIR> d-------- E:\Program Files\Emirates TravelDesk
2007-10-14 10:09 41,728 --a------ E:\WINDOWS\system32\sfnchhtb.dat
2007-10-11 22:40 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-11 22:27 <DIR> d-------- E:\Program Files\McAfee.com
2007-10-11 22:27 <DIR> d-------- E:\Program Files\Common Files\McAfee
2007-10-11 22:27 171,240 --a------ E:\WINDOWS\system32\drivers\mfehidk.sys
2007-10-11 22:27 109,608 --a------ E:\WINDOWS\system32\drivers\Mpfp.sys
2007-10-11 22:27 71,496 --a------ E:\WINDOWS\system32\drivers\mfeavfk.sys
2007-10-11 22:27 37,480 --a------ E:\WINDOWS\system32\drivers\mfesmfk.sys
2007-10-11 22:27 34,184 --a------ E:\WINDOWS\system32\drivers\mfebopk.sys
2007-10-11 22:27 32,008 --a------ E:\WINDOWS\system32\drivers\mferkdk.sys
2007-10-11 22:26 <DIR> d-------- E:\Program Files\McAfee
2007-10-11 22:17 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\McAfee
2007-10-10 15:13 <DIR> d-------- E:\RealityXP
2007-10-08 01:14 1,188,375 --a------ E:\WINDOWS\system32\libeay32.dll
2007-10-08 01:14 246,545 --a------ E:\WINDOWS\system32\libssl32.dll
2007-10-08 01:12 741,632 --a------ E:\WINDOWS\system32\bvfkxilp.dat
2007-10-08 01:12 118,528 --a------ E:\WINDOWS\system32\retaxdtq.dat
2007-10-08 01:12 35,584 --a------ E:\WINDOWS\system32\qwamqwvi.dat
2007-10-08 01:12 34,560 --a------ E:\WINDOWS\system32\adjgpkzw.dat
2007-10-08 01:05 17,792 E:\WINDOWS\system32\drivers\drfupiwj.dat
2007-10-08 01:04 92,160 --a------ E:\WINDOWS\system32\dbmsvinnl.dll
2007-10-08 01:04 80,896 --a------ E:\WINDOWS\system32\adsldpcl.dll
2007-10-07 14:08 737,280 --a------ E:\WINDOWS\iun6002.exe
2007-10-03 23:24 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-03 23:21 <DIR> d-------- E:\Program Files\Bonjour
2007-10-03 23:16 <DIR> d-------- E:\Program Files\Common Files\Macrovision Shared
2007-10-03 19:59 <DIR> d-------- E:\Program Files\SkyTeam Travel Timetable
2007-10-03 16:22 <DIR> d-------- E:\Documents and Settings\Matt2\Application Data\GlobalSCAPE
2007-10-02 11:12 <DIR> d-------- E:\Documents and Settings\Matt2\Application Data\Apple Computer
2007-10-01 20:27 <DIR> d-------- E:\Program Files\Common Files\Adobe Systems Shared
2007-10-01 20:27 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Macrovision
2007-10-01 20:14 159,232 --a------ E:\WINDOWS\system32\ptpusd.dll
2007-10-01 20:14 15,104 --a------ E:\WINDOWS\system32\drivers\usbscan.sys
2007-10-01 20:14 15,104 --a--c--- E:\WINDOWS\system32\dllcache\usbscan.sys
2007-10-01 20:14 5,632 --a------ E:\WINDOWS\system32\ptpusb.dll
2007-09-29 19:36 356,352 --a------ E:\WINDOWS\eSellerateEngine.dll
2007-09-29 19:36 61 ---hs---- E:\WINDOWS\cnerolf.dat
2007-09-29 19:26 <DIR> d-------- E:\Program Files\rcv4
2007-09-29 14:53 <DIR> d-------- E:\Documents and Settings\Matt2\Application Data\Ahead
2007-09-29 14:52 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Ahead
2007-09-29 14:51 <DIR> d-------- E:\Program Files\Common Files\Ahead
2007-09-29 14:51 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Nero
2007-09-27 20:06 <DIR> d-------- E:\Program Files\Common Files\Adobe
2007-09-27 20:06 <DIR> d-------- E:\Documents and Settings\Matt2\Application Data\AdobeUM
2007-09-24 21:25 442,368 -ra------ E:\WINDOWS\system32\vp6vfw.dll
2007-09-24 21:02 <DIR> d-------- E:\Documents and Settings\Matt2\Application Data\Creative
2007-09-23 21:10 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Test Drive Unlimited
2007-09-23 20:57 <DIR> dr-h----- E:\Documents and Settings\Matt2\Application Data\SecuROM
2007-09-23 20:57 108,144 --a------ E:\WINDOWS\system32\CmdLineExt.dll
2007-09-23 20:40 <DIR> d-------- E:\WINDOWS\Downloaded Installations
2007-09-23 20:40 155,136 --a------ E:\WINDOWS\system32\drivers\d347bus.sys
2007-09-23 20:40 5,248 --a------ E:\WINDOWS\system32\drivers\d347prt.sys
2007-09-22 18:23 <DIR> d-------- E:\WINDOWS\Sun
2007-09-22 18:22 <DIR> d-------- E:\Program Files\Java
2007-09-22 18:21 <DIR> d-------- E:\Program Files\Common Files\Java
2007-09-21 23:43 <DIR> d-------- E:\Program Files\Apple Software Update
2007-09-21 23:43 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-21 23:43 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Apple
2007-09-21 19:30 <DIR> d-------- E:\WINDOWS\system32\Lang
2007-09-21 19:30 60,416 --a------ E:\WINDOWS\ALCFDRTM.EXE
2007-09-21 19:22 <DIR> d-------- E:\Documents and Settings\Matt2\Application Data\Logitech
2007-09-21 18:53 <DIR> d--hs---- E:\WINDOWS\ftpcache
2007-09-21 18:52 <DIR> d-------- E:\Program Files\Realtek AC97
2007-09-21 17:48 81,920 -r------- E:\WINDOWS\bwUnin-6.1.4.68-8876480L.exe
2007-09-21 17:47 71,533 --a------ E:\WINDOWS\system32\drivers\LMouKE.Sys
2007-09-21 17:47 54,817 --------- E:\WINDOWS\system32\drivers\L8042MOU.SYS
2007-09-21 17:47 13,105 --------- E:\WINDOWS\system32\drivers\L8042Kbd.SYS
2007-09-21 17:46 38,081 --a------ E:\WINDOWS\system32\drivers\LHidUsbK.sys
2007-09-21 17:46 29,696 --a------ E:\WINDOWS\KHALMNPR.Exe
2007-09-21 17:46 24,637 --a------ E:\WINDOWS\system32\drivers\LHidKE.Sys
2007-09-21 17:46 14,975 --a------ E:\WINDOWS\system32\drivers\LUsbKbd.sys
2007-09-21 17:38 192,512 --a------ E:\WINDOWS\system32\WmJoyFrc.dll
2007-09-21 17:38 46,208 --a------ E:\WINDOWS\system32\drivers\WmXlCore.sys
2007-09-21 17:38 21,632 --a------ E:\WINDOWS\system32\drivers\WmFilter.sys
2007-09-21 17:38 20,864 --a------ E:\WINDOWS\system32\drivers\WmHidLo.sys
2007-09-21 17:38 11,136 --a------ E:\WINDOWS\system32\drivers\WmBEnum.sys
2007-09-21 17:38 6,400 --a------ E:\WINDOWS\system32\drivers\WmVirHid.sys
2007-09-21 17:34 81,920 -r------- E:\WINDOWS\bwUnin-6.1.4.36-8876480L.exe
2007-09-21 17:33 <DIR> d-------- E:\Program Files\Logitech
2007-09-21 17:33 <DIR> d-------- E:\Program Files\Common Files\Logitech
2007-09-21 17:31 <DIR> d-------- E:\Program Files\Winamp
2007-09-21 15:57 32,592 --a------ E:\WINDOWS\system32\msonpmon.dll
2007-09-21 15:56 <DIR> d-------- E:\Program Files\MSBuild
2007-09-21 15:56 <DIR> d-------- E:\Program Files\Microsoft Works
2007-09-21 15:53 <DIR> d-------- E:\WINDOWS\SHELLNEW
2007-09-21 15:53 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Microsoft Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-10 10:18 805 ----a-w E:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-10 10:18 10,740 ----a-w E:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-03 06:22 --------- d--h--w E:\Program Files\InstallShield Installation Information
2007-09-29 09:31 12,400 ----a-w E:\WINDOWS\system32\drivers\secdrv.sys
2007-09-21 08:52 --------- d-----w E:\Program Files\AvRack
2007-09-20 11:33 --------- d-----w E:\Program Files\MSN Messenger
2007-09-20 10:20 --------- d-----w E:\Program Files\Common Files\InstallShield
2007-09-20 09:54 --------- d-----w E:\Program Files\Realtek Sound Manager
2007-09-20 09:35 --------- d-----w E:\Program Files\ASUS
2007-09-20 09:31 --------- d-----w E:\Program Files\Marvell
2007-09-20 09:12 --------- d-----w E:\Program Files\microsoft frontpage
2007-07-30 09:19 92,504 ----a-w E:\WINDOWS\system32\cdm.dll
2007-07-30 09:19 53,080 ----a-w E:\WINDOWS\system32\wuauclt.exe
2007-07-30 09:19 203,096 ----a-w E:\WINDOWS\system32\wuweb.dll
2007-07-30 09:19 1,712,984 ----a-w E:\WINDOWS\system32\wuaueng.dll
2007-07-30 09:18 207,736 ----a-w E:\WINDOWS\system32\muweb.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6EA3996D-C362-430E-BC84-88FDB3D53510}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C9FD9808-DD6B-4854-B5E2-DB9BFEDCE5C2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS Probe"="E:\Program Files\ASUS\Asus Probe\AsusProb.exe" [2002-12-06 16:07]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43]
"nwiz"="nwiz.exe" [2007-06-29 00:43 E:\WINDOWS\system32\nwiz.exe]
"GrooveMonitor"="E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"WinampAgent"="C:\Apps\Winamp\winampa.exe" [2007-05-15 08:22]
"Logitech Utility"="LOGI_MWX.EXE" [2002-11-08 19:50 E:\WINDOWS\LOGI_MWX.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-06-08 12:31 E:\WINDOWS\KHALMNPR.Exe]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 21:42 E:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Apps\QuickTime\qttask.exe" [2007-06-29 06:24]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"DAEMON Tools-1033"="C:\Apps\D-Tools\daemon.exe" [2004-08-22 17:05]
"NeroFilterCheck"="E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43]
"UserFaultCheck"="E:\WINDOWS\system32\dumprep 0 -u" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="E:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 14:32]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56]
"LDM"="E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2007-09-21 17:48]
"Steam"="C:\Games\Steam\Steam.exe" [2007-10-05 22:42]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03]
"SpybotSD TeaTimer"="E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"EBUReboot"=C:\Games\Train Simulator\UNINSTAL.EXE /resetreboot

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-01 20:26:36]
Logitech Desktop Messenger.lnk - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-09-21 17:48:55]
Logitech SetPoint.lnk - E:\Program Files\Logitech\SetPoint\KEM.exe [2007-09-21 17:46:42]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hfgjwjqe]
adsldpcl.dll 2007-10-18 18:49 80896 E:\WINDOWS\system32\adsldpcl.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R0 futhwejw;futhwejw;E:\WINDOWS\system32\drivers\drfupiwj.dat
R2 njhaizau;IPv6 Windows Firewall Monitor;E:\WINDOWS\System32\svchost.exe -k netsvcs
R3 LUsbKbd;Logitech SetPoint USB Keyboard Filter;E:\WINDOWS\system32\Drivers\LUsbKbd.Sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;E:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmFilter;Logitech Gaming HID Filter Driver;E:\WINDOWS\system32\drivers\WmFilter.sys
R3 WmHidLo;Logitech Gaming USB Filter Driver;E:\WINDOWS\system32\drivers\WmHidLo.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;E:\WINDOWS\system32\drivers\WmXlCore.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;E:\WINDOWS\system32\drivers\WmVirHid.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
njhaizau

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-14 15:18:52 E:\WINDOWS\Tasks\McDefragTask.job"
"2007-10-11 12:27:14 E:\WINDOWS\Tasks\McQcTask.job"
- e:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-19 20:21:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-19 20:22:31
.
--- E O F ---


Yes, I have scanned with both McAfee and Spybot recently; all they detect is tracking cookies, which they remove. No change.
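
Added here as an example and not part of the thread: the ComboFix service section above lists a boot-start (R0) driver whose image is a .dat file in the drivers folder, and a service hosted by `svchost.exe -k netsvcs` whose name is also the only entry ComboFix printed under Svchost - NetSvcs. This Python script parses those service lines (embedded as a constructed sample) and flags both patterns against a baseline; the abbreviated netsvcs baseline is an assumption of this example and should be taken from a clean reference install in practice.

```python
import re

# Constructed sample: service lines as ComboFix prints them, copied from the
# log above, with two Logitech drivers kept for contrast.
SAMPLE_SERVICES = r"""
R0 futhwejw;futhwejw;E:\WINDOWS\system32\drivers\drfupiwj.dat
R2 njhaizau;IPv6 Windows Firewall Monitor;E:\WINDOWS\System32\svchost.exe -k netsvcs
R3 LUsbKbd;Logitech SetPoint USB Keyboard Filter;E:\WINDOWS\system32\Drivers\LUsbKbd.Sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;E:\WINDOWS\system32\drivers\WmVirHid.sys
"""
# The only name ComboFix listed under "Svchost - NetSvcs" in the log above.
SAMPLE_NETSVCS = ["njhaizau"]

# Abbreviated baseline of the netsvcs svchost group on a stock XP SP2 machine
# (assumption; build the real list from a known-clean reference install).
BASELINE_NETSVCS = {
    "6to4", "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dhcp",
    "dmserver", "ersvc", "eventsystem", "helpsvc", "lanmanserver",
    "lanmanworkstation", "netman", "nla", "rasauto", "rasman", "schedule",
    "seclogon", "sens", "sharedaccess", "shellhwdetection", "themes", "trkwks",
    "w32time", "winmgmt", "wscsvc", "wuauserv", "wzcsvc", "xmlprov",
}

# ComboFix format: <R|S><start type> <name>;<display name>;<image path [args]>
# R/S = running/stopped; start type 0 = boot, 1 = system, 2 = auto, 3 = demand.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+)$")


def parse_services(text: str) -> list[dict]:
    """Turn ComboFix service lines into dicts; unrelated lines are skipped."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["start"] = int(d["start"])
            services.append(d)
    return services


def image_ext(image: str) -> str:
    """File extension of the service image, ignoring '-k group'-style arguments
    (a directory containing ' -' would need a smarter split)."""
    exe = image.split(" -")[0].strip()
    return exe.rsplit(".", 1)[-1].lower() if "." in exe else ""


def triage_services(text: str, netsvcs_members: list[str]) -> list[tuple[str, str]]:
    """Return (service name, reason) pairs for entries a defender should inspect."""
    findings = []
    for s in parse_services(text):
        ext = image_ext(s["image"])
        # Boot/system-start drivers load before most defenses; a non-.sys image is odd.
        if s["start"] <= 1 and ext != "sys":
            findings.append((s["name"], f"boot/system-start driver image is .{ext}, not .sys"))
        # A service riding svchost's netsvcs group that no clean machine has.
        if "svchost.exe -k netsvcs" in s["image"].lower() \
                and s["name"].lower() not in BASELINE_NETSVCS:
            findings.append((s["name"], "svchost netsvcs service absent from baseline"))
    # The registry NetSvcs list is what svchost actually loads; check it too.
    for member in netsvcs_members:
        if member.lower() not in BASELINE_NETSVCS:
            findings.append((member, "registry NetSvcs entry absent from baseline"))
    return findings


if __name__ == "__main__":
    for name, reason in triage_services(SAMPLE_SERVICES, SAMPLE_NETSVCS):
        print(f"{name:10} {reason}")
```

The two Logitech drivers pass both checks; the .dat boot driver and the unknown netsvcs member are the only findings, matching what the helper went on to treat as the infection.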

shelf life
2007-10-20, 03:04
hi Plutonus,

it's been a while. let's try another resident malware scanner. superantispyware:

Please download SUPERAntiSpyware Home Edition:

http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:

* Close browsers before scanning
* Scan for tracking cookies
* Terminate memory threats before quarantining.
* Ignore System Restore/Volume Information on ME and XP
* Please leave the others unchecked.
* Click the Close button to leave the control center screen.

On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click
Yes.

To retrieve the removal information - please do the following:

* After reboot, double-click the SUPERAntispyware icon on your desktop.
* Click Preferences . Click the Statistics/Logs tab .
* Under Scanner Logs , double-click SUPERAntiSpyware Scan Log .
* It will open in your default text editor (Notepad).
* Please highlight everything , then right-click and choose copy.
* Click close and close again to exit the program.

please paste the removal information in next reply.

shelf life

tashi
2007-10-29, 18:52
This topic has been archived due to lack of a response.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.

tashi
2007-10-31, 06:28
Re-opened upon request. :)

Plutonus
2007-11-01, 08:25
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/31/2007 at 04:06 PM

Application Version : 3.9.1008

Core Rules Database Version : 3334
Trace Rules Database Version: 1335

Scan type : Complete Scan
Total Scan Time : 00:52:25

Memory items scanned : 681
Memory threats detected : 1
Registry items scanned : 6398
Registry threats detected : 0
File items scanned : 55586
File threats detected : 63

Trojan.Spam-MultiSite/Gen
E:\WINDOWS\SYSTEM32\ADSLDPCL.DLL
E:\WINDOWS\SYSTEM32\ADSLDPCL.DLL

Adware.Tracking Cookie
E:\Documents and Settings\Matt2\Cookies\matt2@gaypornblog[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@www.teenidols4you[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@tripod[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@serving-sys[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@counter1.sextracker[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@2.adbrite[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@ad.yieldmanager[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@spyguardpro[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@tribalfusion[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@revsci[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@xxxcounter[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@ad1.clickhype[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@tacoda[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@avsystemcare[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@adbrite[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@adultadworld[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@maxis.112.2o7[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@clicktorrent[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@adserver[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@ads.adbrite[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@sale.spyguardpro[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@__frm5[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@questionmarket[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@www.free-porn-babes[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@doubleclick[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@gomyron[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@ads.ozonemedia.co[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@bs.serving-sys[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@track.asus[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@www.jointheporn[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@trafficmp[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@audit.median[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@teenist[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@anad.tacoda[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@4.adbrite[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@cgi-bin[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@pornV[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@teenidols4you[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@mediaonenetwork[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@statcounter[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@mediaplex[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@_pt13[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@www.pcantiviruspro[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@3.adbrite[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@sextracker[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@_bt13[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@ads.pointroll[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@calc.avsystemcare[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@atdmt[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@counter7.sextracker[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@overture[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@acvs.mediaonenetwork[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@fastclick[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@amateurpornthumbs[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@sexlist[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@theryancorrfanclub.tripod[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@tradedoubler[2].txt
E:\Documents and Settings\Matt2\Cookies\matt2@www.teenist[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@msnportal.112.2o7[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@realmedia[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@protect.spyguardpro[1].txt
E:\Documents and Settings\Matt2\Cookies\matt2@ad1.doublepimp[1].txt

shelf life
2007-11-03, 00:55
hi Plutonus,

OK, I see SAS found two items; cookies aren't much to be worried about. Looks like a lot of them are from pOrnO sites.

You still having a malware problem or just visiting those sites? If malware, post another HJT log. If you are visiting those sites be careful; some can infect you with malware.
Don't download or install any "codec" that's "needed" to view a video.

shelf life

Plutonus
2007-11-03, 06:23
Yup I still am getting the same issues, and it seems whenever I open IE or My Computer I get the fake "viruses found" announcement from my taskbar which takes me to a website.

Never downloaded any of those codecs etc.

Looking at those cookies, I've never seen half of those websites before.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:54 PM, on 3/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
E:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
e:\program files\common files\mcafee\mna\mcnasvc.exe
E:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
E:\PROGRA~1\McAfee\MSC\mcpromgr.exe
e:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
E:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
E:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
E:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Apps\NetLimiter 2 Pro\nlsvc.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\wdfmgr.exe
E:\WINDOWS\System32\alg.exe
E:\WINDOWS\Explorer.EXE
C:\Apps\NetLimiter 2 Pro\NLClient.exe
E:\WINDOWS\system32\ctfmon.exe
e:\PROGRA~1\mcafee.com\agent\mcagent.exe
E:\Program Files\ASUS\Asus Probe\AsusProb.exe
E:\WINDOWS\system32\CNAC6RPK.EXE
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Apps\Winamp\winampa.exe
E:\WINDOWS\LOGI_MWX.EXE
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Apps\D-Tools\daemon.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
E:\WINDOWS\system32\wscntfy.exe
C:\Games\Steam\Steam.exe
E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
E:\Program Files\Logitech\SetPoint\KEM.exe
E:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Apps\Winamp\winamp.exe
E:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\Program Files\MSN Messenger\usnsvc.exe
E:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
E:\Program Files\Mozilla Firefox\firefox.exe
e:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
E:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Apps\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {6EA3996D-C362-430E-BC84-88FDB3D53510} - e:\windows\system32\adsldpcl.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - e:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C9FD9808-DD6B-4854-B5E2-DB9BFEDCE5C2} - E:\WINDOWS\system32\dbmsvinnl.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [ASUS Probe] E:\Program Files\ASUS\Asus Probe\AsusProb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Apps\Winamp\winampa.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Apps\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Apps\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTSyncU.exe] "E:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Steam] "C:\Games\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190284954735
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190285765076
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hfgjwjqe - E:\WINDOWS\SYSTEM32\adsldpcl.dll
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - E:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - E:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - E:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - E:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - e:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - E:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - e:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - E:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Apps\Nero 7\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Apps\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10422 bytes


On a separate note, do you know what the "Bonjour" thing is? It keeps on wanting internet access but I block it; just wondering if it's necessary or anything.

shelf life
2007-11-04, 16:07
hi Plutonus,

Thanks for the info. Looks like we need SmitfraudFix, so another download to get and run. This should take care of the popups. This clean step needs to run in safe mode.
-------------------------------------------
Download SmitfraudFix (by S!Ri) to your Desktop:

http://www.bleepingcomputer.com/files/smitfraudfix.php

You might want to copy/paste this into Notepad and save it somewhere so you can read it in safe mode:

Boot the computer into safe mode.
To reach safe mode: restart your computer and tap the F8 key during the boot up. Choose the first option from the list: safe mode. Log on to your regular account.

Locate the SmitfraudFix icon on the desktop and double-click it to start.
From the main option menu, choose the second option (clean). After SmitfraudFix runs, Disk Clean will run; last, when asked if you want to clean the registry, select y (yes) then Enter. The computer will reboot and after the restart produce a log. Please save the log somewhere.

After the reboot, run SUPERAntiSpyware once. Post the saved log from the SmitfraudFix clean and a new HJT log.

Bonjour Service: I think this is installed by Apple iTunes, and maybe also by other software. You use an iPod?

shelf life

Plutonus
2007-11-13, 08:17
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:35 PM, on 13/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
E:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
e:\program files\common files\mcafee\mna\mcnasvc.exe
E:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
E:\PROGRA~1\McAfee\MSC\mcpromgr.exe
e:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
E:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
E:\WINDOWS\Explorer.EXE
e:\PROGRA~1\mcafee.com\agent\mcagent.exe
E:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
E:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Apps\NetLimiter 2 Pro\nlsvc.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\wdfmgr.exe
E:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Apps\NetLimiter 2 Pro\NLClient.exe
E:\WINDOWS\system32\CNAC6RPK.EXE
e:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
E:\WINDOWS\System32\alg.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\ASUS\Asus Probe\AsusProb.exe
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Apps\Winamp\winampa.exe
E:\WINDOWS\LOGI_MWX.EXE
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Apps\D-Tools\daemon.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
E:\WINDOWS\system32\ctfmon.exe
C:\Games\Steam\Steam.exe
E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
E:\Program Files\Logitech\SetPoint\KEM.exe
E:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Apps\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {6EA3996D-C362-430E-BC84-88FDB3D53510} - e:\windows\system32\adsldpcl.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - e:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C9FD9808-DD6B-4854-B5E2-DB9BFEDCE5C2} - E:\WINDOWS\system32\dbmsvinnl.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [ASUS Probe] E:\Program Files\ASUS\Asus Probe\AsusProb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Apps\Winamp\winampa.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Apps\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Apps\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTSyncU.exe] "E:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Steam] "C:\Games\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190284954735
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190285765076
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hfgjwjqe - E:\WINDOWS\SYSTEM32\adsldpcl.dll
O20 - Winlogon Notify: tt - E:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - E:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - E:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - E:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - E:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - e:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - E:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - e:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - E:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Apps\Nero 7\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Apps\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10197 bytes
SmitFraudFix Log v2.250

Scan done at 18:32:41.81, Sat 10/11/2007
Run from F:\My Stuff\Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
127.0.0.1 www.newsleecher.com
127.0.0.1 newsleecher.com
127.0.0.1 www.aerosoft.com
127.0.0.1 aerosoft.com

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4149B8C5-6C03-4A0F-8BA1-C499F5170B86}: DhcpNameServer=192.231.203.132 192.231.203.3
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4149B8C5-6C03-4A0F-8BA1-C499F5170B86}: DhcpNameServer=192.231.203.132 192.231.203.3
HKLM\SYSTEM\CS3\Services\Tcpip\..\{4149B8C5-6C03-4A0F-8BA1-C499F5170B86}: DhcpNameServer=192.231.203.132 192.231.203.3
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.231.203.132 192.231.203.3
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.231.203.132 192.231.203.3
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.231.203.132 192.231.203.3


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

The 'smitfraud' is still there, however; it still comes up with those annoying messages.
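As an added example (not code from this thread, from HijackThis or from SmitFraudFix), here is a small Python triage script for the O2/O3/O20 lines of a HijackThis log. It flags the patterns that matter in the logs posted above: unnamed BHOs, orphaned "(no file)" registrations, and Winlogon Notify packages with generated-looking names or with no DLL at all, and it raises the severity when the same DLL is registered both as a BHO and as a Winlogon Notify package. The line-format regexes and the random-name heuristic are assumptions of this example; the sample lines are copied from the logs posted in this thread.

```python
"""Triage HijackThis O2/O3/O20 lines for unnamed BHOs, orphaned entries and
suspicious Winlogon Notify packages.  Added example for this thread, not part
of HijackThis or of any tool used here; line formats and the random-name
heuristic are assumptions, the sample lines are copied from the thread's logs."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Line formats inferred from the HijackThis v2.0.2 output posted above (assumption).
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O2_O3_RE = re.compile(
    r"^O(?:2 - BHO|3 - Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"
)
VOWELS = set("aeiou")

# Constructed sample: lines copied from the two HJT logs posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {6EA3996D-C362-430E-BC84-88FDB3D53510} - e:\\windows\\system32\\adsldpcl.dll
O2 - BHO: (no name) - {C9FD9808-DD6B-4854-B5E2-DB9BFEDCE5C2} - E:\\WINDOWS\\system32\\dbmsvinnl.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O20 - Winlogon Notify: !SASWinLogon - E:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: hfgjwjqe - E:\\WINDOWS\\SYSTEM32\\adsldpcl.dll
O20 - Winlogon Notify: tt - E:\\WINDOWS\\
"""


@dataclass
class Finding:
    kind: str      # "bho" (O2/O3) or "notify" (O20)
    severity: str  # "low", "medium" or "high"
    path: str
    reason: str
    line: str


def looks_random(name: str) -> bool:
    """Heuristic (assumption): 6+ lower-case letters with under 25% vowels,
    e.g. 'hfgjwjqe', reads as generated; '!SASWinLogon' or 'sdhelper' do not."""
    if not re.fullmatch(r"[a-z]{6,}", name):
        return False
    return sum(c in VOWELS for c in name) / len(name) < 0.25


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    notify_dlls: set[str] = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O20_RE.match(line):
            name, path = m["name"], m["path"]
            if not path.lower().endswith(".dll"):
                # A bare directory such as "E:\WINDOWS\" cannot be a notification package.
                findings.append(Finding("notify", "high", path,
                                        "Winlogon Notify entry does not name a DLL", line))
                continue
            notify_dlls.add(path.lower())
            if looks_random(name):
                findings.append(Finding("notify", "high", path,
                                        f"Winlogon Notify package registered under generated-looking name '{name}'", line))
        elif m := O2_O3_RE.match(line):
            name, path = m["name"], m["path"]
            if path == "(no file)":
                findings.append(Finding("bho", "low", path,
                                        "orphaned registration, file is missing; clean-up only", line))
            elif name == "(no name)":
                findings.append(Finding("bho", "medium", path,
                                        "unnamed browser helper object loads a DLL", line))
    # Correlate: a DLL that is both an unnamed BHO and a Winlogon Notify package
    # is loaded into winlogon.exe as well as the browser, so rate it high.
    for f in findings:
        if f.kind == "bho" and f.path.lower() in notify_dlls:
            f.severity = "high"
            f.reason += "; same DLL is also registered as a Winlogon Notify package"
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    counts = {"low": 0, "medium": 0, "high": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: ("high", "medium", "low").index(f.severity)):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(severity_counts(results))
```

Run it as a script to list the findings ordered by severity; on the sample it rates the adsldpcl.dll BHO, the hfgjwjqe notify package and the bare "E:\WINDOWS\" notify entry as high. Winlogon Notify packages on Windows XP are loaded into winlogon.exe itself, which is why a bad package there can take winlogon down the way the first post describes, and why an O20 line with an unknown name deserves a closer look than an ordinary BHO.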

shelf life
2007-11-14, 05:07
hi,

OK, delete that old version of ComboFix:

start>run and type in Combofix /u
there is a space after the x.
if prompted select option 2
---------------------------------------------------------

Get a new copy, because it gets updated:

Please download ComboFix (by sUBs) from one of the following links:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Save it to the Desktop.
Double-click combofix.exe and follow the prompts.

CAUTION: Do not mouse-click ComboFix's window while it is running.
It may cause it to stall.

When finished, it produces a log.

Please provide the contents of the ComboFix log in your reply--

shelf life

Plutonus
2007-11-17, 09:50
ComboFix 07-11-08.1 - Matt2 2007-11-17 18:33:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1472 [GMT 11:00]
Running from: E:\Documents and Settings\Matt2\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\WINDOWS\system32\adsldpcl.dll
E:\WINDOWS\system32\adsldpcl.dll.bak
E:\WINDOWS\system32\dbmsvinnl.dll
E:\WINDOWS\system32\drivers\csvvcoje.dat
E:\WINDOWS\system32\drivers\drfupiwj.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FUTHWEJW
-------\LEGACY_NJHAIZAU
-------\futhwejw
-------\njhaizau


((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-11 22:08 <DIR> d-------- E:\Documents and Settings\Matt2\Application Data\mIRC
2007-11-11 14:58 <DIR> d-------- E:\Documents and Settings\Matt2\Application Data\InstallShield
2007-11-10 18:32 53,248 --a------ E:\WINDOWS\system32\Process.exe
2007-11-10 18:32 1,814 --a------ E:\WINDOWS\system32\tmp.reg
2007-11-10 18:29 289,144 --a------ E:\WINDOWS\system32\VCCLSID.exe
2007-11-10 18:29 288,417 --a------ E:\WINDOWS\system32\SrchSTS.exe
2007-11-10 18:29 51,200 --a------ E:\WINDOWS\system32\dumphive.exe
2007-11-10 18:29 25,600 --a------ E:\WINDOWS\system32\WS2Fix.exe
2007-11-03 14:29 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-11-01 17:37 <DIR> d-------- E:\Program Files\Windows Live
2007-11-01 17:37 <DIR> d-------- E:\Program Files\Messenger Plus! Live
2007-10-31 15:11 <DIR> d-------- E:\Program Files\SUPERAntiSpyware
2007-10-31 15:11 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2007-10-31 15:11 <DIR> d-------- E:\Documents and Settings\Matt2\Application Data\SUPERAntiSpyware.com
2007-10-31 15:11 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-29 19:32 <DIR> d-------- E:\Documents and Settings\Matt2\Application Data\Locktime
2007-10-29 19:29 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Locktime
2007-10-22 18:58 139,264 --a------ E:\WINDOWS\system32\eax.dll
2007-10-22 18:34 319,488 -ra------ E:\WINDOWS\system32\MafiaSetup.exe
2007-10-19 21:16 51,200 --a------ E:\WINDOWS\NirCmd.exe
2007-10-18 17:28 <DIR> d-------- E:\Program Files\Canon
2007-10-18 17:28 921,600 --a------ E:\WINDOWS\system32\CNAP1NSK.DLL
2007-10-18 17:28 204,800 --a------ E:\WINDOWS\system32\CNAC6EMU.DLL
2007-10-18 17:28 102,453 --a------ E:\WINDOWS\system32\CNAC6SMK.DLL
2007-10-18 17:28 63,168 --a------ E:\WINDOWS\system32\CNAC6RPK.EXE
2007-10-18 17:28 32,821 --a------ E:\WINDOWS\system32\CNAC6LMK.DLL
2007-10-18 17:28 28,672 --a------ E:\WINDOWS\system32\CNAC6PTU.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 09:55 --------- d-----w E:\Program Files\Emirates TravelDesk
2007-11-11 12:49 --------- d--h--w E:\Program Files\InstallShield Installation Information
2007-11-11 12:49 --------- d-----w E:\Program Files\Common Files\InstallShield
2007-11-01 06:37 --------- d-----w E:\Program Files\MSN Messenger
2007-10-26 06:51 --------- d-----w E:\Program Files\SkyTeam Travel Timetable
2007-10-22 07:58 --------- d-----w E:\Program Files\Creative
2007-10-18 06:29 --------- d-----w E:\Documents and Settings\Matt2\Application Data\AdobeUM
2007-10-14 04:39 --------- d-----w E:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-14 04:36 --------- d-----w E:\Program Files\Trend Micro
2007-10-12 06:22 --------- d-----w E:\Program Files\McAfee
2007-10-11 23:58 --------- d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-11 12:28 --------- d-----w E:\Documents and Settings\All Users\Application Data\McAfee
2007-10-11 12:27 --------- d-----w E:\Program Files\McAfee.com
2007-10-11 12:27 --------- d-----w E:\Program Files\Common Files\McAfee
2007-10-11 12:24 --------- d-----w E:\Program Files\Common Files\Symantec Shared
2007-10-11 12:24 --------- d-----w E:\Documents and Settings\All Users\Application Data\Symantec
2007-10-10 17:32 --------- d-----w E:\Documents and Settings\Matt2\Application Data\Symantec
2007-10-10 10:18 805 ----a-w E:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-10 10:18 10,740 ----a-w E:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-07 04:07 737,280 ----a-w E:\WINDOWS\iun6002.exe
2007-10-06 01:44 --------- d-----w E:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-03 13:24 --------- d-----w E:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-03 13:21 --------- d-----w E:\Program Files\Common Files\Adobe
2007-10-03 13:21 --------- d-----w E:\Program Files\Bonjour
2007-10-03 13:16 --------- d-----w E:\Program Files\Common Files\Macrovision Shared
2007-10-03 06:22 --------- d-----w E:\Documents and Settings\Matt2\Application Data\GlobalSCAPE
2007-10-02 01:12 --------- d-----w E:\Documents and Settings\Matt2\Application Data\Apple Computer
2007-10-01 10:27 --------- d-----w E:\Program Files\Common Files\Adobe Systems Shared
2007-10-01 10:27 --------- d-----w E:\Documents and Settings\All Users\Application Data\Macrovision
2007-10-01 03:17 --------- d-----w E:\Documents and Settings\Matt2\Application Data\Ahead
2007-09-29 09:36 356,352 ----a-w E:\WINDOWS\eSellerateEngine.dll
2007-09-29 09:31 12,400 ----a-w E:\WINDOWS\system32\drivers\secdrv.sys
2007-09-29 09:26 --------- d-----w E:\Program Files\rcv4
2007-09-29 04:52 --------- d-----w E:\Program Files\Common Files\Ahead
2007-09-29 04:52 --------- d-----w E:\Documents and Settings\All Users\Application Data\Ahead
2007-09-29 04:51 --------- d-----w E:\Documents and Settings\All Users\Application Data\Nero
2007-09-25 10:53 --------- d-----w E:\Documents and Settings\Matt2\Application Data\Creative
2007-09-24 07:46 --------- d-----w E:\Documents and Settings\All Users\Application Data\Test Drive Unlimited
2007-09-23 10:57 --------- d--h--r E:\Documents and Settings\Matt2\Application Data\SecuROM
2007-09-22 08:22 --------- d-----w E:\Program Files\Java
2007-09-22 08:21 --------- d-----w E:\Program Files\Common Files\Java
2007-09-21 13:43 --------- d-----w E:\Program Files\Apple Software Update
2007-09-21 13:43 --------- d-----w E:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-21 13:43 --------- d-----w E:\Documents and Settings\All Users\Application Data\Apple
2007-09-21 09:30 60,416 ----a-w E:\WINDOWS\ALCFDRTM.EXE
2007-09-21 09:22 --------- d-----w E:\Documents and Settings\Matt2\Application Data\Logitech
2007-09-21 08:52 --------- d-----w E:\Program Files\Realtek AC97
2007-09-21 08:52 --------- d-----w E:\Program Files\AvRack
2007-09-21 07:48 81,920 ------r E:\WINDOWS\bwUnin-6.1.4.68-8876480L.exe
2007-09-21 07:46 --------- d-----w E:\Program Files\Logitech
2007-09-21 07:38 --------- d-----w E:\Program Files\Common Files\Logitech
2007-09-21 07:34 81,920 ------r E:\WINDOWS\bwUnin-6.1.4.36-8876480L.exe
2007-09-21 07:31 --------- d-----w E:\Program Files\Winamp
2007-09-21 05:56 --------- d-----w E:\Program Files\MSBuild
2007-09-21 05:56 --------- d-----w E:\Program Files\Microsoft Works
2007-09-20 12:05 --------- d-----w E:\Documents and Settings\All Users\Application Data\Creative
2007-09-20 11:48 --------- d-----w E:\Program Files\Western Digital
2007-09-20 09:54 --------- d-----w E:\Program Files\Realtek Sound Manager
2007-09-20 09:35 --------- d-----w E:\Program Files\ASUS
2007-09-20 09:31 --------- d-----w E:\Program Files\Marvell
2007-09-20 09:12 --------- d-----w E:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS Probe"="E:\Program Files\ASUS\Asus Probe\AsusProb.exe" [2002-12-06 17:07]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2007-06-29 01:43]
"nwiz"="nwiz.exe" [2007-06-29 01:43 E:\WINDOWS\system32\nwiz.exe]
"GrooveMonitor"="E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47]
"WinampAgent"="C:\Apps\Winamp\winampa.exe" [2007-05-15 09:22]
"Logitech Utility"="LOGI_MWX.EXE" [2002-11-08 20:50 E:\WINDOWS\LOGI_MWX.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-06-08 13:31 E:\WINDOWS\KHALMNPR.Exe]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 22:42 E:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Apps\QuickTime\qttask.exe" [2007-06-29 07:24]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00]
"DAEMON Tools-1033"="C:\Apps\D-Tools\daemon.exe" [2004-08-22 18:05]
"NeroFilterCheck"="E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 16:57]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 01:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="E:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 15:32]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-04 18:56]
"LDM"="E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2007-09-21 18:48]
"Steam"="C:\Games\Steam\Steam.exe" [2007-11-15 17:55]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 20:03]
"SUPERAntiSpyware"="E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-01 21:26:36]
Logitech Desktop Messenger.lnk - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-09-21 18:48:55]
Logitech SetPoint.lnk - E:\Program Files\Logitech\SetPoint\KEM.exe [2007-09-21 18:46:42]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R1 nltdi;nltdi;\??\E:\WINDOWS\system32\drivers\nltdi.sys
R3 LUsbKbd;Logitech SetPoint USB Keyboard Filter;E:\WINDOWS\system32\Drivers\LUsbKbd.Sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;E:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmFilter;Logitech Gaming HID Filter Driver;E:\WINDOWS\system32\drivers\WmFilter.sys
R3 WmHidLo;Logitech Gaming USB Filter Driver;E:\WINDOWS\system32\drivers\WmHidLo.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;E:\WINDOWS\system32\drivers\WmXlCore.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;E:\WINDOWS\system32\drivers\WmVirHid.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-14 15:16:56 E:\WINDOWS\Tasks\McDefragTask.job"
- e:\program files\mcafee\mqc\QcConsol.exe
"2007-10-31 14:00:18 E:\WINDOWS\Tasks\McQcTask.job"
- e:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 18:40:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-17 18:46:42 - machine was rebooted
E:\ComboFix2.txt ... 2007-10-19 21:22
.
--- E O F ---

shelf life
2007-11-18, 01:32
hi,

ok, let's do this:

go to one of these two websites:

http://virusscan.jotti.org/
http://www.virustotal.com/

using the browse button, navigate to the system32 dir. and upload the following two files one at a time. they will be scanned by 10-12 antivirus scanners. please post the results in your next reply.

E:\WINDOWS\system32\CNAC6RPK.EXE
E:\WINDOWS\system32\CNAC6PTU.DLL

shelf life

Plutonus
2007-11-19, 02:15
Both files were "OK" - nothing found by any of the virus scanners.

Plutonus
2007-11-19, 02:16
Can't seem to edit, so - I had a look at them; they seem to be Canon Printing Drivers/Software - which ties in with what I had to install a month or so back.

shelf life
2007-11-19, 04:40
hi,

thanks for the info. one more download to get and run:

http://download.bleepingcomputer.com/marckie/haxfix.exe

How to use HaxFix:
Double click on haxfix.exe to install the program. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon".
Click "Next".
When the installation is completed, make sure that the checkmark "Launch haxfix" is placed.
Click "Finish".

A red "dos window" (dos box) will open with options:
1. Make logfile
E. Exit Haxfix

Select option "1. Make logfile" by typing 1 and then pressing Enter
Haxfix will start scanning the computer. When it is finished a logfile (c:\haxlog.txt) will open.

save the log file and copy/paste it in next reply.
exit haxfix by typing e at the prompt
-------------------------------------------
see if you can locate this .exe:
iun6002.exe

found here: E:\WINDOWS

upload it so it can be checked out:
http://www.virustotal.com/

shelf life

Plutonus
2007-11-25, 11:06
HAXFIX logfile - by Marckie

version 4.58
Sun 25/11/2007 19:49:32.07

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
no matching services found

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected


--- Catchme logfile - thank you Gmer ---

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-25 19:49:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,90,9f,c4,fc,99,f2,1c,61,78,ec,53,c1,de,f0,de,53,e8,..
"hj34z0"=hex:7a,b4,76,68,d7,b1,45,b5,ff,bd,c9,27,7c,95,94,5a,b4,e5,d6,4b,b4,..
"hj34z1"=hex:b8,b4,76,68,af,b1,45,b5,fe,bd,c8,27,7d,95,94,5a,b4,e5,d6,4b,fb,..
"hj34z2"=hex:b8,b4,76,68,af,b1,45,b5,fe,bd,c8,27,7d,95,94,5a,b4,e5,d6,4b,fb,..
"hj34z3"=hex:b8,b4,76,68,af,b1,45,b5,fe,bd,c8,27,7d,95,94,5a,b4,e5,d6,4b,fb,..
"hj34z4"=hex:b8,b4,76,68,af,b1,45,b5,fe,bd,c8,27,7d,95,94,5a,b4,e5,d6,4b,fb,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000066
"TracesSuccessful"=dword:00000043

scanning hidden files ...

E:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\994C321A.TMP 0 bytes
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\tegzfrendz@hotmail.com\DFSR\Staging\CS{D8E17164-69C6-701A-1B00-E4DDFFB0BD5B}\01\15-{D8E17164-69C6-701A-1B00-E4DDFFB0BD5B}-v1-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\50\150-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v150-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v150-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1208 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\00\400-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v400-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v400-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 584 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\01\10-{9F3D7A35-1186-874C-EE15-4EBA4B65B231}-v1-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\01\601-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v601-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v601-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1920 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\02\602-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v602-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v602-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1592 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\03\603-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v603-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v603-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1624 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\04\604-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v604-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v604-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1952 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\05\605-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v605-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v605-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1880 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\06\606-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v606-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v606-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1856 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\11\11-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v11-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 948 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\11\11-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v11-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 120 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\12\12-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v12-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v12-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 1326 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\12\12-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v12-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v12-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 152 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\13\13-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v13-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v13-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 1002 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\13\13-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v13-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v13-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 112 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\13\513-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v513-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v513-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1856 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\14\14-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v14-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v14-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 1398 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\14\14-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v14-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v14-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 144 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\16\16-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v16-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v16-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 1002 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\16\16-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v16-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v16-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 112 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\17\17-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v17-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v17-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 606 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\17\17-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v17-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v17-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 80 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\18\18-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v18-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v18-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 858 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\18\18-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v18-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v18-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 104 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\21\21-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v21-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v21-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 22260 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\21\21-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v21-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v21-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2 1686 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\21\21-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v21-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v21-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 2488 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\22\22-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v22-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v22-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 27840 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\22\22-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v22-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v22-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2 2028 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\22\22-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v22-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v22-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 3048 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\23\23-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v23-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v23-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 27318 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\23\23-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v23-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v23-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2 1956 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\23\23-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v23-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v23-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 2992 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\24\24-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v24-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v24-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 25104 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\24\24-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v24-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v24-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2 1920 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\24\24-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v24-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v24-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 2800 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\27\27-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v27-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v27-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 25950 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\27\27-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v27-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v27-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2 1740 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\27\27-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v27-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v27-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 2888 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\28\28-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v28-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v28-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 25374 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\28\28-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v28-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v28-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2 1848 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\28\28-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v28-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v28-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 2824 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\35\535-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v535-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v535-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1792 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\36\19-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v536-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v19-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 13386 bytes hidden from API

Plutonus
2007-11-25, 11:07
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\36\19-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v536-{94EFD367-7931-4B32-95B8-FFF4BE13400B}-v19-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1512 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\37\537-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v537-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v537-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1704 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\38\538-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v538-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v538-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1584 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\39\539-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v539-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v539-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1712 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\46\546-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v546-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v546-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1728 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\49\149-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v149-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v149-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 128 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\51\151-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v151-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v151-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1408 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\52\152-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v152-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v152-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 2088 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\53\153-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v153-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v153-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1456 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\54\154-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v154-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v154-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1848 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\55\155-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v155-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v155-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1552 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\56\156-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v156-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v156-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1040 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\57\157-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v157-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v157-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 800 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\58\158-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v158-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v158-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1096 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\63\163-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v163-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v163-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 2928 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\63\568-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v563-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v568-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 9120 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\63\568-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v563-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v568-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1000 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\64\582-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v564-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v582-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 9192 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\64\582-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v564-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v582-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1016 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\65\583-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v565-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v583-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 9840 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\65\583-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v565-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v583-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1096 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\66\566-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v566-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v566-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1728 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\67\567-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v567-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v567-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1808 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\70\570-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v570-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v570-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 848 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\71\571-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v571-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v571-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1792 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\72\572-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v572-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v572-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1800 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\73\173-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v173-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v173-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 488 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\73\573-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v573-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v573-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1776 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\74\584-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v574-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v584-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 15834 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\74\584-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v574-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v584-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1792 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\75\585-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v575-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v585-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 16662 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\75\585-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v575-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v585-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1800 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\76\586-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v576-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v586-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 16050 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\76\586-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v576-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v586-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1792 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\77\577-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v577-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v577-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1728 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\78\578-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v578-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v578-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1792 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\79\579-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v579-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v579-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1864 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\80\580-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v580-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v580-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1376 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\82\382-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v382-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v382-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1704 bytes hidden from API
E:\Documents and Settings\Matt2\Local Settings\Application Data\Microsoft\Messenger\hmmproductions_2000@hotmail.com\SharingMetadata\the_boredom_takes_over@hotmail.com\DFSR\Staging\CS{9F3D7A35-1186-874C-EE15-4EBA4B65B231}\87\187-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v187-{08D2D9E8-2AC3-4F9B-9B35-9005C9314960}-v187-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1920 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 86


--- Analysing Catchme logfile ---

no matching regkeys found


Finished!


Nothing was found on that file, either.

(Had to split it up, said the original post was too large)

shelf life
2007-11-26, 00:57
hi Plutonus,

No joy for you or me.
Let's delete that copy of ComboFix like this:

Go to Start > Run, type in combofix /u and click OK.
Note: there is a space after the "x" in combofix.
------------------------
next;

Please do an online scan here:
F-secure scan:
http://support.f-secure.com/enu/home/ols.shtml

Uses Internet Explorer only.

Click on the "Start Scanning" button near the bottom of the page.
Click to accept/install the ActiveX applet.
"Accept" the License Agreement, then click "Full System Scan".
Once the download of files completes, the scan will begin automatically.
The scan may take some time to finish.
When the scan completes, click the Automatic cleaning (recommended) button.

Click the Show Report button and copy and paste the entire report in your next reply, along with a current HijackThis log.
--------------------
Last: get the new ComboFix.
Please download ComboFix (by sUBs) from one of the following links:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Save it to the Desktop.
Double-click combofix.exe and follow the prompts.

CAUTION: Do not mouse-click ComboFix's window while it is running.
It may cause it to stall.

When finished, it produces a log.

Please provide the contents of the ComboFix log in your reply.

shelf life

Plutonus
2007-12-04, 07:35
F-Secure scan

Possibly infected with an unknown virus (virus)

* F:\MY STUFF\WEBBIES\CATS\ZENCART\ZEN-CART-V1.2.1D\INCLUDES\MODULES\ORDER_TOTAL\OT_COUPON.PHP (Submitted)

Tracking Cookie (spyware)

* System (Disinfected)
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System

W32/Malware.BHMR (virus)

* E:\WINDOWS\SYSTEM32\BASSMOD.DLL (Submitted)

Statistics
Scanned:

* Files: 90093
* System: 4643
* Not scanned: 8

Actions:

* Disinfected: 1
* Renamed: 0
* Deleted: 0
* None: 30
* Submitted: 2

Files not scanned:

* E:\PAGEFILE.SYS
* E:\WINDOWS\TEMP\MCAFEE_QAABZ5XJV2CT629
* E:\WINDOWS\TEMP\MCMSC_58FY8CI22HLEJJT
* E:\WINDOWS\TEMP\MCMSC_P6EIWJY2WJAL8WI
* E:\WINDOWS\TEMP\MCMSC_VJ9IPSYNVDIICOO
* E:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* E:\DOCUMENTS AND SETTINGS\MATT2\LOCAL SETTINGS\TEMP\~ROMFN_00000BE8
* E:\DOCUMENTS AND SETTINGS\MATT2\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\OUTLOOK.PST

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:42 PM, on 4/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
E:\WINDOWS\Explorer.EXE
e:\program files\common files\mcafee\mna\mcnasvc.exe
e:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
E:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
E:\Program Files\McAfee\MPF\MPFSrv.exe
E:\Program Files\nHancer\nHancerService.exe
E:\PROGRA~1\McAfee.com\Agent\mcagent.exe
E:\WINDOWS\system32\CNAC6RPK.EXE
C:\Apps\NetLimiter 2 Pro\nlsvc.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\ASUS\Asus Probe\AsusProb.exe
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Apps\Winamp\winampa.exe
E:\WINDOWS\LOGI_MWX.EXE
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Apps\D-Tools\daemon.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\system32\wscntfy.exe
C:\Games\Steam\Steam.exe
E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Apps\NetLimiter 2 Pro\NLClient.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\nHancer\nHancer.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Apps\Winamp\winamp.exe
E:\Program Files\MSN Messenger\usnsvc.exe
E:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
E:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
C:\Apps\mIRC\mirc.exe
E:\WINDOWS\system32\WISPTIS.EXE
C:\Games\Flight Simulator 9\fs9.exe
C:\Games\Flight Simulator 9\fs9.exe
E:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
E:\Program Files\Internet Explorer\iexplore.exe
E:\DOCUME~1\Matt2\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
E:\DOCUME~1\Matt2\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
E:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe


HijackThis
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Apps\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - E:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [ASUS Probe] E:\Program Files\ASUS\Asus Probe\AsusProb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Apps\Winamp\winampa.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Apps\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Apps\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] E:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [CTSyncU.exe] "E:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Steam] "C:\Games\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [nHancer] "E:\Program Files\nHancer\nHancer.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190284954735
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190285765076
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tt - E:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - E:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - e:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - e:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - E:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Apps\Nero 7\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - E:\Program Files\nHancer\nHancerService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Apps\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9972 bytes

Plutonus
2007-12-04, 07:36
Combofix

ComboFix 07-12-02.7 - Matt2 2007-12-04 16:31:19.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.831 [GMT 11:00]
Running from: F:\My Stuff\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-11-26 10:52 . 2007-11-26 11:08 715 --a------ E:\WINDOWS\eReg.dat
2007-11-26 00:43 . 2007-12-02 00:12 54,156 --ah----- E:\WINDOWS\QTFont.qfn
2007-11-26 00:43 . 2007-11-26 00:43 1,409 --a------ E:\WINDOWS\QTFont.for
2007-11-25 19:49 . 2001-05-25 06:01 90,112 --a------ E:\WINDOWS\system32\RegDACL.exe
2007-11-25 19:49 . 2007-10-11 14:42 8,925 --a------ E:\clean.bat
2007-11-25 19:49 . 2004-07-22 12:15 4,096 --a------ E:\WINDOWS\system32\reboot.exe
2007-11-25 19:49 . 2007-10-11 08:55 347 --a------ E:\run2.reg
2007-11-25 16:37 . 2007-11-25 16:37 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\NVIDIA
2007-11-25 16:36 . 2007-11-25 16:36 <DIR> d-------- E:\Program Files\nHancer
2007-11-25 16:36 . 2007-11-25 16:37 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\nHancer
2007-11-22 19:46 . 2007-11-22 19:46 <DIR> d-------- E:\Program Files\MSXML 4.0
2007-11-22 19:46 . 2005-05-26 15:34 2,297,552 --a------ E:\WINDOWS\system32\d3dx9_26.dll
2007-11-11 22:08 . 2007-12-04 16:32 <DIR> d-------- E:\Documents and Settings\Matt2\Application Data\mIRC
2007-11-11 14:58 . 2007-11-11 14:58 <DIR> d-------- E:\Documents and Settings\Matt2\Application Data\InstallShield
2007-11-10 18:32 . 2003-06-05 20:13 53,248 --a------ E:\WINDOWS\system32\Process.exe
2007-11-10 18:32 . 2007-11-10 18:32 1,814 --a------ E:\WINDOWS\system32\tmp.reg
2007-11-10 18:29 . 2007-09-05 23:22 289,144 --a------ E:\WINDOWS\system32\VCCLSID.exe
2007-11-10 18:29 . 2006-04-27 16:49 288,417 --a------ E:\WINDOWS\system32\SrchSTS.exe
2007-11-10 18:29 . 2004-07-31 17:50 51,200 --a------ E:\WINDOWS\system32\dumphive.exe
2007-11-10 18:29 . 2007-10-03 23:36 25,600 --a------ E:\WINDOWS\system32\WS2Fix.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-25 07:18 --------- d-----w E:\Program Files\McAfee
2007-11-22 08:46 --------- d--h--w E:\Program Files\InstallShield Installation Information
2007-11-21 12:19 --------- d-----w E:\Program Files\Common Files\McAfee
2007-11-14 09:55 --------- d-----w E:\Program Files\Emirates TravelDesk
2007-11-11 12:49 --------- d-----w E:\Program Files\Common Files\InstallShield
2007-11-10 07:40 --------- d-----w E:\Program Files\SUPERAntiSpyware
2007-11-03 03:29 --------- d-----w E:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-11-01 06:37 --------- d-----w E:\Program Files\Windows Live
2007-11-01 06:37 --------- d-----w E:\Program Files\MSN Messenger
2007-11-01 06:37 --------- d-----w E:\Program Files\Messenger Plus! Live
2007-10-31 04:11 --------- d-----w E:\Program Files\Common Files\Wise Installation Wizard
2007-10-31 04:11 --------- d-----w E:\Documents and Settings\Matt2\Application Data\SUPERAntiSpyware.com
2007-10-31 04:11 --------- d-----w E:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-29 08:32 --------- d-----w E:\Documents and Settings\Matt2\Application Data\Locktime
2007-10-29 08:29 --------- d-----w E:\Documents and Settings\All Users\Application Data\Locktime
2007-10-26 06:51 --------- d-----w E:\Program Files\SkyTeam Travel Timetable
2007-10-22 07:58 --------- d-----w E:\Program Files\Creative
2007-10-18 06:29 --------- d-----w E:\Documents and Settings\Matt2\Application Data\AdobeUM
2007-10-18 06:28 --------- d-----w E:\Program Files\Canon
2007-10-14 04:39 --------- d-----w E:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-14 04:36 --------- d-----w E:\Program Files\Trend Micro
2007-10-11 23:58 --------- d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-11 12:28 --------- d-----w E:\Documents and Settings\All Users\Application Data\McAfee
2007-10-11 12:27 --------- d-----w E:\Program Files\McAfee.com
2007-10-11 12:24 --------- d-----w E:\Program Files\Common Files\Symantec Shared
2007-10-11 12:24 --------- d-----w E:\Documents and Settings\All Users\Application Data\Symantec
2007-10-10 17:32 --------- d-----w E:\Documents and Settings\Matt2\Application Data\Symantec
2007-10-10 10:18 805 ----a-w E:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-10 10:18 10,740 ----a-w E:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-07 15:14 246,545 ----a-w E:\WINDOWS\system32\libssl32.dll
2007-10-07 15:14 1,188,375 ----a-w E:\WINDOWS\system32\libeay32.dll
2007-10-07 04:07 737,280 ----a-w E:\WINDOWS\iun6002.exe
2007-10-06 01:44 --------- d-----w E:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-29 09:36 356,352 ----a-w E:\WINDOWS\eSellerateEngine.dll
2007-09-23 10:57 108,144 ----a-w E:\WINDOWS\system32\CmdLineExt.dll
2007-09-21 09:30 60,416 ----a-w E:\WINDOWS\ALCFDRTM.EXE
2007-09-21 07:48 81,920 ------r E:\WINDOWS\bwUnin-6.1.4.68-8876480L.exe
2007-09-21 07:34 81,920 ------r E:\WINDOWS\bwUnin-6.1.4.36-8876480L.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="E:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 15:32]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-04 18:56]
"LDM"="E:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2007-09-21 18:48]
"Steam"="C:\Games\Steam\Steam.exe" [2007-12-01 18:29]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 20:03]
"SUPERAntiSpyware"="E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"nHancer"="E:\Program Files\nHancer\nHancer.exe" [2007-10-31 10:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS Probe"="E:\Program Files\ASUS\Asus Probe\AsusProb.exe" [2002-12-06 17:07]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 18:56 E:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-06-29 01:43 E:\WINDOWS\system32\nwiz.exe]
"GrooveMonitor"="E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47]
"WinampAgent"="C:\Apps\Winamp\winampa.exe" [2007-05-15 09:22]
"Logitech Utility"="LOGI_MWX.EXE" [2002-11-08 20:50 E:\WINDOWS\LOGI_MWX.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-06-08 13:31 E:\WINDOWS\KHALMNPR.Exe]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 22:42 E:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Apps\QuickTime\qttask.exe" [2007-06-29 07:24]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00]
"DAEMON Tools-1033"="C:\Apps\D-Tools\daemon.exe" [2004-08-22 18:05]
"NeroFilterCheck"="E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 16:57]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 18:56 E:\WINDOWS\system32\rundll32.exe]
"mcagent_exe"="E:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 18:56]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-01 21:26:36]
Logitech Desktop Messenger.lnk - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-09-21 18:48:55]
Logitech SetPoint.lnk - E:\Program Files\Logitech\SetPoint\KEM.exe [2007-09-21 18:46:42]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R1 nltdi;nltdi;\??\E:\WINDOWS\system32\drivers\nltdi.sys
R3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\E:\DOCUME~1\Matt2\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys
R3 LUsbKbd;Logitech SetPoint USB Keyboard Filter;E:\WINDOWS\system32\Drivers\LUsbKbd.Sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;E:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmFilter;Logitech Gaming HID Filter Driver;E:\WINDOWS\system32\drivers\WmFilter.sys
R3 WmHidLo;Logitech Gaming USB Filter Driver;E:\WINDOWS\system32\drivers\WmHidLo.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;E:\WINDOWS\system32\drivers\WmXlCore.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;E:\WINDOWS\system32\drivers\WmVirHid.sys

*Newly Created Service* - F-SECURE_STANDALONE_MINIFILTER
.
Contents of the 'Scheduled Tasks' folder
"2007-11-14 15:16:56 E:\WINDOWS\Tasks\McDefragTask.job"
- e:\program files\mcafee\mqc\QcConsol.exe'
"2007-11-30 14:00:10 E:\WINDOWS\Tasks\McQcTask.job"
- e:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 16:33:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-04 16:33:34
E:\ComboFix2.txt ... 2007-11-17 18:46
E:\ComboFix3.txt ... 2007-10-19 21:22
.
--- E O F ---

shelf life
2007-12-05, 04:24
hi Plutonus,

Not seeing much at all.

Copy the entire contents inside the code box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes.



REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tt]



Reboot once. Let me know how it's going.

shelf life
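As an added example (not code from the thread or from any of the tools it mentions), a PowerShell audit of the Winlogon Notify packages that the ComboFix log lists above: it prints each subkey's DllName and flags a subkey that has no DllName at all, like the empty `tt` key the Regfix.reg removes, or whose DLL is not on disk. The function name and report layout are my own.

```powershell
# Added example: audit Winlogon\Notify packages (not from the original thread).
# Every subkey here names a DLL that winlogon.exe loads at logon, so a subkey
# with no DllName, or one pointing at a file that does not exist, deserves a look.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyReport {
    param([string]$Path = $notifyKey)   # hypothetical helper name

    if (-not (Test-Path $Path)) { return @() }

    Get-ChildItem -Path $Path | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $dll   = $props.DllName

        $status = if (-not $dll) {
            'NO DLLNAME (empty key)'          # e.g. the "tt" key in the log
        } else {
            # DllName is frequently a bare file name resolved from System32,
            # so try the literal value first and fall back to that directory.
            $resolved = if ([System.IO.Path]::IsPathRooted($dll)) { $dll }
                        else { Join-Path $env:SystemRoot "system32\$dll" }
            if (Test-Path $resolved) { 'ok' } else { "DLL NOT FOUND: $resolved" }
        }

        New-Object PSObject -Property @{
            Package = $_.PSChildName
            DllName = $dll
            Status  = $status
        }
    }
}

# Run from an elevated prompt so every subkey is readable.
Get-WinlogonNotifyReport | Format-Table Package, DllName, Status -AutoSize
```

In the log above this would report `!SASWinLogon` as ok (its SASWINLO.dll exists) and `tt` as an empty key, which is the entry the reply deletes.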