PDA

View Full Version : Another VirtuMonde Victim, Please Help


gordard22
2007-11-02, 23:36
Thanks for looking/helping. I've used AdAware, Spybot S&D, and McAfee Antivirus. I've also already run VundoFix, but Spybot still reports VirtuMonde. I've run Hijack This, then renamed it and re-ran. The newer version is below, and the only additional items were the BHO's, none of which showed on the original run. Kaspersky log available, made initial post too big.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:33 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Gateway\GWCares\GWCares.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Western Digital Technologies\NetCenter EasyLink\WDEzLink.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Trend Micro\HijackThis\frank.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)
O2 - BHO: (no name) - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\oberontb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: {0d3777a3-b47d-666b-88b4-7efb70ea234b} - {b432ae07-bfe7-4b88-b666-d74b3a7773d0} - C:\WINDOWS\system32\nsmglpjc.dll
O2 - BHO: (no name) - {BF1DE168-C99A-4352-8307-EECC7A963C53} - C:\WINDOWS\system32\ddabx.dll
O2 - BHO: (no name) - {F8706C6D-228F-40DA-981F-BB5F7AE84D85} - C:\WINDOWS\system32\btcs.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\oberontb.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [WD NetCenter EasyLink] C:\Program Files\Western Digital Technologies\NetCenter EasyLink\WDEzLink.exe -s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [fcdbb7a7] rundll32.exe "C:\WINDOWS\system32\uccxyckj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll
O9 - Extra 'Tools' menuitem: GamesBar - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O24 - Desktop Component 0: Ink Desktop - {80E95280-2D38-3CB8-A215-FB5F14C4343E}

--
End of file - 13367 bytes
steamwiz
2007-11-03, 00:10
Hi

please post the C:\vundofix.txt log file ...

THEN ...

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!

* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

THEN ...

Please download Combofix: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Please remember to post :-


1. SUPERAntiSpyware Scan Log
2. C:\ComboFix.txt
3. a new hijackthis log.( run after everything else)

steam
gordard22
2007-11-03, 00:26
VundoFix V6.5.0

Checking Java version...

Scan started at 4:10:10 PM 6/13/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.11

Checking Java version...

Scan started at 4:58:45 PM 11/1/2007

Listing files found while scanning....

C:\WINDOWS\system32\byxywxy.dll
C:\windows\system32\ctvsfojo.ini
C:\windows\system32\fpvwkgrt.ini
C:\WINDOWS\system32\oepikufn.dll
C:\windows\system32\ojofsvtc.dll
C:\windows\system32\trgkwvpf.dll
C:\windows\system32\ummkxddx.dll
C:\windows\system32\wffirxia.dll
C:\windows\system32\wyowtslx.dll
C:\windows\system32\xddxkmmu.ini
C:\windows\system32\xlstwoyw.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\byxywxy.dll
C:\WINDOWS\system32\byxywxy.dll Could not be deleted.

Attempting to delete C:\windows\system32\ctvsfojo.ini
C:\windows\system32\ctvsfojo.ini Has been deleted!

Attempting to delete C:\windows\system32\fpvwkgrt.ini
C:\windows\system32\fpvwkgrt.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\oepikufn.dll
C:\WINDOWS\system32\oepikufn.dll Has been deleted!

Attempting to delete C:\windows\system32\ojofsvtc.dll
C:\windows\system32\ojofsvtc.dll Has been deleted!

Attempting to delete C:\windows\system32\trgkwvpf.dll
C:\windows\system32\trgkwvpf.dll Has been deleted!

Attempting to delete C:\windows\system32\ummkxddx.dll
C:\windows\system32\ummkxddx.dll Has been deleted!

Attempting to delete C:\windows\system32\wffirxia.dll
C:\windows\system32\wffirxia.dll Has been deleted!

Attempting to delete C:\windows\system32\wyowtslx.dll
C:\windows\system32\wyowtslx.dll Has been deleted!

Attempting to delete C:\windows\system32\xddxkmmu.ini
C:\windows\system32\xddxkmmu.ini Has been deleted!

Attempting to delete C:\windows\system32\xlstwoyw.ini
C:\windows\system32\xlstwoyw.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\byxywxy.dll
C:\WINDOWS\system32\byxywxy.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Scan started at 10:28:17 PM 11/1/2007

Listing files found while scanning....

No infected files were found.
steamwiz
2007-11-03, 00:49
Hi

Thank you ... I await your other logs :)

steam
gordard22
2007-11-03, 02:44
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/02/2007 at 06:22 PM

Application Version : 3.9.1008

Core Rules Database Version : 3336
Trace Rules Database Version: 1337

Scan type : Complete Scan
Total Scan Time : 01:45:29

Memory items scanned : 638
Memory threats detected : 3
Registry items scanned : 6799
Registry threats detected : 4
File items scanned : 96475
File threats detected : 394

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\DDABX.DLL
C:\WINDOWS\SYSTEM32\DDABX.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF1DE168-C99A-4352-8307-EECC7A963C53}
HKCR\CLSID\{BF1DE168-C99A-4352-8307-EECC7A963C53}
HKCR\CLSID\{BF1DE168-C99A-4352-8307-EECC7A963C53}\InprocServer32
HKCR\CLSID\{BF1DE168-C99A-4352-8307-EECC7A963C53}\InprocServer32#ThreadingModel

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\YQMEINPM.DLL
C:\WINDOWS\SYSTEM32\YQMEINPM.DLL
C:\WINDOWS\SYSTEM32\NSMGLPJC.DLL
C:\WINDOWS\SYSTEM32\NSMGLPJC.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[6].txt
C:\Documents and Settings\Administrator\Cookies\administrator@clickbank[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[34].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tagiq.clickforensics[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@enhance[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@angleinteractive.directtrack[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[6].txt
C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[5].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.levelclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@findwhat[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-pcsecurityshield.hitbox[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[4].txt
C:\Documents and Settings\Administrator\Cookies\administrator@goclick[4].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adredired[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.admedia365[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sexbuddies[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[66].txt
C:\Documents and Settings\Administrator\Cookies\administrator@directtrack[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@247realmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@3.adbrite[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.afy11[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.xplusone[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adinterax[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adlegend[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adprofile[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adprofile[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adprofile[4].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adprofile[5].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adprofile[6].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adprofile[7].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adprofile[8].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adprofile[9].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[5].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.adbrite[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.addynamix[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.expedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.monster[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[5].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.realtechnetwork[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.traderonline[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adultfriendfinder[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adultfriendfinder[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adv.webmd[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@anad.tacoda[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@anad.tacoda[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@anat.tacoda[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@anat.tacoda[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[4].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[5].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atwola[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@azjmp[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@azoogleads[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bizrate[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@buycom.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@cbs.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@classifiedventures1.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@clickbank[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@clicks.emarketmakers[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@counter.hitslink[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@da-tracking[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@dealtime[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@drivecleaner[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@drivecleaner[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfk4enazclp.stats.esomniture[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6whl4qmajkco.stats.esomniture[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjkowgcpmfo.stats.esomniture[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjny-1ldpwe.stats.esomniture[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ecnext.advertserve[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-bestbuy.hitbox[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[10].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[11].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[12].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[13].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[14].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[15].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[16].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[17].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[18].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[19].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[20].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[21].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[22].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[23].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[24].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[25].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[26].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[27].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[28].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[29].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[30].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[31].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[32].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[33].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[4].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[5].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[6].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[7].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[8].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-kasperskylab.hitbox[9].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-netquote.hitbox[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-olympus.hitbox[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-skybus.hitbox[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-traderpublishing.hitbox[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-usg.hitbox[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@emarketmakers[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@enhance[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@enhance[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[4].txt
C:\Documents and Settings\Administrator\Cookies\administrator@findwhat[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@findwhat[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@goclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@goclick[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@h.starware[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@h.starware[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[10].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[11].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[12].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[13].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[14].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[15].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[16].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[17].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[18].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[19].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[20].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[21].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[22].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[23].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[24].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[25].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[26].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[27].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[28].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[29].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[30].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[31].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[32].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[33].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[34].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[35].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[36].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[37].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[38].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[39].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[40].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[41].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[42].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[43].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[44].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[45].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[46].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[47].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[48].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[49].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[4].txt
C:\Documents and
gordard22
2007-11-03, 02:45
Settings\Administrator\Cookies\administrator@hitbox[50].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[51].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[52].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[53].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[54].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[55].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[56].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[57].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[58].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[59].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[5].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[60].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[61].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[62].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[63].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[64].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[65].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[6].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[7].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[8].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[9].txt
C:\Documents and Settings\Administrator\Cookies\administrator@homestore.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@interclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@interclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@lifemedmedia.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@linkstattrack[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@linksynergy[10].txt
C:\Documents and Settings\Administrator\Cookies\administrator@linksynergy[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@linksynergy[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@linksynergy[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@linksynergy[4].txt
C:\Documents and Settings\Administrator\Cookies\administrator@linksynergy[5].txt
C:\Documents and Settings\Administrator\Cookies\administrator@linksynergy[6].txt
C:\Documents and Settings\Administrator\Cookies\administrator@linksynergy[7].txt
C:\Documents and Settings\Administrator\Cookies\administrator@linksynergy[8].txt
C:\Documents and Settings\Administrator\Cookies\administrator@login.tracking101[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@login.tracking101[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@login.tracking101[4].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media.adrevolver[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media.wii.ign[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media303[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media303[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media303[4].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media303[5].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media303[6].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media303[8].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media303[9].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@nextag[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@nintendo.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@overture[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@overture[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@paypal.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@pch.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@perf.overture[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@popularscreensavers[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@pro-market[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@redorbit[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@richmedia.yahoo[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sexbuddies[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@shopping.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[4].txt
C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[5].txt
C:\Documents and Settings\Administrator\Cookies\administrator@stat.dealtime[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@stat.dealtime[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@stats.drivecleaner[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@stats1.reliablestats[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[4].txt
C:\Documents and Settings\Administrator\Cookies\administrator@toseeka[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tqstats[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@traffic.buyservices[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tremor.adbureau[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tremor.adbureau[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[4].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[5].txt
C:\Documents and Settings\Administrator\Cookies\administrator@try.starware[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ulta.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@webstats[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@winantivirus[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@winantivirus[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.admedia365[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstnet[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.clickmanage[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.clicksmart[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.drivecleaner[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.stopzilla[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.winantispyware[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.winantiviruspro[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@zedo[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@zedo[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@zedo[4].txt
C:\Documents and Settings\carri\Cookies\carri@2o7[2].txt
C:\Documents and Settings\carri\Cookies\carri@ad.yieldmanager[1].txt
C:\Documents and Settings\carri\Cookies\carri@admarketplace[2].txt
C:\Documents and Settings\carri\Cookies\carri@adopt.specificclick[2].txt
C:\Documents and Settings\carri\Cookies\carri@adrevolver[2].txt
C:\Documents and Settings\carri\Cookies\carri@adrevolver[3].txt
C:\Documents and Settings\carri\Cookies\carri@ads.as4x.tmcs[2].txt
C:\Documents and Settings\carri\Cookies\carri@ads.monster[1].txt
C:\Documents and Settings\carri\Cookies\carri@ads.pointroll[1].txt
C:\Documents and Settings\carri\Cookies\carri@adtech[2].txt
C:\Documents and Settings\carri\Cookies\carri@advertising[1].txt
C:\Documents and Settings\carri\Cookies\carri@anad.tacoda[1].txt
C:\Documents and Settings\carri\Cookies\carri@apmebf[1].txt
C:\Documents and Settings\carri\Cookies\carri@as-us.falkag[1].txt
C:\Documents and Settings\carri\Cookies\carri@as.casalemedia[1].txt
C:\Documents and Settings\carri\Cookies\carri@atdmt[2].txt
C:\Documents and Settings\carri\Cookies\carri@atwola[1].txt
C:\Documents and Settings\carri\Cookies\carri@banner[1].txt
C:\Documents and Settings\carri\Cookies\carri@belnk[1].txt
C:\Documents and Settings\carri\Cookies\carri@bluestreak[1].txt
C:\Documents and Settings\carri\Cookies\carri@bookspan.122.2o7[1].txt
C:\Documents and Settings\carri\Cookies\carri@burstnet[2].txt
C:\Documents and Settings\carri\Cookies\carri@casalemedia[2].txt
C:\Documents and Settings\carri\Cookies\carri@cbs.112.2o7[1].txt
C:\Documents and Settings\carri\Cookies\carri@charmingshoppes.112.2o7[1].txt
C:\Documents and Settings\carri\Cookies\carri@chicagosuntimes.122.2o7[1].txt
C:\Documents and Settings\carri\Cookies\carri@clickbank[1].txt
C:\Documents and Settings\carri\Cookies\carri@data1.perf.overture[1].txt
C:\Documents and Settings\carri\Cookies\carri@data2.perf.overture[1].txt
C:\Documents and Settings\carri\Cookies\carri@dcsabnadxxhoz2k7tv4kd1033_4r7d[1].txt
C:\Documents and Settings\carri\Cookies\carri@dist.belnk[2].txt
C:\Documents and Settings\carri\Cookies\carri@doubleclick[1].txt
C:\Documents and Settings\carri\Cookies\carri@e-2dj6wjlokgc5ilq.stats.esomniture[2].txt
C:\Documents and Settings\carri\Cookies\carri@e-2dj6wjny-1gd5sk.stats.esomniture[2].txt
C:\Documents and Settings\carri\Cookies\carri@edge.ru4[2].txt
C:\Documents and Settings\carri\Cookies\carri@ehg-comcast.hitbox[1].txt
C:\Documents and Settings\carri\Cookies\carri@ehg-designreactor.hitbox[2].txt
C:\Documents and Settings\carri\Cookies\carri@ehg-dig.hitbox[2].txt
C:\Documents and Settings\carri\Cookies\carri@ehg-globalgamingleague.hitbox[2].txt
C:\Documents and Settings\carri\Cookies\carri@ehg-hawaiianairlines.hitbox[1].txt
C:\Documents and Settings\carri\Cookies\carri@ehg-hollywood.hitbox[1].txt
C:\Documents and Settings\carri\Cookies\carri@ehg-tigerdirect2.hitbox[2].txt
C:\Documents and Settings\carri\Cookies\carri@ehg-viacom.hitbox[1].txt
C:\Documents and Settings\carri\Cookies\carri@ehg-wacomtechnology.hitbox[1].txt
C:\Documents and Settings\carri\Cookies\carri@evite.112.2o7[1].txt
C:\Documents and Settings\carri\Cookies\carri@fastclick[1].txt
C:\Documents and Settings\carri\Cookies\carri@fortunecity[1].txt
C:\Documents and Settings\carri\Cookies\carri@h.starware[1].txt
C:\Documents and Settings\carri\Cookies\carri@hitbox[2].txt
C:\Documents and Settings\carri\Cookies\carri@hypertracker[2].txt
C:\Documents and Settings\carri\Cookies\carri@kanoodle[2].txt
C:\Documents and Settings\carri\Cookies\carri@laptopmag.122.2o7[1].txt
C:\Documents and Settings\carri\Cookies\carri@lenovo.112.2o7[1].txt
C:\Documents and Settings\carri\Cookies\carri@linksynergy[1].txt
C:\Documents and Settings\carri\Cookies\carri@maxis.112.2o7[1].txt
C:\Documents and Settings\carri\Cookies\carri@maxserving[1].txt
C:\Documents and Settings\carri\Cookies\carri@media.adrevolver[2].txt
C:\Documents and Settings\carri\Cookies\carri@mediaplex[2].txt
C:\Documents and Settings\carri\Cookies\carri@microsofteup.112.2o7[1].txt
C:\Documents and Settings\carri\Cookies\carri@msnportal.112.2o7[1].txt
C:\Documents and Settings\carri\Cookies\carri@mywebsearch[2].txt
C:\Documents and Settings\carri\Cookies\carri@nbads[2].txt
C:\Documents and Settings\carri\Cookies\carri@network.realmedia[2].txt
C:\Documents and Settings\carri\Cookies\carri@nextag[2].txt
C:\Documents and Settings\carri\Cookies\carri@optimost[1].txt
C:\Documents and Settings\carri\Cookies\carri@overture[1].txt
C:\Documents and Settings\carri\Cookies\carri@partner2profit[2].txt
C:\Documents and Settings\carri\Cookies\carri@perf.overture[1].txt
C:\Documents and Settings\carri\Cookies\carri@questionmarket[1].txt
C:\Documents and Settings\carri\Cookies\carri@realmedia[1].txt
C:\Documents and Settings\carri\Cookies\carri@revenue[2].txt
C:\Documents and Settings\carri\Cookies\carri@revsci[1].txt
C:\Documents and Settings\carri\Cookies\carri@roiservice[1].txt
C:\Documents and Settings\carri\Cookies\carri@sales.liveperson[1].txt
C:\Documents and Settings\carri\Cookies\carri@serving-sys[2].txt
C:\Documents and Settings\carri\Cookies\carri@smileycentral[1].txt
C:\Documents and Settings\carri\Cookies\carri@stat.dealtime[2].txt
C:\Documents and Settings\carri\Cookies\carri@statcounter[2].txt
C:\Documents and Settings\carri\Cookies\carri@tacoda[2].txt
C:\Documents and Settings\carri\Cookies\carri@trafficmp[1].txt
C:\Documents and Settings\carri\Cookies\carri@tribalfusion[2].txt
C:\Documents and Settings\carri\Cookies\carri@try.starware[1].txt
C:\Documents and Settings\carri\Cookies\carri@www.burstbeacon[1].txt
C:\Documents and Settings\carri\Cookies\carri@www.burstnet[1].txt
C:\Documents and Settings\carri\Cookies\carri@www.macromedia[1].txt
C:\Documents and Settings\carri\Cookies\carri@www.oberon-media[2].txt
C:\Documents and Settings\carri\Cookies\carri@z1.adserver[1].txt
C:\Documents and Settings\carri\Cookies\carri@zedo[1].txt

Adware.eZula
C:\WINDOWS\SYSTEM32\AHEFXNMO.EXE
C:\WINDOWS\SYSTEM32\KPTCQATO.EXE
C:\WINDOWS\SYSTEM32\RMVLBQMY.EXE

Trojan.Downloader-Gen/HitItQuitIt
C:\WINDOWS\SYSTEM32\OPNMKLJ.DLL


**Comment** Getting ready to run combofix.....
gordard22
2007-11-03, 02:59
ComboFix 07-11-02.3 - Administrator 2007-11-02 18:50:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.480 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\windows\cookies.ini
C:\windows\system32\btcs.dll
C:\WINDOWS\system32\cfhkj.bak1
C:\WINDOWS\system32\cfhkj.bak2
C:\WINDOWS\system32\cfhkj.ini
C:\WINDOWS\system32\cfhkj.ini2
C:\WINDOWS\system32\cfhkj.tmp
C:\windows\system32\drivers\iiqzdxmf.dat
C:\windows\system32\drivers\iiqzdxmf.sys
C:\windows\system32\drivers\ktocrvqk.dat
C:\windows\system32\drivers\ktocrvqk.sys
C:\windows\system32\lckeybue.dll
C:\windows\system32\uctbtsvn.dll
C:\windows\system32\vdniylfe.dll
C:\WINDOWS\system32\xbadd.bak1
C:\WINDOWS\system32\xbadd.bak2
C:\WINDOWS\system32\xbadd.ini
C:\windows\system32\xsfxfmya.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NPVMNGVZ
-------\npvmngvz


((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-02 18:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-02 16:32 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-02 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-02 16:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-11-02 12:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-02 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-02 08:33 86,080 --a------ C:\WINDOWS\system32\uccxyckj.dll
2007-11-01 22:43 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-01 10:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ForgottenRiddles
2007-10-29 07:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-10-29 07:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PlayFirst
2007-10-28 19:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gaijin Ent
2007-10-10 21:26 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-10 21:25 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-09 17:37 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-02 19:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\GamesBar
2007-11-01 19:07 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-01 17:55 --------- d-----w C:\Program Files\Comcast Play Games
2007-10-29 02:36 --------- d-----w C:\Program Files\GamesBar
2007-10-29 02:35 --------- d-----w C:\Program Files\Common Files\Oberon Media
2007-10-08 18:46 --------- d-----w C:\Program Files\McAfee
2006-10-06 05:46 0 ----a-w C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F282B65-56BF-4BD1-A8B2-A4449A05863D}]
2007-06-19 08:09 380928 --a------ C:\Program Files\GamesBar\oberontb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b432ae07-bfe7-4b88-b666-d74b3a7773d0}]
C:\WINDOWS\system32\nsmglpjc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6F282B65-56BF-4BD1-A8B2-A4449A05863D}"= C:\Program Files\GamesBar\oberontb.dll [2007-06-19 08:09 380928]

[HKEY_CLASSES_ROOT\CLSID\{6F282B65-56BF-4BD1-A8B2-A4449A05863D}]
[HKEY_CLASSES_ROOT\Oberontb.Band.1]
[HKEY_CLASSES_ROOT\TypeLib\{AD76633E-E50D-4844-9E7F-4DFBC7C18467}]
[HKEY_CLASSES_ROOT\Oberontb.Band]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="C:\WINDOWS\help\SplshWrp.exe" [2004-08-04 12:00]
"TabletTip"="C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" [2005-04-26 03:10]
"Snippet"="C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-25 20:20]
"Gateway Extended Warranty"="C:\Program Files\Gateway\GWCares\GWCares.exe" [2004-02-08 16:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 07:47]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 07:47]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 12:30]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 10:20 C:\WINDOWS\stsystra.exe]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-23 19:22]
"WD NetCenter EasyLink"="C:\Program Files\Western Digital Technologies\NetCenter EasyLink\WDEzLink.exe" [2005-06-08 11:26]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 14:54]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 01:38]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 01:32]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-10-06 13:11]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-10-06 13:13]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-10-06 13:10]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" []
"fcdbb7a7"="C:\WINDOWS\system32\uccxyckj.dll" [2007-11-02 08:33]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 12:00]
"Power2GoExpress"="NA" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 20:21]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"TabletWizard"=%windir%\help\wizard.hta

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-03-17 14:06:14]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll 2004-08-04 12:00 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
TabBtnWL.dll 2002-08-29 10:41 11776 C:\WINDOWS\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
tpgwlnot.dll 2004-08-04 12:00 30208 C:\WINDOWS\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R3 FinePnt;FinePoint Innovations HID Driver;C:\windows\system32\DRIVERS\FpHidDrv.sys
R3 MSTabBtn;Quanta Computer Tablet PC Buttons HID Driver;C:\windows\system32\DRIVERS\MSTabBtn.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-10-10 02:12:02 C:\windows\Tasks\AppleSoftwareUpdate.job"
"2007-05-15 09:06:23 C:\windows\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-01-30 05:50:07 C:\windows\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 18:55:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-02 18:58:23 - machine was rebooted
.
--- E O F ---
gordard22
2007-11-03, 03:03
And, at long last, the last HiJack This log....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:40 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\windows\SYSTEM32\WISPTIS.EXE
C:\windows\System32\tabbtnu.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Gateway\GWCares\GWCares.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\windows\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Western Digital Technologies\NetCenter EasyLink\WDEzLink.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Trend Micro\HijackThis\frank.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)
O2 - BHO: (no name) - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\oberontb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: {0d3777a3-b47d-666b-88b4-7efb70ea234b} - {b432ae07-bfe7-4b88-b666-d74b3a7773d0} - C:\WINDOWS\system32\nsmglpjc.dll (file missing)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\oberontb.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [WD NetCenter EasyLink] C:\Program Files\Western Digital Technologies\NetCenter EasyLink\WDEzLink.exe -s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [fcdbb7a7] rundll32.exe "C:\WINDOWS\system32\uccxyckj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll
O9 - Extra 'Tools' menuitem: GamesBar - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O24 - Desktop Component 0: Ink Desktop - {80E95280-2D38-3CB8-A215-FB5F14C4343E}

--
End of file - 13530 bytes
steamwiz
2007-11-04, 00:38
Hi

Disconnect from the internet Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-

O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)
O2 - BHO: (no name) - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)

O2 - BHO: {0d3777a3-b47d-666b-88b4-7efb70ea234b} - {b432ae07-bfe7-4b88-b666-d74b3a7773d0} - C:\WINDOWS\system32\nsmglpjc.dll (file missing)

O4 - HKLM\..\Run: [fcdbb7a7] rundll32.exe "C:\WINDOWS\system32\uccxyckj.dll",b

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -


Then...

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\WINDOWS\system32\uccxyckj.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b432ae07-bfe7-4b88-b666-d74b3a7773d0}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]



Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam
gordard22
2007-11-04, 02:03
ComboFix 07-11-02.3 - Administrator 2007-11-03 17:50:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.370 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\uccxyckj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\uccxyckj.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
.

2007-11-02 20:00 <DIR> d-------- C:\WINDOWS\Sun
2007-11-02 19:53 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-02 18:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-02 16:32 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-02 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-02 16:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-11-02 12:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-02 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-01 22:43 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-01 10:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ForgottenRiddles
2007-10-29 07:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-10-29 07:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PlayFirst
2007-10-28 19:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gaijin Ent
2007-10-10 21:26 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-10 21:25 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-09 17:37 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 23:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-03 20:23 --------- d-----w C:\Program Files\Pure Networks
2007-11-03 20:17 --------- d-----w C:\Program Files\Comcast Play Games
2007-11-03 20:10 --------- d-----w C:\Program Files\GamesBar
2007-11-03 20:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\GamesBar
2007-11-03 20:09 --------- d-----w C:\Program Files\Common Files\Oberon Media
2007-11-03 19:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-03 02:54 --------- d-----w C:\Program Files\Java
2007-10-08 18:46 --------- d-----w C:\Program Files\McAfee
2006-10-06 05:46 0 ----a-w C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2007-11-02_18.57.45.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-09-29 14:08:25 24,670 ----a-w C:\windows\system32\java.exe
+ 2007-09-25 05:30:28 135,168 ----a-w C:\windows\system32\java.exe
- 2006-09-29 14:08:25 28,768 ----a-w C:\windows\system32\javaw.exe
+ 2007-09-25 05:30:30 135,168 ----a-w C:\windows\system32\javaw.exe
+ 2007-09-25 06:31:42 139,264 ----a-w C:\windows\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="C:\WINDOWS\help\SplshWrp.exe" [2004-08-04 12:00]
"TabletTip"="C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" [2005-04-26 03:10]
"Snippet"="C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-25 20:20]
"Gateway Extended Warranty"="C:\Program Files\Gateway\GWCares\GWCares.exe" [2004-02-08 16:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 07:47]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 07:47]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 12:30]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 10:20 C:\WINDOWS\stsystra.exe]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-23 19:22]
"WD NetCenter EasyLink"="C:\Program Files\Western Digital Technologies\NetCenter EasyLink\WDEzLink.exe" [2005-06-08 11:26]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 14:54]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 01:38]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 01:32]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-10-06 13:11]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-10-06 13:13]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-10-06 13:10]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 12:00]
"Power2GoExpress"="NA" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 20:21]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"TabletWizard"=%windir%\help\wizard.hta

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-03-17 14:06:14]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll 2004-08-04 12:00 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
TabBtnWL.dll 2002-08-29 10:41 11776 C:\WINDOWS\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R3 FinePnt;FinePoint Innovations HID Driver;C:\windows\system32\DRIVERS\FpHidDrv.sys
R3 MSTabBtn;Quanta Computer Tablet PC Buttons HID Driver;C:\windows\system32\DRIVERS\MSTabBtn.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-10-10 02:12:02 C:\windows\Tasks\AppleSoftwareUpdate.job"
"2007-05-15 09:06:23 C:\windows\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-01-30 05:50:07 C:\windows\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 17:55:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-03 17:57:47 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-02 18:58
.
--- E O F ---
gordard22
2007-11-04, 02:06
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:02:59 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\windows\SYSTEM32\WISPTIS.EXE
C:\windows\System32\tabbtnu.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Gateway\GWCares\GWCares.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\windows\stsystra.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Western Digital Technologies\NetCenter EasyLink\WDEzLink.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\windows\system32\wuauclt.exe
C:\windows\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\frank.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [WD NetCenter EasyLink] C:\Program Files\Western Digital Technologies\NetCenter EasyLink\WDEzLink.exe -s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O24 - Desktop Component 0: Ink Desktop - {80E95280-2D38-3CB8-A215-FB5F14C4343E}

--
End of file - 13104 bytes


While I was waiting, I removed older versions of JAVA and Spybot S&D, along with several programs that were no longer being used. This may have resulted in some changes to the HJT log, but all entries you pointed out were still there. Am I clean? Kind of?

Thanks again for what you people do!
steamwiz
2007-11-04, 20:56
Hi



While I was waiting, I removed older versions of JAVA and Spybot S&D, along with several programs that were no longer being used. This may have resulted in some changes to the HJT log, but all entries you pointed out were still there. Am I clean? Kind of?


All the entries I pointed out for removal are GONE ...

Your hijackthis log & Combofix logs are now clean ... so as far as I can tell you are clean (unless there is something you have to tell me)

I would suggest you run this though ...

Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

doubleclick the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URL's (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRU's (leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with it's work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

cheers

steam