Virtumonde, Security 7.1 toolbar, savethisinformation.com troubles



rosey911
2007-11-04, 03:54
I got into something nasty a few days ago and my browser was being redirected to savethisinformation.com and I had a Security 7.1 toolbar added up top. I have followed the procedures requested before posting, but my Kaspersky scan locked up three times so I couldn't get that log. I ran Spybot in safe mode and now it seems savethis is gone (maybe) but Virtumonde was still coming back after 4 Spybot tries. Here is my HJT log. Any help would be so appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:56 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\OdHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\jrfkhhva.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [39c8702f] rundll32.exe "C:\WINDOWS\system32\uywnwgkl.dll",b
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\Startup.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://my.lennar.com/inotes/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133627876228
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133627864900
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 10887 bytes

__RiP_ChAiN_
2007-11-04, 05:22
Hello rosey911,

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.


Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

rosey911
2007-11-04, 07:09
I am so sorry, I have been pulling my hair out trying to follow the instructions you gave me in the first post. I got the TeaTimer disabled, then went to get you the program log for HJT, and every single time I try, as soon as I do, the program closes: no log, no goodbye, nothing. So I tried the ComboFix and got equal trouble. I thought all was going well, then I get this:

Preparing log report

Do not run any programs until combofix has finished (I didn't touch a thing). Then this:

access is denied
access is denied
access is denied

SED: Couldn't flush STdout

Then that program shut down

The second time I tried I got :
please wait,
combo fix is preparing to run, then it shut down
I have tried to reboot the computer and try both of these again. I am just at a loss.

__RiP_ChAiN_
2007-11-04, 07:40
Hello rosey911 :)


I am so sorry, I have been pulling my hair out trying to follow the instructions you gave me in the first post. I got the TeaTimer disabled, then went to get you the program log for HJT, and every single time I try, as soon as I do, the program closes: no log, no goodbye, nothing. So I tried the ComboFix and got equal trouble. I thought all was going well, then I get this:

These things happen quite often, please try not to stress over this problem too much; I trust we'll be able to fix these problems one step at a time. If at any point during these fixes you are unsure about something, feel free to ask before performing it.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Boot into Safe Mode:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
5) Select your normal user account.

Now let's try running combofix again:

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Then reboot into normal Windows and let me know how it went.

rosey911
2007-11-04, 18:07
First, Rip-chain, I just want to say thank you in advance for the help you provide on this forum, not just to me but to others as well. Your time is very much appreciated.

Ok, I tried to run combofix in safe mode and here is what I got.

Please wait.
Combo fix is preparing to run.

Then another box pops up (an error box) that says:
(In header) Vfind.cfexe - application error

The exception Breakpoint
A breakpoint has been reached
(0x80000003) occurred in the application at location
07c839a95

Click OK to terminate the program
Click CANCEL to debug the program

Also tried to get you the HJT log under the add/remove programs manager and today the program is not shutting down but when I hit the save list, nothing happens. No log is created, nada.

__RiP_ChAiN_
2007-11-04, 19:47
Hello rosey911,

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

----------------------------- Part 2 ----------------------------

Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

rosey911
2007-11-05, 00:00
Rip chain,
Things are just not working out well on this end.

VundoFix - no infected files were found (which is a good thing I suppose)

DSS.exe has encountered a problem and will need to close (tried to run three times)

Don't know if it will help or do any good, but I got a new log from HJT and it is below

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:55, on 2007-11-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\OdHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [39c8702f] rundll32.exe "C:\WINDOWS\system32\uywnwgkl.dll",b
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\Startup.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://my.lennar.com/inotes/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133627876228
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133627864900
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 9781 bytes
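
The two HijackThis logs in this thread show the three kinds of entry a reviewer would single out: the R0/R1 search and start-page values that had been redirected to search.bearshare.com, the Security Toolbar O3 entry whose DLL is already missing, and the O4 Run value [39c8702f] that loads a random-named DLL from system32 through rundll32 (the first two are gone in the second log, the third is still there). The following Python script is an added example, not from the thread and not part of HijackThis or any tool named here: it flags those patterns in a log and reports which flagged entries disappeared between two scans. The sample lines are constructed excerpts copied from the two logs above; the host allowlist and the eight-letter DLL rule are assumptions made for the example, and the script deliberately leaves the ProxyOverride = 127.0.0.1 line alone, since a local bypass entry is a normal setting.

```python
"""Triage a HijackThis log and compare two scans (added example, not a tool from
the thread).  The sample lines are constructed excerpts copied from the two logs
rosey911 posted; the allowlist and heuristics are assumptions for the example."""
import re
from urllib.parse import urlparse

# Hosts a stock XP/IE7 install points its start and search pages at.  This is a
# constructed allowlist for the example; build your own from a known-clean machine.
KNOWN_GOOD_HOSTS = {"go.microsoft.com", "www.microsoft.com", "update.microsoft.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# rundll32 loading a DLL from system32 whose name is eight letters: the naming
# pattern of the Virtumonde DLLs in this thread (uywnwgkl.dll, jrfkhhva.dll).
# Heuristic only (assumption); rundll32 entries with short, meaningful names pass.
RANDOM_DLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?[a-z]:\\windows\\system32\\[a-z]{8}\.dll', re.IGNORECASE)
# Run value names that are eight hex digits, like [39c8702f] in the logs above.
HEX_NAME_RE = re.compile(r"\[[0-9a-f]{8}\]")

# Constructed excerpt of the first log (before VundoFix/ComboFix were run).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\jrfkhhva.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [39c8702f] rundll32.exe "C:\WINDOWS\system32\uywnwgkl.dll",b
"""

# Constructed excerpt of the second log: the bearshare and Security Toolbar
# entries are gone, the rundll32 loader is still present.
LOG_AFTER = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [39c8702f] rundll32.exe "C:\WINDOWS\system32\uywnwgkl.dll",b
"""


def triage(log_text):
    """Return (kind, reason, line) for each HijackThis entry worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the process list, blank lines
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and " = http" in body:
            # Only URL-valued R entries are checked; ProxyOverride is not a URL.
            host = urlparse(body.split(" = ", 1)[1]).hostname or ""
            if host not in KNOWN_GOOD_HOSTS:
                findings.append((kind, f"start/search page points at {host}", line))
        elif kind == "O3" and body.endswith("(file missing)"):
            findings.append((kind, "toolbar registered but its DLL is gone", line))
        elif kind == "O4" and RANDOM_DLL_RE.search(body):
            reason = "rundll32 loads a random-named DLL from system32"
            if HEX_NAME_RE.search(body):
                reason += "; Run value name is random hex too"
            findings.append((kind, reason, line))
    return findings


def compare(before, after):
    """Split the earlier findings into those gone from the later scan and those that persist."""
    after_lines = {line for _, _, line in after}
    return {
        "removed": [f for f in before if f[2] not in after_lines],
        "persisting": [f for f in before if f[2] in after_lines],
    }


if __name__ == "__main__":
    before, after = triage(LOG_BEFORE), triage(LOG_AFTER)
    for kind, reason, line in before:
        print(f"[{kind}] {reason}\n    {line}")
    result = compare(before, after)
    print(f"\n{len(result['removed'])} flagged entries gone, "
          f"{len(result['persisting'])} still present after the second scan:")
    for _, reason, line in result["persisting"]:
        print(f"    {line}\n      -> {reason}")
```

Run it as-is to see the triage of the two excerpts; for a real log, read the file and pass its text to triage() in place of the embedded strings. The allowlist and the eight-letter DLL rule are deliberately narrow: the script's job is to surface the entries that need a human look and to show what a cleanup step actually changed, not to decide on its own what to delete.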

rosey911
2007-11-06, 05:13
Rip Chain,
What a difference a day makes. I tried ComboFix today and it worked without a hitch; here is the log from it.

ComboFix 07-11-01.1** - Owner 2007-11-05 18:57:10.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.162 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Owner\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cwsykwyf.exe
C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\hhkmp.ini
C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\ijkmp.bak1
C:\WINDOWS\system32\ijkmp.ini
C:\WINDOWS\system32\ijllm.bak1
C:\WINDOWS\system32\ijllm.ini
C:\WINDOWS\system32\ilnmp.bak1
C:\WINDOWS\system32\ilnmp.bak2
C:\WINDOWS\system32\ilnmp.ini
C:\WINDOWS\system32\m2
C:\WINDOWS\system32\nlmiemkx.exe
C:\WINDOWS\system32\o1
C:\WINDOWS\system32\o1\c124wvr.exe
C:\WINDOWS\system32\oTt04e
C:\WINDOWS\system32\oTt04e\oTt04e1080.exe
C:\WINDOWS\system32\rqtss.bak1
C:\WINDOWS\system32\rqtss.bak2
C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\v4
C:\WINDOWS\system32\v4\caws83122.exe
C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-10-06 to 2007-11-06 )))))))))))))))))))))))))))))))
.

2007-11-05 16:38 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-05 07:39 83,008 --a------ C:\WINDOWS\system32\oidxmyqb.dll
2007-11-05 07:35 85,568 --a------ C:\WINDOWS\system32\qayvvbax.dll
2007-11-04 12:53 <DIR> d-------- C:\Deckard
2007-11-04 12:48 <DIR> d-------- C:\VundoFix Backups
2007-11-03 20:14 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 15:04 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-03 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-03 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-03 07:29 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-11-03 07:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2007-11-03 07:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-03 07:29 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-03 07:29 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-03 07:29 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-03 07:29 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-03 07:28 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-02 13:15 82,496 --a------ C:\WINDOWS\system32\mgxnsskp.dll
2007-11-01 21:43 9,264 --a------ C:\WINDOWS\system32\msqtvcap.dat
2007-11-01 21:39 <DIR> d-------- C:\WINDOWS\system32\aliedit
2007-11-01 21:39 <DIR> d-------- C:\Program Files\Alibaba
2007-10-31 19:06 <DIR> d-------- C:\Program Files\Windows Defender
2007-10-31 18:48 35,840 --a------ C:\WINDOWS\mrofinu1000137.exe
2007-10-31 17:54 269 --a------ C:\WINDOWS\system32\1551.bat
2007-10-31 17:53 32,256 --a------ C:\WINDOWS\system32\khfggfc.dll
2007-10-31 17:51 0 --a------ C:\WINDOWS\system32\taskkill.exe
2007-10-31 17:19 <DIR> d-------- C:\Program Files\PasswordTools
2007-10-30 17:57 <DIR> d-------- C:\WINDOWS\tmpDSM1
2007-10-23 16:46 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-10-17 13:48 <DIR> d-------- C:\Program Files\MySpace
2007-10-17 13:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2007-10-11 11:46 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-05 02:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-04 01:27 --------- d-----w C:\Program Files\Trend Micro
2007-11-01 05:53 --------- d-----w C:\Program Files\motive
2007-11-01 03:00 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-11-01 02:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-01 01:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-11-01 01:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-11-01 00:52 --------- d-----w C:\Program Files\Trial123FileConvert
2007-10-27 03:46 --------- d-----w C:\Program Files\Microsoft Games
2007-10-02 23:41 --------- d-----w C:\Program Files\Last Seconds Bidder
2007-10-02 17:00 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-01 16:42 --------- d-----w C:\Program Files\iTunes
2007-10-01 16:42 --------- d-----w C:\Program Files\iPod
2007-09-30 23:45 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-09-25 00:13 --------- d-----w C:\Program Files\ewido anti-malware
2007-09-25 00:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-09-24 22:31 --------- d-----w C:\Program Files\Common Files\xing shared
2007-09-24 22:31 --------- d-----w C:\Program Files\Common Files\Real
2007-09-24 21:38 --------- d-----w C:\Program Files\Kodak
2007-09-24 21:34 --------- d-----w C:\Program Files\HyperVRE
2007-09-24 21:33 --------- d-----w C:\Program Files\DivX
2007-09-24 21:31 --------- d-----w C:\Program Files\Article Distributor
2007-09-24 21:29 --------- d-----w C:\Program Files\Google
2007-09-24 21:23 --------- d-----w C:\Program Files\OpenOffice.org 2.0
2007-09-24 21:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2007-09-24 21:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-24 20:54 --------- d-----w C:\Program Files\Pure Networks
2007-09-24 20:54 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-24 20:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2007-09-20 23:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-20 23:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\dvdcss
2007-09-09 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-09 22:24 --------- d-----w C:\Program Files\QuickTime
2007-09-09 22:22 --------- d-----w C:\Program Files\Common Files\Apple
2007-09-09 22:22 --------- d-----w C:\Program Files\Apple Software Update
2007-09-09 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-09-01 18:23 24,192 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-09-01 18:23 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-01-21 18:30 557 ----a-w C:\Program Files\INSTALL.LOG
2005-09-14 16:24 33,280 ----a-w C:\Program Files\EndProcess.exe
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\UmFjaGVs\oAI3u3pP.vbs
.

((((((((((((((((((((((((((((( snapshot@2007-11-03_21.33.28.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-30 01:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-30 02:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-03-13 18:57:10 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2007-11-03 15:30:42 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-04 14:39:16 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-03 15:30:43 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-04 14:39:16 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-04-02 21:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-04-02 22:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25997E08-274A-4217-8F71-C89C754242C1}]
2007-10-31 17:53 32256 --a------ C:\WINDOWS\system32\khfggfc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F174EBF-59B4-4F17-9FFC-E2398BD28457}]
C:\WINDOWS\system32\pmnli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{790f562f-fd72-4f6f-b660-f3ec9325dcf1}]
2007-11-05 07:39 83008 --a------ C:\WINDOWS\system32\oidxmyqb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 07:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 07:59]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 01:46]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 15:26]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-24 14:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"39c8702f"="C:\WINDOWS\system32\qayvvbax.dll" [2007-11-05 07:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2004-06-15 22:22]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 06:43]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-06-02 20:23]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-12-04 21:07:15]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 20:37:56]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-21 06:36:06]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-09-24 13:29:10]
Wireless-B Notebook Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-B PCI Adapter\Startup.exe [2005-12-02 15:33:28]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{25997E08-274A-4217-8F71-C89C754242C1}"= C:\WINDOWS\system32\khfggfc.dll [2007-10-31 17:53 32256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jrfkhhva]
jrfkhhva.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfggfc]
khfggfc.dll 2007-10-31 17:53 32256 C:\WINDOWS\system32\khfggfc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\sstqr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup


R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys
S2 Ca533av;Polaroid Digital Cam Video;C:\WINDOWS\system32\Drivers\Ca533av.sys
S3 IPN2120;Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\EE2AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-05 17:18:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-06 01:47:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-02 22:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 19:07:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-05 19:09:19 - machine was rebooted
.
--- E O F ---

rosey911
2007-11-06, 05:15
I thought, what the heck, let me try the HJT uninstall list to see if I could get that log, and voila, it worked also, so here is that log as well.

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Acrobat 6.0.1 Professional - English, Français, Deutsch
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Reader 8.1.1
Age of Empires III
Age of Empires III - The Asian Dynasties Trial
Age of Empires III - The WarChiefs
AI RoboForm (All Users)
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression
ATI - Software Uninstall Utility
ATI Control Panel
ATI Decoder
ATI Display Driver
ATI HYDRAVISION
ATI Multimedia Center 9.01
ATI Remote Wonder 2.3
BCM V.92 56K Modem
Broadcom 440x 10/100 Integrated Controller
BroadJump Client Foundation
CivCity
Compaq FP7317 INF and ICM software
DAO
Dell ResourceCD
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVD-Cover Printmaster 1.2
DVDFab Decrypter 2.9.8.3
Empire Earth II
EPSON Print CD
EPSON Printer Software
GameShadow
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Intel(R) Extreme Graphics Driver
iTunes
J2SE Runtime Environment 5.0 Update 6
Kaspersky Online Scanner
Last Seconds Bidder
Lavasoft VX2 Cleaner
Microsoft .NET Framework 1.1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
mIRC
Morrowind
MSN Music Assistant
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Namo WebEditor 5
Nero 6 Ultra Edition
Nero Digital
Norton Security Scan
Odyssey Client
PartyPoker
PasswordTools
PeerGuardian 2.0
Polaroid Digital Cam
Pop-Up Stopper Free Edition
PowerDVD
QuickTime
RealPlayer
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
SimCity 4 Deluxe
SoundMAX
Spybot - Search & Destroy
Spyware Doctor 5.1
TES Construction Set
The Battle for Middle-earth (tm)
The Sims 2
TradeManager
Trial 1-2-3FileConvert
Turbo Lister 2
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VideoLAN VLC media player 0.8.4a
Viewpoint Media Player
Webshots Desktop
WinAVI VideoConverter
WinAVIVideoConverter
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
WinZip
Wireless-B PCI Adapter

rosey911
2007-11-06, 05:16
I was also able to get ComboFix to work properly today and I have a log for that also. I don't know what the deal was yesterday, but here is the ComboFix log.

ComboFix 07-11-01.1** - Owner 2007-11-05 18:57:10.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.162 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Owner\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cwsykwyf.exe
C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\hhkmp.ini
C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\ijkmp.bak1
C:\WINDOWS\system32\ijkmp.ini
C:\WINDOWS\system32\ijllm.bak1
C:\WINDOWS\system32\ijllm.ini
C:\WINDOWS\system32\ilnmp.bak1
C:\WINDOWS\system32\ilnmp.bak2
C:\WINDOWS\system32\ilnmp.ini
C:\WINDOWS\system32\m2
C:\WINDOWS\system32\nlmiemkx.exe
C:\WINDOWS\system32\o1
C:\WINDOWS\system32\o1\c124wvr.exe
C:\WINDOWS\system32\oTt04e
C:\WINDOWS\system32\oTt04e\oTt04e1080.exe
C:\WINDOWS\system32\rqtss.bak1
C:\WINDOWS\system32\rqtss.bak2
C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\v4
C:\WINDOWS\system32\v4\caws83122.exe
C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-10-06 to 2007-11-06 )))))))))))))))))))))))))))))))
.

2007-11-05 16:38 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-05 07:39 83,008 --a------ C:\WINDOWS\system32\oidxmyqb.dll
2007-11-05 07:35 85,568 --a------ C:\WINDOWS\system32\qayvvbax.dll
2007-11-04 12:53 <DIR> d-------- C:\Deckard
2007-11-04 12:48 <DIR> d-------- C:\VundoFix Backups
2007-11-03 20:14 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 15:04 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-03 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-03 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-03 07:29 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-11-03 07:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2007-11-03 07:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-03 07:29 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-03 07:29 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-03 07:29 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-03 07:29 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-03 07:28 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-02 13:15 82,496 --a------ C:\WINDOWS\system32\mgxnsskp.dll
2007-11-01 21:43 9,264 --a------ C:\WINDOWS\system32\msqtvcap.dat
2007-11-01 21:39 <DIR> d-------- C:\WINDOWS\system32\aliedit
2007-11-01 21:39 <DIR> d-------- C:\Program Files\Alibaba
2007-10-31 19:06 <DIR> d-------- C:\Program Files\Windows Defender
2007-10-31 18:48 35,840 --a------ C:\WINDOWS\mrofinu1000137.exe
2007-10-31 17:54 269 --a------ C:\WINDOWS\system32\1551.bat
2007-10-31 17:53 32,256 --a------ C:\WINDOWS\system32\khfggfc.dll
2007-10-31 17:51 0 --a------ C:\WINDOWS\system32\taskkill.exe
2007-10-31 17:19 <DIR> d-------- C:\Program Files\PasswordTools
2007-10-30 17:57 <DIR> d-------- C:\WINDOWS\tmpDSM1
2007-10-23 16:46 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-10-17 13:48 <DIR> d-------- C:\Program Files\MySpace
2007-10-17 13:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2007-10-11 11:46 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-05 02:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-04 01:27 --------- d-----w C:\Program Files\Trend Micro
2007-11-01 05:53 --------- d-----w C:\Program Files\motive
2007-11-01 03:00 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-11-01 02:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-01 01:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-11-01 01:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-11-01 00:52 --------- d-----w C:\Program Files\Trial123FileConvert
2007-10-27 03:46 --------- d-----w C:\Program Files\Microsoft Games
2007-10-02 23:41 --------- d-----w C:\Program Files\Last Seconds Bidder
2007-10-02 17:00 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-01 16:42 --------- d-----w C:\Program Files\iTunes
2007-10-01 16:42 --------- d-----w C:\Program Files\iPod
2007-09-30 23:45 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-09-25 00:13 --------- d-----w C:\Program Files\ewido anti-malware
2007-09-25 00:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-09-24 22:31 --------- d-----w C:\Program Files\Common Files\xing shared
2007-09-24 22:31 --------- d-----w C:\Program Files\Common Files\Real
2007-09-24 21:38 --------- d-----w C:\Program Files\Kodak
2007-09-24 21:34 --------- d-----w C:\Program Files\HyperVRE
2007-09-24 21:33 --------- d-----w C:\Program Files\DivX
2007-09-24 21:31 --------- d-----w C:\Program Files\Article Distributor
2007-09-24 21:29 --------- d-----w C:\Program Files\Google
2007-09-24 21:23 --------- d-----w C:\Program Files\OpenOffice.org 2.0
2007-09-24 21:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2007-09-24 21:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-24 20:54 --------- d-----w C:\Program Files\Pure Networks
2007-09-24 20:54 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-24 20:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2007-09-20 23:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-20 23:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\dvdcss
2007-09-09 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-09 22:24 --------- d-----w C:\Program Files\QuickTime
2007-09-09 22:22 --------- d-----w C:\Program Files\Common Files\Apple
2007-09-09 22:22 --------- d-----w C:\Program Files\Apple Software Update
2007-09-09 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-09-01 18:23 24,192 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-09-01 18:23 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-01-21 18:30 557 ----a-w C:\Program Files\INSTALL.LOG
2005-09-14 16:24 33,280 ----a-w C:\Program Files\EndProcess.exe
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\UmFjaGVs\oAI3u3pP.vbs
.

((((((((((((((((((((((((((((( snapshot@2007-11-03_21.33.28.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-30 01:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-30 02:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-03-13 18:57:10 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2007-11-03 15:30:42 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-04 14:39:16 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-03 15:30:43 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-04 14:39:16 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-04-02 21:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-04-02 22:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25997E08-274A-4217-8F71-C89C754242C1}]
2007-10-31 17:53 32256 --a------ C:\WINDOWS\system32\khfggfc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F174EBF-59B4-4F17-9FFC-E2398BD28457}]
C:\WINDOWS\system32\pmnli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{790f562f-fd72-4f6f-b660-f3ec9325dcf1}]
2007-11-05 07:39 83008 --a------ C:\WINDOWS\system32\oidxmyqb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 07:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 07:59]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 01:46]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 15:26]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-24 14:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"39c8702f"="C:\WINDOWS\system32\qayvvbax.dll" [2007-11-05 07:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2004-06-15 22:22]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 06:43]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-06-02 20:23]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-12-04 21:07:15]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 20:37:56]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-21 06:36:06]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-09-24 13:29:10]
Wireless-B Notebook Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-B PCI Adapter\Startup.exe [2005-12-02 15:33:28]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{25997E08-274A-4217-8F71-C89C754242C1}"= C:\WINDOWS\system32\khfggfc.dll [2007-10-31 17:53 32256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jrfkhhva]
jrfkhhva.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfggfc]
khfggfc.dll 2007-10-31 17:53 32256 C:\WINDOWS\system32\khfggfc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\sstqr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup


R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys
S2 Ca533av;Polaroid Digital Cam Video;C:\WINDOWS\system32\Drivers\Ca533av.sys
S3 IPN2120;Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\EE2AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-05 17:18:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-06 01:47:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-02 22:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 19:07:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-05 19:09:19 - machine was rebooted
.
--- E O F ---

rosey911
2007-11-06, 05:18
Sorry, didn't mean to post the combo log twice, my bad.

__RiP_ChAiN_
2007-11-06, 09:54
Hello rosey911,

Using Add Or Remove Programs, remove the following entries (if present). (To get into Add Or Remove Programs, press the START button > Control Panel > Add Or Remove Programs.)

Viewpoint Media Player

A. Please RUN HijackThis
Click the SCAN button to produce a log.


Place a check mark beside each one of the following items:

O4 - HKLM\..\Run: [39c8702f] rundll32.exe "C:\WINDOWS\system32\uywnwgkl.dll",b


Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


B. 1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:



File::
C:\WINDOWS\system32\mgxnsskp.dll
C:\WINDOWS\system32\msqtvcap.dat
C:\WINDOWS\mrofinu1000137.exe
C:\WINDOWS\system32\1551.bat
C:\WINDOWS\system32\khfggfc.dll
C:\WINDOWS\system32\uywnwgkl.dll

Folder::
C:\VundoFix Backups
C:\WINDOWS\system32\aliedit
C:\Program Files\Alibaba
C:\WINDOWS\tmpDSM1
C:\WINDOWS\UmFjaGVs

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif


5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
Combofix.txt
A new HijackThis log.
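
As an added example (written for this page, not code from the post above and not part of ComboFix or HijackThis): the two items the script targets are the classic Virtumonde/Vundo footprint. The O4 line launches a random-named DLL from system32 through rundll32 with a one-letter export, and the Registry:: section rewrites LSA "Authentication Packages" because Vundo appends its DLL to that REG_MULTI_SZ list so lsass.exe loads it at boot. The hex(7) bytes 6d,73,76,31,5f,30,00,00 decode to "msv1_0" followed by the list terminator, i.e. the stock value. The script below decodes that value from a .reg/CFScript block and flags any package other than msv1_0, and separately screens HJT O4 lines for the rundll32 pattern. The expected-package set, the infected variant of the registry value, and the "8 random letters in system32 plus one-letter export" heuristic are assumptions made for the example, not something the post states.

```python
import re
from typing import Dict, List

# --- Constructed samples (built for this example, not taken from the victim's logs) ---

# The Registry:: block from the CFScript above, in .reg syntax. hex(7) is REG_MULTI_SZ:
# NUL-separated strings ending in a second NUL; 6d,73,76,31,5f,30,00,00 = "msv1_0\0\0".
CLEAN_LSA_BLOCK = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
'''

# Hypothetical infected variant: the DLL name from the HJT O4 line appended as a second
# LSA authentication package, with a .reg continuation line ("\") to exercise the parser.
INFECTED_LSA_BLOCK = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,75,79,77,6e,77,67,6b,6c,\
  00,00
'''

# Assumption: a stock Windows XP install lists only msv1_0; anything else deserves a look.
EXPECTED_AUTH_PACKAGES = {"msv1_0"}
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"


def parse_reg_block(block: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg / CFScript Registry:: parser: {key: {value_name: raw_value}}."""
    block = re.sub(r"\\\r?\n\s*", "", block)   # join hex continuation lines
    keys, current = {}, None
    for line in block.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("-")      # "[-KEY]" in a CFScript deletes the key
            keys.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def parse_hex7(value: str) -> List[str]:
    """Decode a 'hex(7):aa,bb,...' REG_MULTI_SZ value into its list of strings."""
    m = re.match(r"hex\(7\):(.*)$", value.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not a hex(7) value: %r" % value)
    raw = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
    # REGEDIT4 and CFScript use one byte per character; "Version 5.00" exports are UTF-16LE.
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def unexpected_auth_packages(block: str) -> List[str]:
    """LSA authentication packages in a Registry:: block that are not on the expected list."""
    value = parse_reg_block(block).get(LSA_KEY, {}).get("Authentication Packages")
    if value is None:
        return []
    return [p for p in parse_hex7(value) if p.lower() not in EXPECTED_AUTH_PACKAGES]


# --- The HJT O4 line fixed above, plus a benign entry for contrast (constructed) ---
HJT_LINES = [
    r'O4 - HKLM\..\Run: [39c8702f] rundll32.exe "C:\WINDOWS\system32\uywnwgkl.dll",b',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
]

O4_RUNDLL32 = re.compile(
    r'^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] '
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)


def vundo_style_run_entries(lines: List[str]) -> List[str]:
    """DLL paths from O4 rundll32 entries matching the pattern seen in this thread
    (heuristic, an assumption of this example): an 8-letter DLL in system32 run via a
    one-letter export."""
    hits = []
    for line in lines:
        m = O4_RUNDLL32.match(line)
        if not m:
            continue
        dll = m.group("dll")
        base = dll.rsplit("\\", 1)[-1][:-4]
        in_system32 = "\\system32\\" in dll.lower()
        random_name = re.fullmatch(r"[a-z]{8}", base, re.IGNORECASE) is not None
        if in_system32 and random_name and len(m.group("export")) == 1:
            hits.append(dll)
    return hits


if __name__ == "__main__":
    print("clean LSA block, unexpected packages:", unexpected_auth_packages(CLEAN_LSA_BLOCK))
    print("infected LSA block, unexpected packages:", unexpected_auth_packages(INFECTED_LSA_BLOCK))
    print("Vundo-style O4 entries:", vundo_style_run_entries(HJT_LINES))
```

On a live XP box the same check is a `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Authentication Packages"` away; the point of writing "msv1_0" back in the CFScript is that deleting the DLL alone leaves lsass trying to load it at every boot, and a surviving copy under a new random name would be picked up again. The rundll32 heuristic is deliberately narrow: legitimate Run entries rarely combine a system32 DLL with no vowels-or-vendor name and a single-character export.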

rosey911
2007-11-06, 19:18
The ComboFix log is too long, so I am posting it in pieces.

ComboFix 07-11-01.1** - Owner 2007-11-06 8:35:07.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.96 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\mrofinu1000137.exe
C:\WINDOWS\system32\1551.bat
C:\WINDOWS\system32\khfggfc.dll
C:\WINDOWS\system32\mgxnsskp.dll
C:\WINDOWS\system32\msqtvcap.dat
C:\WINDOWS\system32\uywnwgkl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Owner\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\Program Files\Alibaba
C:\Program Files\Alibaba\TradeManager\Ad\1.gif
C:\Program Files\Alibaba\TradeManager\Ad\2.gif
C:\Program Files\Alibaba\TradeManager\Ad\Default.htm
C:\Program Files\Alibaba\TradeManager\Ad\NewUserHelp.htm
C:\Program Files\Alibaba\TradeManager\Alitalk_Update.exe
C:\Program Files\Alibaba\TradeManager\AliUpdateConfigFile.ini
C:\Program Files\Alibaba\TradeManager\AliViewerApi.dll
C:\Program Files\Alibaba\TradeManager\ATabControl2.ocx
C:\Program Files\Alibaba\TradeManager\Beginner\add_contact.gif
C:\Program Files\Alibaba\TradeManager\Beginner\Add_to_contact_list.gif
C:\Program Files\Alibaba\TradeManager\Beginner\Close.gif
C:\Program Files\Alibaba\TradeManager\Beginner\match_bg.jpg
C:\Program Files\Alibaba\TradeManager\Beginner\match_bottom_bg.jpg
C:\Program Files\Alibaba\TradeManager\Beginner\matching_01.html
C:\Program Files\Alibaba\TradeManager\CodingTable\BIG52GBK_S.bin
C:\Program Files\Alibaba\TradeManager\CodingTable\CodingTable.dll
C:\Program Files\Alibaba\TradeManager\CodingTable\GBK2BIG5.bin
C:\Program Files\Alibaba\TradeManager\Config.ini
C:\Program Files\Alibaba\TradeManager\config\IMHistory.htm
C:\Program Files\Alibaba\TradeManager\config\myt_swfw_ct_loading.gif
C:\Program Files\Alibaba\TradeManager\config\SearchContactConfig.ini
C:\Program Files\Alibaba\TradeManager\config\Signin.html
C:\Program Files\Alibaba\TradeManager\config\Signin_INTL_FREE.html
C:\Program Files\Alibaba\TradeManager\config\Signin_INTL_GS.html
C:\Program Files\Alibaba\TradeManager\config\Signin1.html
C:\Program Files\Alibaba\TradeManager\CrashDumper.exe
C:\Program Files\Alibaba\TradeManager\CrashDumper.ini
C:\Program Files\Alibaba\TradeManager\CSUpdateModule.dll
C:\Program Files\Alibaba\TradeManager\dbghelp.dll
C:\Program Files\Alibaba\TradeManager\DefaultPages\BizCard.html
C:\Program Files\Alibaba\TradeManager\DefaultPages\crm_add_pop.htm
C:\Program Files\Alibaba\TradeManager\DefaultPages\default.html
C:\Program Files\Alibaba\TradeManager\DefaultPages\myt_grey.gif
C:\Program Files\Alibaba\TradeManager\DefaultPages\myt_refresh.gif
C:\Program Files\Alibaba\TradeManager\DefaultPages\namecard_404.htm
C:\Program Files\Alibaba\TradeManager\DefaultPages\Product.html
C:\Program Files\Alibaba\TradeManager\DefaultPages\Recommend_Offer.html
C:\Program Files\Alibaba\TradeManager\DefaultPages\refresh.gif
C:\Program Files\Alibaba\TradeManager\DefaultPages\refresh_b.gif
C:\Program Files\Alibaba\TradeManager\DefaultPages\sqdy.html
C:\Program Files\Alibaba\TradeManager\DefaultPages\trust.gif
C:\Program Files\Alibaba\TradeManager\FileTransferLog.txt
C:\Program Files\Alibaba\TradeManager\Industry.db
C:\Program Files\Alibaba\TradeManager\INSTALL.LOG
C:\Program Files\Alibaba\TradeManager\Language.ini
C:\Program Files\Alibaba\TradeManager\MessageManager.dll
C:\Program Files\Alibaba\TradeManager\MessageNotify.dll
C:\Program Files\Alibaba\TradeManager\MultiMedia\AliViewCtrl.dll
C:\Program Files\Alibaba\TradeManager\MultiMedia\AliViewer.exe
C:\Program Files\Alibaba\TradeManager\MultiMedia\AliViewMedia.dll
C:\Program Files\Alibaba\TradeManager\MultiMedia\FileRequired.txt
C:\Program Files\Alibaba\TradeManager\MultiMedia\JsmQEdit.ax
C:\Program Files\Alibaba\TradeManager\MultiMedia\JsmRender.ax
C:\Program Files\Alibaba\TradeManager\MultiMedia\JsmShow.dll
C:\Program Files\Alibaba\TradeManager\MultiMedia\JsmSource.ax
C:\Program Files\Alibaba\TradeManager\MultiMedia\MMCfg.cfg
C:\Program Files\Alibaba\TradeManager\MultiMedia\VideoCap.dll
C:\Program Files\Alibaba\TradeManager\MultiMedia\VLAudio.dll
C:\Program Files\Alibaba\TradeManager\MultiMedia\VLNetwork.dll
C:\Program Files\Alibaba\TradeManager\MultiMedia\xvid.dll
C:\Program Files\Alibaba\TradeManager\MultiMedia\xvidcore.dll
C:\Program Files\Alibaba\TradeManager\MultiMedia\xvidDec.ax
C:\Program Files\Alibaba\TradeManager\pdupdate.ini
C:\Program Files\Alibaba\TradeManager\readme.txt
C:\Program Files\Alibaba\TradeManager\Remind.ini
C:\Program Files\Alibaba\TradeManager\riched20.dll
C:\Program Files\Alibaba\TradeManager\riched32.dll
C:\Program Files\Alibaba\TradeManager\skins\chat_dlg.ico
C:\Program Files\Alibaba\TradeManager\skins\default\add_cnt_center.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\add_contact_center.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\add_contact_invite.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\add_contact_left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\add_contact_logo.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\add_contact_right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\add_contact_seach.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\add_contact_top_left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\add_contact_top_mid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\add_contact_top_right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\add_im_cnt_center.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\add_im_cnt_image.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\add_im_cnt_left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\add_im_cnt_right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\adduser_bt_add.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\adduser_bt_cancel.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\adduser_bt_next.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\adduser_bt_previous.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\adduser_bt_search.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\adduser_bt_upgrade.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\adduser_tab_search1.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\adduser_tab_search2.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\alarm.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\arrow_left.gif
C:\Program Files\Alibaba\TradeManager\skins\default\arrow_right.gif
C:\Program Files\Alibaba\TradeManager\skins\default\Autoupdate_left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\beginner_setting.gif
C:\Program Files\Alibaba\TradeManager\skins\default\BottomBorder.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\BottomLeftCorner.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\BottomRightCorner.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\btn_contact_view_add_hover.ico
C:\Program Files\Alibaba\TradeManager\skins\default\btn_contact_view_add_normal.ico
C:\Program Files\Alibaba\TradeManager\skins\default\btn_contact_view_filter_hover.ico
C:\Program Files\Alibaba\TradeManager\skins\default\btn_contact_view_filter_normal.ico
C:\Program Files\Alibaba\TradeManager\skins\default\btn_contact_view_find.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\btn_contact_view_more.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\btn_logoned_mail.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\btn_logoned_nomail.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\btn_logoned_post_offer.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\btn_logoned_search.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\btn_logoned_sms.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_AddContact.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_Audio.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_BlockContact.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_Cancel.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_ChatIMS_More.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_DelUser.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_Emotion.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_Exit.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_Font.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_Font_Bold.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_Font_Color.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_Font_Emotion.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_Font_Itali.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_Font_Underline.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_HideInfo.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_InviteContact.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_Login.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_Logining_Cancel.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_MainFunPanel_AddContact.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_MainFunPanel_More.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_MainFunPanel_SearchContact.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_MainView_Search.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_Next.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_Ok.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_OmitUser.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_PrivateChat.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_RecentHistory.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_Recommend.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_ReLogin.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_Retry.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_SelfStatus.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_SendFile.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_SendIMS.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_ShortcutMsg.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_Stop.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_SuperTip_Close.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\But_Video.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\chat_capture_screen.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_Client_Separator.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_ClientBottom_Left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_ClientBottom_Mid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_ClientBottom_Right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_ClientBottom_Right2.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_ClientLeft.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_ClientRight.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_ClientRight2.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_ClientTop_Left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_ClientTop_Mid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_ClientTop_Right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_ContactLabel_Left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_ContactLabel_Mid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_ContactLabel_Right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_FormatBar_Left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_FormatBar_Mid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_FormatBar_Right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_Notify_Mid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIms_right_top_bg.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_Seperator_Bottom.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIms_seperator_top_bg.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_Tab_Server.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_Tab1.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_Tab2.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_ToolBarLeft.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_ToolBarMid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatIMS_ToolBarRight.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatMPC_FormatBar_Left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ChatMPC_RightBottom_BK.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\contact_detail_infor_bottom_left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\contact_detail_infor_bottom_mid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\contact_detail_infor_bottom_right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\contact_detail_infor_btn_cancel.bmp

rosey911
2007-11-06, 19:21
C:\Program Files\Alibaba\TradeManager\skins\default\contact_detail_infor_btn_confirm.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\contact_detail_infor_left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\contact_detail_infor_right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\contact_detail_infor_symbol.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\contact_detail_infor_tab_basic.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\contact_detail_infor_tab_company.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\contact_detail_infor_tab_others.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\contact_detail_infor_tab_personal.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\contact_detail_infor_top_left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\contact_detail_infor_top_mid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\contact_detail_infor_top_right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ContactList_Bk.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\contactlist_toolbar_left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\contactlist_toolbar_mid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\contactlist_toolbar_right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\CRM.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\drop_down_arrow_black.ico
C:\Program Files\Alibaba\TradeManager\skins\default\drop_down_arrow_white.ico
C:\Program Files\Alibaba\TradeManager\skins\default\emotions.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_Alert.gif
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_Camera.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_Club.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_Find.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_grp_close.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_grp_open.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_gs_away.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_gs_busy.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_gs_m_away.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_gs_m_black.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_gs_m_busy.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_gs_m_offline.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_gs_m_online.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_gs_offline.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_gs_online.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_helper.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_Mobile.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_Notice.gif
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_Remind.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_Right.gif
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_tpu_away.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_tpu_busy.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_tpu_m_away.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_tpu_m_black.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_tpu_m_busy.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_tpu_m_offline.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_tpu_m_online.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_tpu_offline.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_tpu_online.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_u_away.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_u_busy.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_u_m_away.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_u_m_black.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_u_m_busy.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_u_m_offline.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_u_m_online.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_u_offline.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Icon_u_online.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\InfoBarBack.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\infocard_fortune1.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\infocard_fortune2.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\infocard_fortune3.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\inforcard_bottom_left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\inforcard_bottom_mid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\inforcard_bottom_right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\inforcard_btn_close.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\inforcard_btn_edit_contact.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\inforcard_btn_email.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\inforcard_btn_mobile.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\inforcard_btn_modify_profile.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\inforcard_btn_sms.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\inforcard_btn_tel.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\inforcard_btn_use_fortune.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\inforcard_center.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\inforcard_left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\inforcard_right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\inforcard_top_left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\inforcard_top_mid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\inforcard_top_right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\join_in.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\join_in_arrow.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\LeftBorder.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\login_failed.gif
C:\Program Files\Alibaba\TradeManager\skins\default\Logo.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\logo_normal_away.ico
C:\Program Files\Alibaba\TradeManager\skins\default\logo_normal_busy.ico
C:\Program Files\Alibaba\TradeManager\skins\default\logo_normal_invisible.ico
C:\Program Files\Alibaba\TradeManager\skins\default\logo_normal_online.ico
C:\Program Files\Alibaba\TradeManager\skins\default\Logo_ToolBar.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\logo_tp_away.ico
C:\Program Files\Alibaba\TradeManager\skins\default\logo_tp_busy.ico
C:\Program Files\Alibaba\TradeManager\skins\default\logo_tp_invisible.ico
C:\Program Files\Alibaba\TradeManager\skins\default\logo_tp_online.ico
C:\Program Files\Alibaba\TradeManager\skins\default\Logoned_Bottom_Left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Logoned_Bottom_Left2.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Logoned_Bottom_Mid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Logoned_Bottom_Mid2.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Logoned_Bottom_Right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Logoned_Bottom_Right2.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\logoned_head_left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\logoned_head_left1.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\logoned_head_left2.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\logoned_head_mid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\logoned_head_mid1.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\logoned_head_mid2.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\logoned_head_right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\logoned_head_right1.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\logoned_head_right2.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Logoned_Left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Logoned_Right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Logoned_Top_Left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Logoned_Top_Mid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Logoned_Top_Right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\LogOuted.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\LogOuting.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\MainLogin_Bk.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\MainLogin_Logo.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\MainLogin_Register.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\MainLogining_Bk.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\MainLogining_Image.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\MainLogoffed_Bk.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\MainLogouting_Bk.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\MainView_ToolBar_Left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\MainView_ToolBar_Right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\mm_but_advsearch.gif
C:\Program Files\Alibaba\TradeManager\skins\default\mm_but_search.gif
C:\Program Files\Alibaba\TradeManager\skins\default\MN_bottom.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\MN_icon.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\MN_left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\MN_leftbottom.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\MN_lefttop.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\MN_mid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\MN_right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\MN_rightbottom.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\MN_righttop.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\MN_top.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\multichat_client_top_left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\multichat_client_top_mid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\multichat_client_top_right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\MyAlibabaMain.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\normal_contact.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\NotifyMain.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\offline_icon.gif
C:\Program Files\Alibaba\TradeManager\skins\default\online_icon.gif
C:\Program Files\Alibaba\TradeManager\skins\default\online_offline_bg.gif
C:\Program Files\Alibaba\TradeManager\skins\default\online_offline_bg2.gif
C:\Program Files\Alibaba\TradeManager\skins\default\PersonalManage.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\pop_arrow.gif
C:\Program Files\Alibaba\TradeManager\skins\default\pop_bg.gif
C:\Program Files\Alibaba\TradeManager\skins\default\pop_close.gif
C:\Program Files\Alibaba\TradeManager\skins\default\pop_close2.gif
C:\Program Files\Alibaba\TradeManager\skins\default\pop_close3.gif
C:\Program Files\Alibaba\TradeManager\skins\default\quit.gif
C:\Program Files\Alibaba\TradeManager\skins\default\refreshContactInfo.gif
C:\Program Files\Alibaba\TradeManager\skins\default\RightBorder.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\select.cur
C:\Program Files\Alibaba\TradeManager\skins\default\server_bottom_left.gif
C:\Program Files\Alibaba\TradeManager\skins\default\server_bottom_mid.gif
C:\Program Files\Alibaba\TradeManager\skins\default\server_bottom_right.gif
C:\Program Files\Alibaba\TradeManager\skins\default\server_tab_back.gif
C:\Program Files\Alibaba\TradeManager\skins\default\ServiceMain.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\ServiceTipItem1.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\SkinConfig.ini
C:\Program Files\Alibaba\TradeManager\skins\default\StatusBar_Size_Bk.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\StatusBar_Tile_Bk.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\SuperTip_Title_Left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\SuperTip_Title_Mid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\SuperTip_Title_Right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Tab1.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Tab1_mini.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Tab2.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Tab2_crm.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Tab3.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Tab3_mini.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\Tab4.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\TitlebarBk_Bottom.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\TitlebarBk_Bottom_Inactive.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\TitlebarBk_Top.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\TitlebarBk_Top_Inactive.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\universal_bottom_left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\universal_bottom_mid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\universal_bottom_right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\universal_center.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\universal_left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\universal_right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\universal_top_left.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\universal_top_mid.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\universal_top_right.bmp
C:\Program Files\Alibaba\TradeManager\skins\default\w_close.gif
C:\Program Files\Alibaba\TradeManager\skins\default\w_close_hover.gif
C:\Program Files\Alibaba\TradeManager\skins\default\w_close_pressed.gif
C:\Program Files\Alibaba\TradeManager\skins\default\w_max.gif
C:\Program Files\Alibaba\TradeManager\skins\default\w_max_hover.gif
C:\Program Files\Alibaba\TradeManager\skins\default\w_max_pressed.gif
C:\Program Files\Alibaba\TradeManager\skins\default\w_mini.gif
C:\Program Files\Alibaba\TradeManager\skins\default\w_mini_hover.gif
C:\Program Files\Alibaba\TradeManager\skins\default\w_mini_pressed.gif
C:\Program Files\Alibaba\TradeManager\skins\default\w_restore.gif
C:\Program Files\Alibaba\TradeManager\skins\default\w_restore_hover.gif
C:\Program Files\Alibaba\TradeManager\skins\default\w_restore_pressed.gif
C:\Program Files\Alibaba\TradeManager\skins\helper.ico
C:\Program Files\Alibaba\TradeManager\skins\Smileys\00.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\01.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\02.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\03.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\04.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\04.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\05.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\06.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\07.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\08.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\08.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\09.gif

rosey911
2007-11-06, 19:23
C:\Program Files\Alibaba\TradeManager\skins\Smileys\10.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\10.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\11.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\11.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\12.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\12.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\13.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\14.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\15.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\16.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\17.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\17.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\18.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\19.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\20.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\21.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\22.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\23.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\24.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\25.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\25.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\26.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\26.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\27.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\27.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\28.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\29.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\30.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\31.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\32.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\33.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\33.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\34.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\35.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\35.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\36.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\37.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\38.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\39.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\39.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\40.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\40.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\41.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\42.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\42.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\43.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\43.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\44.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\44.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\45.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\45.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\46.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\46.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\47.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\47.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\48.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\48.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\49.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\49.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\50.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\50.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\51.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\51.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\52.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\53.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\53.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\config.ini
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_00.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_01.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_02.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_03.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_04.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_05.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_06.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_07.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_08.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_09.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_10.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_11.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_12.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_13.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_14.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_15.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_16.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_17.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_18.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_19.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_20.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_21.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_22.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_23.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_24.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_25.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_26.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_27.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_28.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_29.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_30.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_31.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_32.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_33.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_34.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_35.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_36.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_37.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_38.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_39.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_40.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_41.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_42.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_43.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_44.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_45.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_46.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_47.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_48.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_49.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_50.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_51.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_52.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_53.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_54.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\old_55.gif
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_00.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_01.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_02.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_03.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_04.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_05.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_06.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_07.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_08.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_09.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_10.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_11.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_12.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_13.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_14.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_15.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_16.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_17.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_18.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_19.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_20.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_21.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_22.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_23.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_24.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_25.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_26.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_27.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_28.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_29.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_30.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_31.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_32.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_33.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_34.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_35.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_36.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_37.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_38.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_39.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_40.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_41.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_42.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_43.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_44.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_45.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_46.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_47.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_48.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_49.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_50.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_51.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_52.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_53.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_54.bmp
C:\Program Files\Alibaba\TradeManager\skins\Smileys\oldi_55.bmp
C:\Program Files\Alibaba\TradeManager\skins\Tray_away.ico
C:\Program Files\Alibaba\TradeManager\skins\Tray_busy.ico
C:\Program Files\Alibaba\TradeManager\skins\Tray_invisible.ico
C:\Program Files\Alibaba\TradeManager\skins\Tray_offline.ico
C:\Program Files\Alibaba\TradeManager\skins\Tray_online.ico
C:\Program Files\Alibaba\TradeManager\sound\alert0.WAV
C:\Program Files\Alibaba\TradeManager\sound\alert1.WAV
C:\Program Files\Alibaba\TradeManager\sound\alert2.WAV
C:\Program Files\Alibaba\TradeManager\sound\Dang.WAV
C:\Program Files\Alibaba\TradeManager\sound\Offline.wav
C:\Program Files\Alibaba\TradeManager\sound\Online.wav
C:\Program Files\Alibaba\TradeManager\sound\Sent.wav
C:\Program Files\Alibaba\TradeManager\SysIdle.dll
C:\Program Files\Alibaba\TradeManager\TradeManager.exe
C:\Program Files\Alibaba\TradeManager\TradeManager_Check.dll
C:\Program Files\Alibaba\TradeManager\TransDB.exe
C:\Program Files\Alibaba\TradeManager\Unwise.exe
C:\Program Files\Alibaba\TradeManager\URLConfig.ini
C:\Program Files\Alibaba\TradeManager\users\enaliintrosey911\CacheDB.db
C:\Program Files\Alibaba\TradeManager\users\enaliintrosey911\Config.bak
C:\Program Files\Alibaba\TradeManager\users\enaliintrosey911\Config.db
C:\Program Files\Alibaba\TradeManager\users\enaliintrosey911\msglog.bak
C:\Program Files\Alibaba\TradeManager\users\enaliintrosey911\msglog.db
C:\Program Files\Alibaba\TradeManager\users\system\Config.db
C:\Program Files\Alibaba\TradeManager\Zone.db
C:\VundoFix Backups
C:\WINDOWS\mrofinu1000137.exe
C:\WINDOWS\system32\1551.bat
C:\WINDOWS\system32\aliedit
C:\WINDOWS\system32\aliedit\aliedit.dll
C:\WINDOWS\system32\bkekqtmh.exe
C:\WINDOWS\system32\cbeeg.bak1
C:\WINDOWS\system32\cbeeg.ini
C:\WINDOWS\system32\geebc.dll
C:\WINDOWS\system32\gslrfoyf.dllbox
C:\WINDOWS\system32\khfggfc.dll
C:\WINDOWS\system32\mgxnsskp.dll
C:\WINDOWS\system32\msqtvcap.dat

rosey911
2007-11-06, 19:24
C:\WINDOWS\tmpDSM1
C:\WINDOWS\tmpDSM1\Pdf\PdfFile.pdf
C:\WINDOWS\tmpDSM1\Pdf\PsFile.ps
C:\WINDOWS\UmFjaGVs
C:\WINDOWS\UmFjaGVs\oAI3u3pP.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-06 to 2007-11-06 )))))))))))))))))))))))))))))))
.

2007-11-06 07:24 87,104 --a------ C:\WINDOWS\system32\rvwxugno.dll
2007-11-06 07:21 81,472 --a------ C:\WINDOWS\system32\oatmhcmt.dll
2007-11-06 07:15 340,032 --a------ C:\WINDOWS\system32\kyfxbonj.dll
2007-11-06 07:15 340,032 --a------ C:\WINDOWS\system32\gslrfoyf.dll
2007-11-05 16:38 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-05 07:39 83,008 --a------ C:\WINDOWS\system32\oidxmyqb.dll
2007-11-04 12:53 <DIR> d-------- C:\Deckard
2007-11-03 20:14 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 15:04 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-03 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-03 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-03 07:29 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-11-03 07:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2007-11-03 07:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-03 07:29 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-03 07:29 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-03 07:29 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-03 07:29 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-03 07:28 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-31 19:06 <DIR> d-------- C:\Program Files\Windows Defender
2007-10-31 17:51 0 --a------ C:\WINDOWS\system32\taskkill.exe
2007-10-31 17:19 <DIR> d-------- C:\Program Files\PasswordTools
2007-10-23 16:46 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-10-17 13:48 <DIR> d-------- C:\Program Files\MySpace
2007-10-17 13:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2007-10-11 11:46 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-06 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-04 01:27 --------- d-----w C:\Program Files\Trend Micro
2007-11-01 05:53 --------- d-----w C:\Program Files\motive
2007-11-01 03:00 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-11-01 02:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-01 01:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-11-01 01:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-11-01 00:52 --------- d-----w C:\Program Files\Trial123FileConvert
2007-10-27 03:46 --------- d-----w C:\Program Files\Microsoft Games
2007-10-02 23:41 --------- d-----w C:\Program Files\Last Seconds Bidder
2007-10-02 17:00 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-01 16:42 --------- d-----w C:\Program Files\iTunes
2007-10-01 16:42 --------- d-----w C:\Program Files\iPod
2007-09-25 00:13 --------- d-----w C:\Program Files\ewido anti-malware
2007-09-25 00:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-09-24 22:31 --------- d-----w C:\Program Files\Common Files\xing shared
2007-09-24 22:31 --------- d-----w C:\Program Files\Common Files\Real
2007-09-24 21:38 --------- d-----w C:\Program Files\Kodak
2007-09-24 21:34 --------- d-----w C:\Program Files\HyperVRE
2007-09-24 21:33 --------- d-----w C:\Program Files\DivX
2007-09-24 21:31 --------- d-----w C:\Program Files\Article Distributor
2007-09-24 21:29 --------- d-----w C:\Program Files\Google
2007-09-24 21:23 --------- d-----w C:\Program Files\OpenOffice.org 2.0
2007-09-24 21:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2007-09-24 21:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-24 20:54 --------- d-----w C:\Program Files\Pure Networks
2007-09-24 20:54 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-24 20:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2007-09-20 23:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-20 23:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\dvdcss
2007-09-09 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-09 22:24 --------- d-----w C:\Program Files\QuickTime
2007-09-09 22:22 --------- d-----w C:\Program Files\Common Files\Apple
2007-09-09 22:22 --------- d-----w C:\Program Files\Apple Software Update
2007-09-09 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-09-01 18:23 24,192 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-09-01 18:23 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
2007-01-21 18:30 557 ----a-w C:\Program Files\INSTALL.LOG
2005-09-14 16:24 33,280 ----a-w C:\Program Files\EndProcess.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-03_21.33.28.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-30 01:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-30 02:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-03-13 18:57:10 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2007-11-03 15:30:42 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-04 14:39:16 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-03 15:30:43 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-04 14:39:16 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-04-02 21:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-04-02 22:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{246112fa-388a-4433-9f82-785bcc54ba36}]
2007-11-06 07:21 81472 --a------ C:\WINDOWS\system32\oatmhcmt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F174EBF-59B4-4F17-9FFC-E2398BD28457}]
C:\WINDOWS\system32\pmnli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-06 07:15 340032 --a------ C:\WINDOWS\system32\gslrfoyf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\gslrfoyf.dll [2007-11-06 07:15 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 07:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 07:59]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 01:46]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 15:26]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-24 14:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2004-06-15 22:22]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 06:43]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-06-02 20:23]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-12-04 21:07:15]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 20:37:56]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-21 06:36:06]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-09-24 13:29:10]
Wireless-B Notebook Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-B PCI Adapter\Startup.exe [2005-12-02 15:33:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gslrfoyf]
gslrfoyf.dll 2007-11-06 07:15 340032 C:\WINDOWS\system32\gslrfoyf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jrfkhhva]
jrfkhhva.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfggfc]
khfggfc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup


R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys
S2 Ca533av;Polaroid Digital Cam Video;C:\WINDOWS\system32\Drivers\Ca533av.sys
S3 IPN2120;Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-05 17:18:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-06 16:51:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-02 22:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-06 08:55:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-06 8:56:30 - machine was rebooted
.
--- E O F ---

rosey911
2007-11-06, 19:25
Here is the new HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:39 AM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {63ab45cc-b587-28f9-3344-a883af211642} - {246112fa-388a-4433-9f82-785bcc54ba36} - C:\WINDOWS\system32\oatmhcmt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5F174EBF-59B4-4F17-9FFC-E2398BD28457} - C:\WINDOWS\system32\pmnli.dll (file missing)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gslrfoyf.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\gslrfoyf.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\Startup.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://my.lennar.com/inotes/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133627876228
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133627864900
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: gslrfoyf - C:\WINDOWS\SYSTEM32\gslrfoyf.dll
O20 - Winlogon Notify: jrfkhhva - jrfkhhva.dll (file missing)
O20 - Winlogon Notify: khfggfc - khfggfc.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 11281 bytes

__RiP_ChAiN_
2007-11-06, 23:13
Hello rosey911,

A. Please RUN HijackThis
Click the SCAN button to produce a log.


Place a check mark beside each one of the following items:

O2 - BHO: {63ab45cc-b587-28f9-3344-a883af211642} - {246112fa-388a-4433-9f82-785bcc54ba36} - C:\WINDOWS\system32\oatmhcmt.dll
O2 - BHO: (no name) - {5F174EBF-59B4-4F17-9FFC-E2398BD28457} - C:\WINDOWS\system32\pmnli.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gslrfoyf.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\gslrfoyf.dll
O20 - Winlogon Notify: gslrfoyf - C:\WINDOWS\SYSTEM32\gslrfoyf.dll
O20 - Winlogon Notify: jrfkhhva - jrfkhhva.dll (file missing)
O20 - Winlogon Notify: khfggfc - khfggfc.dll (file missing)


Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


B. 1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:


File::
C:\WINDOWS\system32\rvwxugno.dll
C:\WINDOWS\system32\oatmhcmt.dll
C:\WINDOWS\system32\kyfxbonj.dll
C:\WINDOWS\system32\gslrfoyf.dll
C:\WINDOWS\system32\oidxmyqb.dll

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt
A new HijackThis log.
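
The fix list above targets the classic Virtumonde pattern: browser load points (an O2 BHO and an O3 Toolbar) and an O20 Winlogon Notify hook that all point at the same randomly named DLL in system32, plus orphaned "(file missing)" entries left behind by earlier removal attempts. As an added example that is not part of the thread, here is a small Python script that parses those three HijackThis line types and applies exactly those checks; the sample lines are copied from the logs in this thread, while the regex, the consonant-run heuristic and the function names are my own and should be read as a rough triage aid, not a signature.

```python
import re
from collections import defaultdict

# Sample HijackThis lines copied from the thread's log above: three benign
# vendor entries first, then the entries the helper asked to have fixed.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O2 - BHO: {63ab45cc-b587-28f9-3344-a883af211642} - {246112fa-388a-4433-9f82-785bcc54ba36} - C:\WINDOWS\system32\oatmhcmt.dll
O2 - BHO: (no name) - {5F174EBF-59B4-4F17-9FFC-E2398BD28457} - C:\WINDOWS\system32\pmnli.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gslrfoyf.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\gslrfoyf.dll
O20 - Winlogon Notify: gslrfoyf - C:\WINDOWS\SYSTEM32\gslrfoyf.dll
O20 - Winlogon Notify: jrfkhhva - jrfkhhva.dll (file missing)
O20 - Winlogon Notify: khfggfc - khfggfc.dll (file missing)
"""

# Only the three line types involved in this kind of infection are parsed.
LINE_RE = re.compile(r"^(O(?:2|3|20)) - (?:BHO|Toolbar|Winlogon Notify): (.*)$")
VOWELS = set("aeiou")
MISSING = "(file missing)"


def looks_random(stem: str) -> bool:
    """Heuristic (my own, not a vendor rule) for the gibberish DLL names seen
    in this thread: purely alphabetic, 5-10 characters, and containing a run
    of four or more consonants. Real vendor names such as 'sdhelper' or
    'roboform' never reach a run of four."""
    if not stem.isalpha() or not 5 <= len(stem) <= 10:
        return False
    run = longest = 0
    for ch in stem.lower():
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4


def analyze(log_text: str) -> dict:
    """Return {dll basename: {'load_points': [...], 'reasons': [...]}} for
    every O2/O3/O20 entry that trips at least one check."""
    seen = defaultdict(lambda: {"load_points": set(), "reasons": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)].rstrip()
        # The path is always the last " - " separated field; names before it
        # may themselves contain " - " (e.g. "Spybot - Search & Destroy").
        path = body.rsplit(" - ", 1)[-1]
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        stem = base.rsplit(".", 1)[0]
        entry = seen[base]
        entry["load_points"].add(section)
        if missing:
            # Registration survived but the file is gone: an orphaned load point.
            entry["reasons"].add("file missing")
        if looks_random(stem):
            entry["reasons"].add("random-looking name")

    findings = {}
    for base, entry in seen.items():
        lps = entry["load_points"]
        # A browser hook that is also a Winlogon Notify DLL is the tell-tale
        # combination; a legitimate BHO+Toolbar pair alone is not flagged.
        if "O20" in lps and lps & {"O2", "O3"}:
            entry["reasons"].add("browser hook also registered as Winlogon Notify")
        if entry["reasons"]:
            findings[base] = {
                "load_points": sorted(lps),
                "reasons": sorted(entry["reasons"]),
            }
    return findings


if __name__ == "__main__":
    for name, info in analyze(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(info['load_points'])} -> {'; '.join(info['reasons'])}")
```

Run it against a full HijackThis log (`analyze(open("hijackthis.log").read())`) and every DLL that trips a check is listed with the sections it is registered in; anything matching all three reasons is the kind of entry the helper lists for the HJT fix and the CFScript deletion, while a single "random-looking name" hit on its own deserves a manual look before anything is removed.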

rosey911
2007-11-07, 02:24
ComboFix 07-11-01.1** - Owner 2007-11-06 16:12:53.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.180 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\gslrfoyf.dll
C:\WINDOWS\system32\kyfxbonj.dll
C:\WINDOWS\system32\oatmhcmt.dll
C:\WINDOWS\system32\oidxmyqb.dll
C:\WINDOWS\system32\rvwxugno.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\gslrfoyf.dllbox
C:\WINDOWS\system32\oidxmyqb.dll
C:\WINDOWS\system32\rvwxugno.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.

2007-11-05 16:38 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-04 12:53 <DIR> d-------- C:\Deckard
2007-11-03 20:14 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 15:04 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-03 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-03 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-03 07:29 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-11-03 07:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2007-11-03 07:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-03 07:29 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-03 07:29 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-03 07:29 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-03 07:29 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-03 07:28 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-31 19:06 <DIR> d-------- C:\Program Files\Windows Defender
2007-10-31 17:51 0 --a------ C:\WINDOWS\system32\taskkill.exe
2007-10-31 17:19 <DIR> d-------- C:\Program Files\PasswordTools
2007-10-23 16:46 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-10-17 13:48 <DIR> d-------- C:\Program Files\MySpace
2007-10-17 13:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2007-10-11 11:46 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-06 17:42 --------- d-----w C:\Program Files\Google
2007-11-06 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-04 01:27 --------- d-----w C:\Program Files\Trend Micro
2007-11-01 05:53 --------- d-----w C:\Program Files\motive
2007-11-01 03:00 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-11-01 02:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-01 01:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-11-01 01:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-11-01 00:52 --------- d-----w C:\Program Files\Trial123FileConvert
2007-10-27 03:46 --------- d-----w C:\Program Files\Microsoft Games
2007-10-02 23:41 --------- d-----w C:\Program Files\Last Seconds Bidder
2007-10-02 17:00 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-01 16:42 --------- d-----w C:\Program Files\iTunes
2007-10-01 16:42 --------- d-----w C:\Program Files\iPod
2007-09-25 00:13 --------- d-----w C:\Program Files\ewido anti-malware
2007-09-25 00:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-09-24 22:31 --------- d-----w C:\Program Files\Common Files\xing shared
2007-09-24 22:31 --------- d-----w C:\Program Files\Common Files\Real
2007-09-24 21:38 --------- d-----w C:\Program Files\Kodak
2007-09-24 21:34 --------- d-----w C:\Program Files\HyperVRE
2007-09-24 21:33 --------- d-----w C:\Program Files\DivX
2007-09-24 21:31 --------- d-----w C:\Program Files\Article Distributor
2007-09-24 21:23 --------- d-----w C:\Program Files\OpenOffice.org 2.0
2007-09-24 21:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2007-09-24 21:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-24 20:54 --------- d-----w C:\Program Files\Pure Networks
2007-09-24 20:54 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-24 20:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2007-09-20 23:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-20 23:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\dvdcss
2007-09-09 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-09 22:24 --------- d-----w C:\Program Files\QuickTime
2007-09-09 22:22 --------- d-----w C:\Program Files\Common Files\Apple
2007-09-09 22:22 --------- d-----w C:\Program Files\Apple Software Update
2007-09-09 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-09-01 18:23 24,192 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-09-01 18:23 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
2007-01-21 18:30 557 ----a-w C:\Program Files\INSTALL.LOG
2005-09-14 16:24 33,280 ----a-w C:\Program Files\EndProcess.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-03_21.33.28.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-30 01:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-30 02:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-02 20:29:32 224,256 ----a-w C:\WINDOWS\Downloaded Program Files\GoogleGadgetPluginIEWin.dll
+ 2007-03-13 18:57:10 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2007-11-03 15:30:42 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-04 14:39:16 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-03 15:30:43 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-04 14:39:16 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-04-02 21:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-04-02 22:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 07:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 07:59]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 01:46]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 15:26]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-24 14:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-06 09:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2004-06-15 22:22]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 06:43]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-06-02 20:23]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-12-04 21:07:15]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 20:37:56]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-21 06:36:06]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-09-24 13:29:10]
Wireless-B Notebook Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-B PCI Adapter\Startup.exe [2005-12-02 15:33:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup


R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys
S2 Ca533av;Polaroid Digital Cam Video;C:\WINDOWS\system32\Drivers\Ca533av.sys
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe"
S3 IPN2120;Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-05 17:18:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-07 00:03:15 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-02 22:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-06 16:19:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-06 16:21:56 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-06 08:56
.
--- E O F ---

rosey911
2007-11-07, 02:25
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:36 PM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Linksys\Wireless-B PCI Adapter\OdHost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\Startup.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://my.lennar.com/inotes/iNotes6W.cab
O16 - DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} (Google Gadget Control) - http://dl.google.com/dl/desktop/nv/GoogleGadgetPluginIEWin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133627876228
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133627864900
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 11353 bytes

__RiP_ChAiN_
2007-11-07, 22:55
Hello rosey911,

Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

rosey911
2007-11-08, 06:12
Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adrevolver[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bluestreak[2].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Owner\Cookies\owner@clickbank[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[4].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.cfexe]
Virus:Generic Malware Disinfected C:\My Downloads\Install Files\BSINSTALL.exe
Adware:Adware/Ucmore Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\CD2FE3E2-DF79-43D2-B8DE-DA15D3\CF848EF6-F477-48DC-ABED-37475B
Adware:Adware/Ucmore Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\CD2FE3E2-DF79-43D2-B8DE-DA15D3\FF992919-A05F-451F-BD9A-A60EAE
Virus:Trj/Downloader.MDW Disinfected C:\qoobox\Quarantine\C\WINDOWS\b122.exe.vir
Adware:Adware/Yazzle Not disinfected C:\qoobox\Quarantine\C\WINDOWS\mrofinu1000137.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\bkekqtmh.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\cwsykwyf.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\nlmiemkx.exe.vir
Virus:W32/Nuwar.HT.worm Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\o1\c124wvr.exe.vir
Adware:Adware/TTC Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\v4\caws83122.exe.vir
Adware:Adware/CommAd Not disinfected C:\qoobox\Quarantine\C\WINDOWS\UmFjaGVs\oAI3u3pP.vbs.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\catchme2007-11-05_190640.95.zip[sstqr.dll]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe

__RiP_ChAiN_
2007-11-08, 18:10
Hello rosey911,

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only

Run ATF Cleaner: Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Using Windows Explorer delete the following folder (if present): (To get into Windows Explorer, right click the START button and select "explore.")

C:\Qoobox

Go ahead and remove any tools used during the fix as they will no longer be needed.

Congratulations, your computer is now clean of malware!

Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then go to Start > Run and type: Cleanmgr
Click "OK".
Click the "More Options" Tab.
Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topict405.html)

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/tutorial60.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:
IE/Spyad (http://www.bleepingcomputer.com/tutorials/tutorial53.html) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
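The HOSTS file mechanism described above cuts both ways: a blocklist like MVPS maps unwanted hostnames to 127.0.0.1 so the PC never reaches them, while browser-redirecting malware does the opposite and maps legitimate hostnames to an address it controls. The following added example (not part of this thread, and not MVPS's own code) parses a HOSTS file in the standard Windows format and separates sinkholed block entries from suspicious redirections of protected domains; the sample file contents and the protected-domain list are constructed.

```python
"""Audit a Windows HOSTS file: blocklist entries versus hijack entries.
Added example, not from the forum thread; sample data is constructed."""
import ipaddress
from typing import Dict, List, Tuple

# Addresses a blocklist legitimately uses as a sinkhole.
SINKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line, ignore it
        for host in fields[1:]:
            entries.append((addr, host.lower()))
    return entries


def audit_hosts(text: str, protected: set) -> Dict[str, List[str]]:
    """'blocked': sinkholed names; 'hijacked': a protected domain (or a
    subdomain of one) sent to a non-sinkhole address; 'other': the rest."""
    result = {"blocked": [], "hijacked": [], "other": []}
    for addr, host in parse_hosts(text):
        if host == "localhost":
            continue  # the default entry, not a block or a hijack
        if addr in SINKHOLE:
            result["blocked"].append(host)
        elif host in protected or any(host.endswith("." + p) for p in protected):
            result["hijacked"].append(f"{host} -> {addr}")
        else:
            result["other"].append(f"{host} -> {addr}")
    return result


# Constructed sample: MVPS-style block lines plus one hijack of a real site.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ads.example-adserver.invalid   # [MVPS-style block]
0.0.0.0    tracker.example.invalid
192.0.2.10 www.windowsupdate.com          # hijack: update site sent elsewhere
10.0.0.5   intranet.corp.invalid
"""
PROTECTED = {"windowsupdate.com", "microsoft.com", "bleepingcomputer.com"}

if __name__ == "__main__":
    for kind, hosts in audit_hosts(SAMPLE_HOSTS, PROTECTED).items():
        print(kind, hosts)
```

On a real XP machine the file to feed in is C:\WINDOWS\system32\drivers\etc\hosts; any "hijacked" hit is worth investigating before trusting that machine's name resolution.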

rosey911
2007-11-08, 18:41
Rip Chain,
I just wanted to once again say thank you sooo much for your help, I am sure you get this gratitude daily, but without folks like you and the others, our computer makers would be richer than they already are, because I was ready to call Dell and order a new one. Tell your friends, wife, family, g-friend whatever we thank them also because I know this takes hours away from them. Good luck in any endeavor you choose to undertake.

Best wishes for the holidays.
Rachel
Las Vegas Nevada, USA

rosey911
2007-11-08, 18:53
Sorry, one more quick question: should I turn Tea Timer back on? And if so, how?

Ty

__RiP_ChAiN_
2007-11-08, 19:06
Hello rosey911,

Open Spybot.
On the tool bar, at the top left, click Mode.
Click Advanced Mode.
A box will open, asking if you want to go to Advanced Mode, click Yes.
On the left, near the bottom, click the Tools tab.
Then on the menu, click Resident.
In the panel on the right, put a check in the box next to Resident "TeaTimer".
Close Spybot.


Rip Chain,
I just wanted to once again say thank you sooo much for your help, I am sure you get this gratitude daily, but without folks like you and the others, our computer makers would be richer than they already are, because I was ready to call Dell and order a new one. Tell your friends, wife, family, g-friend whatever we thank them also because I know this takes hours away from them. Good luck in any endeavor you choose to undertake.
I do greatly thank you for your kindly worded reply. In all honesty, there aren't many joys in doing this job, but great people like you are the ones that keep me and others like me doing this as well.

Regards,
Kevin.