virus support



sludgeguts
2007-11-27, 09:06
I have had the Virtumonde trojan and have followed your process; attached is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:03:57, on 27/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\PROGRA~1\FNTS~1\dexplore.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchFilter.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwiC273s2RLPnFhV4qIjHixhSb4qR3XBQxLmKBz2lu1xynEmjXXxHnToyHW1cjcXfwGUXu87cR5blAjUMymJ6LGNGHBc6zH7+FG+2NpdvkfFA=
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [54323f93] rundll32.exe "C:\WINDOWS\system32\yagwgcwy.dll",b
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Uvyi] C:\WINDOWS\system32\WWEXEC~1.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\YMBOLS~1\alg.exe" -vt mtx
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Opqjg] C:\WINDOWS\F?nts\j?vaw.exe
O4 - HKCU\..\Run: [Uvaiat] C:\WINDOWS\SYSTEM32\?ystem32\w?nlogon.exe
O4 - HKCU\..\Run: [Arwm] "C:\PROGRA~1\FNTS~1\dexplore.exe" -vt mtx
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm413YYGB
O8 - Extra context menu item: Grip.com - file://C:\Program Files\GRIPCZ29\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195318132796
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab
O20 - AppInit_DLLs: regsvr32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 12051 bytes

__RiP_ChAiN_
2007-11-27, 10:51
Hello sludgeguts,

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

sludgeguts
2007-11-27, 13:08
I have done as instructed; please find attached the ComboFix log in two parts.

ComboFix 07-11-19.4 - max 2007-11-27 10:26:20.1 - NTFSx86
Running from: C:\Documents and Settings\max\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\mark\Favorites\Online Security Guide.lnk
C:\Documents and Settings\max\Application Data\ASEMBL~1
C:\Documents and Settings\max\Application Data\ASKS~1
C:\Documents and Settings\max\Application Data\CROSOF~1
C:\Documents and Settings\max\Application Data\DOBE~1
C:\Documents and Settings\max\Application Data\FNTS~1
C:\Documents and Settings\max\Application Data\ICROSO~1
C:\Documents and Settings\max\Application Data\ICROSO~1.NET
C:\Documents and Settings\max\Application Data\MANTEC~1
C:\Documents and Settings\max\Application Data\MCROSO~1
C:\Documents and Settings\max\Application Data\PPATCH~1
C:\Documents and Settings\max\Application Data\PPATCH~2
C:\Documents and Settings\max\Application Data\RACLE~1
C:\Documents and Settings\max\Application Data\SMBOLS~1
C:\Documents and Settings\max\Application Data\SSTEM~1
C:\Documents and Settings\max\Application Data\YSTEM3~1
C:\Documents and Settings\max\Favorites\Online Security Guide.lnk
C:\Documents and Settings\max\My Documents\CROSOF~1
C:\Documents and Settings\max\My Documents\DOBE~1
C:\Documents and Settings\max\My Documents\MANTEC~1
C:\Documents and Settings\max\My Documents\PPATCH~1
C:\Documents and Settings\max\My Documents\PPPATC~1
C:\Documents and Settings\max\My Documents\RACLE~1
C:\Documents and Settings\max\My Documents\RACLE~2
C:\Documents and Settings\max\My Documents\SCURIT~1
C:\Documents and Settings\max\My Documents\SEMBLY~1
C:\Documents and Settings\max\My Documents\SKS~1
C:\Documents and Settings\max\My Documents\SSTEM~1
C:\Documents and Settings\max\My Documents\SSTEM3~1
C:\Documents and Settings\max\My Documents\WNSXS~1
C:\Documents and Settings\max\My Documents\YSTEM3~1
C:\Documents and Settings\max\Start Menu\Programs\Outerinfo
C:\Documents and Settings\max\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\max\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\sue\Favorites\Online Security Guide.lnk
C:\Program Files\asembl~1
C:\Program Files\asks~1
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\curity~1
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\icroso~1
C:\Program Files\Common Files\mbols~1
C:\Program Files\Common Files\scurit~1
C:\Program Files\Common Files\sembly~1
C:\Program Files\Common Files\sks~1
C:\Program Files\Common Files\smante~1
C:\Program Files\Common Files\smbols~1
C:\Program Files\Common Files\ssembl~1
C:\Program Files\Common Files\stem32~1
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\ymbols~1
C:\Program Files\fnts~1
C:\Program Files\fnts~1\dexplore.exe
C:\Program Files\fnts~1\W?nSxS\
C:\Program Files\icroso~1
C:\Program Files\mantec~1
C:\Program Files\mcroso~1
C:\Program Files\mcroso~1.net
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\racle~1
C:\Program Files\racle~2
C:\Program Files\sks~1
C:\Program Files\smante~1
C:\Program Files\sstem3~1
C:\Program Files\stem~1
C:\Program Files\wnsxs~1
C:\Program Files\ymbols~1
C:\Program Files\ystem~1
C:\Program Files\ystem3~1
C:\WINDOWS\asks~1
C:\WINDOWS\asks~2
C:\WINDOWS\cookies.ini
C:\WINDOWS\crosof~1
C:\WINDOWS\crosof~1.net
C:\WINDOWS\fnts~1
C:\WINDOWS\fnts~2
C:\WINDOWS\icroso~1
C:\WINDOWS\icroso~1.net
C:\WINDOWS\mantec~1
C:\WINDOWS\mbols~1
C:\WINDOWS\mcroso~1
C:\WINDOWS\ppatch~1
C:\WINDOWS\pppatc~1
C:\WINDOWS\racle~1
C:\WINDOWS\sstem3~1
C:\WINDOWS\system32\asks~1
C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\crosof~1
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\SYSTEM32\ehhkj.ini
C:\WINDOWS\SYSTEM32\ehhkj.ini2
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\icroso~1
C:\WINDOWS\system32\jkhhe.dll
C:\WINDOWS\system32\mantec~1
C:\WINDOWS\system32\mcroso~1
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\SYSTEM32\qqtwa.ini
C:\WINDOWS\SYSTEM32\qqtwa.ini2
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\regsvr32.dll
C:\WINDOWS\system32\scurit~1
C:\WINDOWS\system32\wnsintit.exe
C:\WINDOWS\system32\wnsintsv32.exe
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\ystem3~1
C:\WINDOWS\ymbols~1
C:\WINDOWS\ymbols~1\alg.exe
C:\WINDOWS\ymbols~1\YMBOLS~1\ctxad-559.0000
C:\WINDOWS\ymbols~1\YMBOLS~1\ctxad-559.0001
C:\WINDOWS\ystem3~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_SFSYNC02
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-27 07:55 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-26 18:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-26 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-26 18:45 78,085 --a------ C:\WINDOWS\SYSTEM32\iuyghxtx.dll
2007-11-26 18:42 80,960 --a------ C:\WINDOWS\SYSTEM32\hkndpqyd.dll
2007-11-24 18:49 81,472 --a------ C:\WINDOWS\SYSTEM32\cqvohfdr.dll
2007-11-23 20:50 <DIR> d-------- C:\Program Files\Safer Networking
2007-11-23 18:44 83,520 --a------ C:\WINDOWS\SYSTEM32\tfhsanrg.dll
2007-11-23 18:41 75,620 --a------ C:\WINDOWS\SYSTEM32\tecewkof.dll
2007-11-22 19:39 28,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2007-11-22 19:38 83,748 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\prcp.nls
2007-11-22 19:38 83,748 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\prc.nls
2007-11-22 19:38 57,856 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_scripto.dll
2007-11-22 19:38 26,112 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_seos.dll
2007-11-22 19:38 23,040 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_regtrace.exe
2007-11-22 19:38 12,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_smtpctrs.dll
2007-11-22 19:38 7,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_snprfdll.dll
2007-11-22 19:37 482,304 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pintlgnt.ime
2007-11-22 19:37 131,584 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxviceo.dll
2007-11-22 19:37 70,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pintlphr.exe
2007-11-22 19:37 67,584 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmigrate.dll
2007-11-22 19:37 65,536 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_mailmsg.dll
2007-11-22 19:37 38,912 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_ntfsdrv.dll
2007-11-22 19:37 36,927 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\padrs411.dll
2007-11-22 19:37 14,336 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\padrs412.dll
2007-11-22 19:37 11,264 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxmcro.dll
2007-11-22 19:37 6,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxgl.dll
2007-11-22 19:36 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2007-11-22 19:36 10,129,408 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxkor.dll
2007-11-22 19:36 10,096,640 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxcht.dll
2007-11-22 19:36 173,602 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\c_20002.nls
2007-11-22 19:36 54,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cap7146.sys
2007-11-22 19:36 43,520 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_fcachdll.dll
2007-11-22 19:36 24,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fpadmcgi.exe
2007-11-22 19:36 14,848 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\flattemp.exe
2007-11-22 19:36 7,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\f3ahvoas.dll
2007-11-22 19:35 188,480 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cfgwiz.exe
2007-11-22 19:35 162,850 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\c_10001.nls
2007-11-22 19:35 45,056 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_aqadmin.dll
2007-11-22 19:35 5,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_adsiisex.dll
2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2007-11-22 19:30 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2007-11-22 19:28 214,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn1.exe
2007-11-22 19:28 86,016 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn2.exe
2007-11-22 19:28 32,768 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwdl.dll
2007-11-22 19:28 20,480 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\inetwiz.exe
2007-11-22 18:11 34 --a------ C:\WINDOWS\SYSTEM\oeminfo.ini
2007-11-22 18:10 2,012,670 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NT5.CAT
2007-11-22 18:10 1,086,058 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NTPRINT.CAT
2007-11-22 18:10 1,042,903 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\SP2.CAT
2007-11-22 18:10 797,189 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NT5IIS.CAT
2007-11-22 18:10 399,645 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\MAPIMIG.CAT
2007-11-22 18:10 382,952 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NT5INF.CAT
2007-11-22 18:10 37,484 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\MW770.CAT
2007-11-22 18:10 31,281 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\FP4.CAT
2007-11-22 18:10 24,661 --a------ C:\WINDOWS\SYSTEM32\spxcoins.dll
2007-11-22 18:10 24,661 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\spxcoins.dll
2007-11-22 18:10 13,472 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\HPCRDP.CAT
2007-11-22 18:10 13,312 --a------ C:\WINDOWS\SYSTEM32\irclass.dll
2007-11-22 18:10 8,574 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\IASNT4.CAT
2007-11-22 18:10 7,710 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\OEMBIOS.CAT
2007-11-22 18:10 7,334 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wmerrenu.cat
2007-11-22 17:58 <DIR> d-------- C:\WINDOWS\dell
2007-11-22 17:55 79,936 --a------ C:\WINDOWS\SYSTEM32\otkjhtql.dll
2007-11-22 17:53 776,072 --ahs---- C:\WINDOWS\SYSTEM32\mcejqbyf.ini
2007-11-21 10:47 694,433 --ahs---- C:\WINDOWS\SYSTEM32\bdpaepvo.ini
2007-11-21 10:47 84,545 --a------ C:\WINDOWS\SYSTEM32\ovpeapdb.dll
2007-11-21 10:46 80,960 --a------ C:\WINDOWS\SYSTEM32\audofben.dll
2007-11-20 20:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-18 19:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-11-18 19:51 350,920 --a------ C:\WINDOWS\SYSTEM32\vsconfig.xml
2007-11-18 19:50 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-18 19:06 <DIR> d-------- C:\Program Files\Registry Defender
2007-11-18 16:21 677,980 --ahs---- C:\WINDOWS\SYSTEM32\jtqpagun.ini
2007-11-18 16:20 84,545 --a------ C:\WINDOWS\SYSTEM32\nugapqtj.dll
2007-11-18 16:19 71,232 --a------ C:\WINDOWS\SYSTEM32\rxdnblub.exe
2007-11-18 13:24 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-11-18 13:24 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2007-11-17 17:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-17 15:32 8,625 --a------ C:\WINDOWS\SYSTEM32\gnrvuxtw.dll
2007-11-17 15:29 71,232 --a------ C:\WINDOWS\SYSTEM32\cnjvjtqk.exe
2007-11-16 15:51 675,260 --ahs---- C:\WINDOWS\SYSTEM32\rqxhrsoo.ini
2007-11-16 15:33 71,232 --a------ C:\WINDOWS\SYSTEM32\qpkvyobf.exe
2007-11-14 15:36 671,489 --ahs---- C:\WINDOWS\SYSTEM32\nptghvsf.ini
2007-11-14 15:33 79,424 --a------ C:\WINDOWS\SYSTEM32\jokpcjje.dll
2007-11-14 15:30 71,232 --a------ C:\WINDOWS\SYSTEM32\uansobhs.exe
2007-11-13 17:21 143 --a------ C:\WINDOWS\SYSTEM32\mcrh.tmp
2007-11-12 21:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\rMa01yy
2007-11-12 21:51 <DIR> d-------- C:\Temp\abW9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 11:07 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2007-11-17 17:37 --------- d-----w C:\Program Files\Logitech
2007-11-17 17:37 --------- d-----w C:\Program Files\Common Files\logishrd
2007-11-17 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2007-11-12 17:47 --------- d-----w C:\Documents and Settings\max\Application Data\HP
2007-11-07 15:19 --------- d-----w C:\Program Files\Dl_cats
2007-10-15 20:03 --------- d-----w C:\Program Files\Full Tilt Poker.Net
2007-10-11 17:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-08 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2007-10-06 09:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-06 09:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\soft chic meet great
2007-10-05 19:43 --------- d-----w C:\Documents and Settings\mark\Application Data\Motive
2007-10-05 19:39 --------- d-----w C:\Program Files\BT Broadband Desktop Help
2007-10-05 19:38 --------- d-----w C:\Program Files\Common Files\Motive
2007-10-05 19:37 --------- d-----w C:\Program Files\Motive
2007-10-05 19:36 --------- d-----w C:\Program Files\BT Home Hub
2005-05-02 12:42 374,279 --sh--w C:\WINDOWS\Help\litusm.bak1
.

sludgeguts
2007-11-27, 13:10
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{040B7D23-99E1-BD14-BF1B-BFEE8A86EF9C}]
C:\WINDOWS\system32\xwsf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}]
C:\WINDOWS\system32\hggfgge.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14DB7B51-B663-4BBA-9320-EB84949A098F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{197846A8-E57E-F0A4-16D4-8563E6C3B0FF}]
C:\WINDOWS\system32\bkmyaflh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1AD5FCBE-100B-4D8F-7871-3CB6094DF4C3}]
C:\WINDOWS\system32\xdtxgmnv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34877841-C4D0-C554-A648-E82B2CE6D8CC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42C76E27-D4E8-8A39-CF3D-AAEF3E7DA299}]
C:\WINDOWS\system32\gyo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{449FC5FC-81F2-4A4A-A7C6-3E42A88C62C9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{525EB293-5C57-76FC-05B0-7032D76FB69F}]
C:\WINDOWS\system32\rzibh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5645ED67-538B-0D5B-817D-7C129130E693}]
C:\WINDOWS\system32\nimn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{599D53DB-B54C-BD94-6604-9C3C6058E0C4}]
C:\WINDOWS\system32\hkunhu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A857019-91D0-9D02-A848-E82B2CE6D99E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88F78A1D-CD35-40F0-B3E5-946FB1BBF89A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C8A6B4D-6D6E-4843-891C-04439102F574}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a30783ae-366a-47ed-b4d5-31c0cefde678}]
2007-11-26 18:42 80960 --a------ C:\WINDOWS\system32\hkndpqyd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A56A934A-85F4-4388-A362-BEB546E8F73C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AAEE8DC8-830F-496F-AE31-8D4A51C01914}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3FBAB34-16AC-4E79-DC2F-3EE600F60293}]
C:\WINDOWS\system32\pvmceqy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f1b580b4-b04c-470f-8e10-0b5224ebab90}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"Uvyi"="C:\WINDOWS\system32\WWEXEC~1.EXE" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"Sen"="C:\WINDOWS\YMBOLS~1\alg.exe" []
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 10:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:56]
"Opqjg"="C:\WINDOWS\F?nts\j?vaw.exe" []
"Uvaiat"="C:\WINDOWS\SYSTEM32\?ystem32\w?nlogon.exe" []
"Arwm"="C:\PROGRA~1\FNTS~1\dexplore.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-01-26 00:41]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 01:01]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 15:30]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 01:05]
"vptray"="C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe" [2004-02-12 11:49]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-12 13:55 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-06 18:03]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 10:06]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 18:55]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-11-30 10:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [2007-08-22 12:34]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" []
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"54323f93"="C:\WINDOWS\system32\yagwgcwy.dll" [2007-11-24 18:43]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 13:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-12 14:01 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 05:00]

C:\Documents and Settings\sam\Start Menu\Programs\Startup\
eTomi Pro On Startup.lnk - C:\Program Files\eTomiPro\Gui\etomipro.exe [2005-02-08 14:15:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-03-16 14:24:02]
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [2007-10-05 19:37:10]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2005-02-07 18:53:16]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-01-28 18:35:59]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 17:10:04]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}"= C:\WINDOWS\system32\hggfgge.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfgge]
hggfgge.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loctmiga]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\msutil]
C:\WINDOWS\Help\msutil.dll
C:\WINDOWS\system32\NavLogon.dll 2004-02-12 11:38 45172 C:\WINDOWS\SYSTEM32\NavLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\req]
C:\WINDOWS\system32\req.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhhe.dll

S3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys
S3 BTKRNBDG;Bluetooth COM Bridge;C:\WINDOWS\system32\DRIVERS\btkrnbdg.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys
S3 ewdmaudn;ewdmaudn;\??\C:\DOCUME~1\max\LOCALS~1\Temp\ewdmaudn.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20452f93-714b-11d9-a746-806d6172696f}]
\Shell\AutoRun\command - D:\Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-21 14:32:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 11:28:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 11:40:05 - machine was rebooted
.
--- E O F ---


The HJT did not produce a txt file, at least not one I could find. Thank you for your kind help.

sludgeguts
2007-11-27, 14:23
Tried the uninstall HJT again and this is what was produced



ABBYY FineReader 5.0 Sprint Plus
Adobe Acrobat Reader 3.02
Adobe Flash Player 9
Adobe Reader 7.0.9
Apple Software Update
Application name
ArcSoft PhotoImpression
ArcSoft VideoImpression 1.6
ATI Control Panel
ATI Display Driver
BAMZOOKi v3.1 (build 115.158)
Bikinicom_Groups_SS1 Screen Saver
BitLord 1.1
BlueSoleil
Broadcom Management Programs
BroadJump Client Foundation
BT Broadband Desktop Help
BT Yahoo! Applications
Caesar 3
ConvertXtoDVD 2.2.3.258
Cossacks - The Art Of War
Cossacks II
CP210x USB to UART Bridge Controller
Dell Color Printer 725
Dell Driver Reset Tool
Dell Media Experience
Dell Media Experience Update
Dell Photo AIO Printer 922
DellSupport
eTomi Pro(remove only)
FileAlyzer
Full Tilt Poker.Net
GameShadow
HijackThis 2.0.2
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Essential
HP Software Update
HP Solution Center 7.0
Image Transfer
ImageMixer for Sony
ImageMixer VCD/DVD2 for OLYMPUS
Intel(R) 537EP V9x DF PCI Modem
Internet Explorer Default Page
iPod for Windows 2005-10-12
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro 8 Dell Edition
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Kaspersky Online Scanner
Key Design Center 3D 1.1
Learn2 Player (Uninstall Only)
LiveUpdate 1.80 (Symantec Corporation)
Logitech Desktop Messenger
Logitech Print Service
Logitech QuickCam Software
Logitech® Camera Driver
Macromedia Shockwave Player
MAP
Match-Up!
MEDION-Navigator
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft ActiveSync 3.7
Microsoft Midtown Madness
Microsoft Monster Truck Madness 2
Microsoft Office PowerPoint Viewer 2003
Microsoft Works 7.0
Modem Event Monitor
Modem Helper
Modem On Hold
MSN
MSN Search Toolbar
Network Play System (Patching)
OLYMPUS Master
PB-WC100 USB Camera
PowerDVD 5.3
QuickTime
RealPlayer Basic
RegAlyzer
RunAlyzer
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Samsung PC Studio 3 USB Driver Installer
Samsung Samples Installer
Science Explorer
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
SHARP GSM GPRS Driver Ver1.1.1
Shockwave
Sierra Utilities
Sonic DLA
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
Sony USB Driver
Spybot - Search & Destroy
Star Wars Galactic Battlegrounds
Starsiege
Symantec AntiVirus Client
The Battle for Middle-earth (tm) II
The Sims 2
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 Pets
The Sims Livin' it up
The Sims Unleashed
Theme Hospital
Theory Interactive
Victor Chandler Poker
Viewpoint Media Player
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 11
WinRAR archiver
XP Codec Pack
Yahoo! Address AutoComplete
ZoneAlarm Anti-Spyware

__RiP_ChAiN_
2007-11-27, 21:32
Hello sludgeguts,

Please post back with a new HijackThis log, as well.

sludgeguts
2007-11-27, 21:38
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:37:38, on 27/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwiC273s2RLPnFhV4qIjHixhSb4qR3XBQxLmKBz2lu1xynEmjXXxHnToyHW1cjcXfwGUXu87cR5blAjUMymJ6LGNGHBc6zH7+FG+2NpdvkfFA=
O2 - BHO: (no name) - {040B7D23-99E1-BD14-BF1B-BFEE8A86EF9C} - C:\WINDOWS\system32\xwsf.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} - C:\WINDOWS\system32\hggfgge.dll (file missing)
O2 - BHO: (no name) - {14DB7B51-B663-4BBA-9320-EB84949A098F} - (no file)
O2 - BHO: (no name) - {197846A8-E57E-F0A4-16D4-8563E6C3B0FF} - C:\WINDOWS\system32\bkmyaflh.dll (file missing)
O2 - BHO: (no name) - {1AD5FCBE-100B-4D8F-7871-3CB6094DF4C3} - C:\WINDOWS\system32\xdtxgmnv.dll (file missing)
O2 - BHO: (no name) - {34877841-C4D0-C554-A648-E82B2CE6D8CC} - (no file)
O2 - BHO: (no name) - {42C76E27-D4E8-8A39-CF3D-AAEF3E7DA299} - C:\WINDOWS\system32\gyo.dll (file missing)
O2 - BHO: (no name) - {449FC5FC-81F2-4A4A-A7C6-3E42A88C62C9} - (no file)
O2 - BHO: (no name) - {525EB293-5C57-76FC-05B0-7032D76FB69F} - C:\WINDOWS\system32\rzibh.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5645ED67-538B-0D5B-817D-7C129130E693} - C:\WINDOWS\system32\nimn.dll (file missing)
O2 - BHO: (no name) - {599D53DB-B54C-BD94-6604-9C3C6058E0C4} - C:\WINDOWS\system32\hkunhu.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6A857019-91D0-9D02-A848-E82B2CE6D99E} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {88F78A1D-CD35-40F0-B3E5-946FB1BBF89A} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9C8A6B4D-6D6E-4843-891C-04439102F574} - (no file)
O2 - BHO: {876edfec-0c13-5d4b-de74-a663ea38703a} - {a30783ae-366a-47ed-b4d5-31c0cefde678} - C:\WINDOWS\system32\hkndpqyd.dll
O2 - BHO: (no name) - {A56A934A-85F4-4388-A362-BEB546E8F73C} - (no file)
O2 - BHO: (no name) - {AAEE8DC8-830F-496F-AE31-8D4A51C01914} - (no file)
O2 - BHO: (no name) - {B3FBAB34-16AC-4E79-DC2F-3EE600F60293} - C:\WINDOWS\system32\pvmceqy.dll (file missing)
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: (no name) - {f1b580b4-b04c-470f-8e10-0b5224ebab90} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [54323f93] rundll32.exe "C:\WINDOWS\system32\yagwgcwy.dll",b
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Uvyi] C:\WINDOWS\system32\WWEXEC~1.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\YMBOLS~1\alg.exe" -vt mtx
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Opqjg] C:\WINDOWS\F?nts\j?vaw.exe
O4 - HKCU\..\Run: [Uvaiat] C:\WINDOWS\SYSTEM32\?ystem32\w?nlogon.exe
O4 - HKCU\..\Run: [Arwm] "C:\PROGRA~1\FNTS~1\dexplore.exe" -vt mtx
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm413YYGB
O8 - Extra context menu item: Grip.com - file://C:\Program Files\GRIPCZ29\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195318132796
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab
O20 - Winlogon Notify: hggfgge - hggfgge.dll (file missing)
O20 - Winlogon Notify: loctmiga - C:\WINDOWS\
O20 - Winlogon Notify: msutil - C:\WINDOWS\Help\msutil.dll (file missing)
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 13967 bytes

__RiP_ChAiN_
2007-11-28, 23:34
Hello sludgeguts,


Using Add Or Remove Programs, remove the following entries (if present). (To get into Add Or Remove Programs, press the START button > Control Panel > Add Or Remove Programs.)

BitLord 1.1
Viewpoint Media Player

A. Please RUN HijackThis
Click the SCAN button to produce a log.


Place a check mark beside each one of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=w...+FG+2NpdvkfFA=
O2 - BHO: (no name) - {040B7D23-99E1-BD14-BF1B-BFEE8A86EF9C} - C:\WINDOWS\system32\xwsf.dll (file missing)
O2 - BHO: (no name) - {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} - C:\WINDOWS\system32\hggfgge.dll (file missing)
O2 - BHO: (no name) - {14DB7B51-B663-4BBA-9320-EB84949A098F} - (no file)
O2 - BHO: (no name) - {197846A8-E57E-F0A4-16D4-8563E6C3B0FF} - C:\WINDOWS\system32\bkmyaflh.dll (file missing)
O2 - BHO: (no name) - {1AD5FCBE-100B-4D8F-7871-3CB6094DF4C3} - C:\WINDOWS\system32\xdtxgmnv.dll (file missing)
O2 - BHO: (no name) - {34877841-C4D0-C554-A648-E82B2CE6D8CC} - (no file)
O2 - BHO: (no name) - {42C76E27-D4E8-8A39-CF3D-AAEF3E7DA299} - C:\WINDOWS\system32\gyo.dll (file missing)
O2 - BHO: (no name) - {449FC5FC-81F2-4A4A-A7C6-3E42A88C62C9} - (no file)
O2 - BHO: (no name) - {525EB293-5C57-76FC-05B0-7032D76FB69F} - C:\WINDOWS\system32\rzibh.dll (file missing)
O2 - BHO: (no name) - {5645ED67-538B-0D5B-817D-7C129130E693} - C:\WINDOWS\system32\nimn.dll (file missing)
O2 - BHO: (no name) - {599D53DB-B54C-BD94-6604-9C3C6058E0C4} - C:\WINDOWS\system32\hkunhu.dll (file missing)
O2 - BHO: (no name) - {6A857019-91D0-9D02-A848-E82B2CE6D99E} - (no file)
O2 - BHO: (no name) - {88F78A1D-CD35-40F0-B3E5-946FB1BBF89A} - (no file)
O2 - BHO: (no name) - {9C8A6B4D-6D6E-4843-891C-04439102F574} - (no file)
O2 - BHO: {876edfec-0c13-5d4b-de74-a663ea38703a} - {a30783ae-366a-47ed-b4d5-31c0cefde678} - C:\WINDOWS\system32\hkndpqyd.dll
O2 - BHO: (no name) - {A56A934A-85F4-4388-A362-BEB546E8F73C} - (no file)
O2 - BHO: (no name) - {AAEE8DC8-830F-496F-AE31-8D4A51C01914} - (no file)
O2 - BHO: (no name) - {B3FBAB34-16AC-4E79-DC2F-3EE600F60293} - C:\WINDOWS\system32\pvmceqy.dll (file missing)
O2 - BHO: (no name) - {f1b580b4-b04c-470f-8e10-0b5224ebab90} - (no file)
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\YMBOLS~1\alg.exe" -vt mtx
O4 - HKCU\..\Run: [Opqjg] C:\WINDOWS\F?nts\j?vaw.exe
O4 - HKCU\..\Run: C:\WINDOWS\SYSTEM32\?ystem32\w?nlogon.exe
O4 - HKCU\..\Run: [Arwm] "C:\PROGRA~1\FNTS~1\dexplore.exe" -vt mtx
O20 - Winlogon Notify: hggfgge - hggfgge.dll (file missing)
O20 - Winlogon Notify: loctmiga - C:\WINDOWS\
O20 - Winlogon Notify: msutil - C:\WINDOWS\Help\msutil.dll (file missing)
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll (file missing)



Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


B. 1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:



File::
C:\WINDOWS\SYSTEM32\iuyghxtx.dll
C:\WINDOWS\SYSTEM32\hkndpqyd.dll
C:\WINDOWS\SYSTEM32\cqvohfdr.dll
C:\WINDOWS\SYSTEM32\tfhsanrg.dll
C:\WINDOWS\SYSTEM32\tecewkof.dll
C:\WINDOWS\SYSTEM32\otkjhtql.dll
C:\WINDOWS\SYSTEM32\mcejqbyf.ini
C:\WINDOWS\SYSTEM32\bdpaepvo.ini
C:\WINDOWS\SYSTEM32\ovpeapdb.dll
C:\WINDOWS\SYSTEM32\audofben.dll
C:\WINDOWS\SYSTEM32\jtqpagun.ini
C:\WINDOWS\SYSTEM32\nugapqtj.dll
C:\WINDOWS\SYSTEM32\rxdnblub.exe
C:\WINDOWS\SYSTEM32\gnrvuxtw.dll
C:\WINDOWS\SYSTEM32\cnjvjtqk.exe
C:\WINDOWS\SYSTEM32\rqxhrsoo.ini
C:\WINDOWS\SYSTEM32\qpkvyobf.exe
C:\WINDOWS\SYSTEM32\nptghvsf.ini
C:\WINDOWS\SYSTEM32\jokpcjje.dll
C:\WINDOWS\SYSTEM32\uansobhs.exe
C:\WINDOWS\SYSTEM32\mcrh.tmp
C:\WINDOWS\system32\drivers\lvuvc.hs

Folder::
C:\WINDOWS\SYSTEM32\rMa01yy
C:\Temp\abW9
C:\Documents and Settings\All Users\Application Data\soft chic meet great

Driver::
ewdmaudn


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
Combofix.txt
A new HijackThis log.

sludgeguts
2007-11-29, 18:17
ComboFix 07-11-19.4 - max 2007-11-29 9:17:48.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.134 [GMT 0:00]
Running from: C:\Documents and Settings\max\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\max\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\SYSTEM32\audofben.dll
C:\WINDOWS\SYSTEM32\bdpaepvo.ini
C:\WINDOWS\SYSTEM32\cnjvjtqk.exe
C:\WINDOWS\SYSTEM32\cqvohfdr.dll
C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\SYSTEM32\gnrvuxtw.dll
C:\WINDOWS\SYSTEM32\hkndpqyd.dll
C:\WINDOWS\SYSTEM32\iuyghxtx.dll
C:\WINDOWS\SYSTEM32\jokpcjje.dll
C:\WINDOWS\SYSTEM32\jtqpagun.ini
C:\WINDOWS\SYSTEM32\mcejqbyf.ini
C:\WINDOWS\SYSTEM32\mcrh.tmp
C:\WINDOWS\SYSTEM32\nptghvsf.ini
C:\WINDOWS\SYSTEM32\nugapqtj.dll
C:\WINDOWS\SYSTEM32\otkjhtql.dll
C:\WINDOWS\SYSTEM32\ovpeapdb.dll
C:\WINDOWS\SYSTEM32\qpkvyobf.exe
C:\WINDOWS\SYSTEM32\rqxhrsoo.ini
C:\WINDOWS\SYSTEM32\rxdnblub.exe
C:\WINDOWS\SYSTEM32\tecewkof.dll
C:\WINDOWS\SYSTEM32\tfhsanrg.dll
C:\WINDOWS\SYSTEM32\uansobhs.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\soft chic meet great
C:\Temp\abW9
C:\WINDOWS\cookies.ini
C:\WINDOWS\SYSTEM32\audofben.dll
C:\WINDOWS\SYSTEM32\bdpaepvo.ini
C:\WINDOWS\SYSTEM32\cnjvjtqk.exe
C:\WINDOWS\SYSTEM32\cqvohfdr.dll
C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\SYSTEM32\gnrvuxtw.dll
C:\WINDOWS\SYSTEM32\iuyghxtx.dll
C:\WINDOWS\SYSTEM32\jokpcjje.dll
C:\WINDOWS\SYSTEM32\jtqpagun.ini
C:\WINDOWS\SYSTEM32\mcejqbyf.ini
C:\WINDOWS\SYSTEM32\mcrh.tmp
C:\WINDOWS\SYSTEM32\nptghvsf.ini
C:\WINDOWS\SYSTEM32\nugapqtj.dll
C:\WINDOWS\SYSTEM32\otkjhtql.dll
C:\WINDOWS\SYSTEM32\ovpeapdb.dll
C:\WINDOWS\SYSTEM32\qpkvyobf.exe
C:\WINDOWS\SYSTEM32\rMa01yy
C:\WINDOWS\SYSTEM32\rqxhrsoo.ini
C:\WINDOWS\SYSTEM32\rxdnblub.exe
C:\WINDOWS\SYSTEM32\tecewkof.dll
C:\WINDOWS\SYSTEM32\tfhsanrg.dll
C:\WINDOWS\SYSTEM32\uansobhs.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\ewdmaudn


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-29 09:29 <DIR> d-------- C:\WINDOWS\LastGood
2007-11-27 07:55 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-26 18:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-26 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-23 20:50 <DIR> d-------- C:\Program Files\Safer Networking
2007-11-22 19:39 28,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2007-11-22 19:38 83,748 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\prcp.nls
2007-11-22 19:38 83,748 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\prc.nls
2007-11-22 19:38 57,856 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_scripto.dll
2007-11-22 19:38 26,112 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_seos.dll
2007-11-22 19:38 23,040 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_regtrace.exe
2007-11-22 19:38 12,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_smtpctrs.dll
2007-11-22 19:38 7,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_snprfdll.dll
2007-11-22 19:37 482,304 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pintlgnt.ime
2007-11-22 19:37 131,584 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxviceo.dll
2007-11-22 19:37 70,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pintlphr.exe
2007-11-22 19:37 67,584 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmigrate.dll
2007-11-22 19:37 65,536 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_mailmsg.dll
2007-11-22 19:37 38,912 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_ntfsdrv.dll
2007-11-22 19:37 36,927 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\padrs411.dll
2007-11-22 19:37 14,336 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\padrs412.dll
2007-11-22 19:37 11,264 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxmcro.dll
2007-11-22 19:37 6,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxgl.dll
2007-11-22 19:36 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2007-11-22 19:36 10,129,408 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxkor.dll
2007-11-22 19:36 10,096,640 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxcht.dll
2007-11-22 19:36 173,602 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\c_20002.nls
2007-11-22 19:36 54,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cap7146.sys
2007-11-22 19:36 43,520 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_fcachdll.dll
2007-11-22 19:36 24,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fpadmcgi.exe
2007-11-22 19:36 14,848 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\flattemp.exe
2007-11-22 19:36 7,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\f3ahvoas.dll
2007-11-22 19:35 188,480 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cfgwiz.exe
2007-11-22 19:35 162,850 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\c_10001.nls
2007-11-22 19:35 45,056 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_aqadmin.dll
2007-11-22 19:35 5,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_adsiisex.dll
2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2007-11-22 19:30 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2007-11-22 19:28 214,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn1.exe
2007-11-22 19:28 86,016 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn2.exe
2007-11-22 19:28 32,768 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwdl.dll
2007-11-22 19:28 20,480 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\inetwiz.exe
2007-11-22 18:11 34 --a------ C:\WINDOWS\SYSTEM\oeminfo.ini
2007-11-22 18:10 2,012,670 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NT5.CAT
2007-11-22 18:10 1,086,058 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NTPRINT.CAT
2007-11-22 18:10 1,042,903 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\SP2.CAT
2007-11-22 18:10 797,189 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NT5IIS.CAT
2007-11-22 18:10 399,645 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\MAPIMIG.CAT
2007-11-22 18:10 382,952 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NT5INF.CAT
2007-11-22 18:10 37,484 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\MW770.CAT
2007-11-22 18:10 31,281 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\FP4.CAT
2007-11-22 18:10 24,661 --a------ C:\WINDOWS\SYSTEM32\spxcoins.dll
2007-11-22 18:10 24,661 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\spxcoins.dll
2007-11-22 18:10 13,472 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\HPCRDP.CAT
2007-11-22 18:10 13,312 --a------ C:\WINDOWS\SYSTEM32\irclass.dll
2007-11-22 18:10 8,574 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\IASNT4.CAT
2007-11-22 18:10 7,710 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\OEMBIOS.CAT
2007-11-22 18:10 7,334 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wmerrenu.cat
2007-11-22 17:58 <DIR> d-------- C:\WINDOWS\dell
2007-11-20 20:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-18 19:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-11-18 19:51 350,920 --a------ C:\WINDOWS\SYSTEM32\vsconfig.xml
2007-11-18 19:50 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-18 19:06 <DIR> d-------- C:\Program Files\Registry Defender
2007-11-18 13:24 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-11-18 13:24 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2007-11-17 17:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 09:03 --------- d-----w C:\Program Files\BitLord
2007-11-17 17:37 --------- d-----w C:\Program Files\Logitech
2007-11-17 17:37 --------- d-----w C:\Program Files\Common Files\logishrd
2007-11-17 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2007-11-12 17:47 --------- d-----w C:\Documents and Settings\max\Application Data\HP
2007-11-07 15:19 --------- d-----w C:\Program Files\Dl_cats
2007-10-15 20:03 --------- d-----w C:\Program Files\Full Tilt Poker.Net
2007-10-11 17:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-08 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2007-10-06 09:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-05 19:43 --------- d-----w C:\Documents and Settings\mark\Application Data\Motive
2007-10-05 19:39 --------- d-----w C:\Program Files\BT Broadband Desktop Help
2007-10-05 19:38 --------- d-----w C:\Program Files\Common Files\Motive
2007-10-05 19:37 --------- d-----w C:\Program Files\Motive
2007-10-05 19:36 --------- d-----w C:\Program Files\BT Home Hub
2005-05-02 12:42 374,279 --sh--w C:\WINDOWS\Help\litusm.bak1
.

((((((((((((((((((((((((((((( snapshot@2007-11-27_11.31.21.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 07:39:12 4,212 ---ha-w C:\WINDOWS\SYSTEM32\zllictbl.dat
+ 2007-11-29 09:28:06 4,212 ---h--w C:\WINDOWS\SYSTEM32\zllictbl.dat
- 2007-11-26 18:13:50 6,878,638 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\spyware.dat
+ 2007-11-27 15:00:30 6,896,533 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\spyware.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"Uvyi"="C:\WINDOWS\system32\WWEXEC~1.EXE" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 10:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-01-26 00:41]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 01:01]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 15:30]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 01:05]
"vptray"="C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe" [2004-02-12 11:49]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-12 13:55 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-06 18:03]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 10:06]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 18:55]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-11-30 10:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [2007-08-22 12:34]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" []
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"54323f93"="C:\WINDOWS\system32\yagwgcwy.dll" [2007-11-24 18:43]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 13:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-12 14:01 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 05:00]

C:\Documents and Settings\sam\Start Menu\Programs\Startup\
eTomi Pro On Startup.lnk - C:\Program Files\eTomiPro\Gui\etomipro.exe [2005-02-08 14:15:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-03-16 14:24:02]
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [2007-10-05 19:37:10]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2005-02-07 18:53:16]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-01-28 18:35:59]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 17:10:04]
C:\WINDOWS\system32\NavLogon.dll 2004-02-12 11:38 45172 C:\WINDOWS\SYSTEM32\NavLogon.dll

S3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys
S3 BTKRNBDG;Bluetooth COM Bridge;C:\WINDOWS\system32\DRIVERS\btkrnbdg.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys
S3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20452f93-714b-11d9-a746-806d6172696f}]
\Shell\AutoRun\command - D:\Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-21 14:32:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 17:09:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 17:12:36 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-27 11:40
.
--- E O F ---

sludgeguts
2007-11-29, 18:19
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:15:47, on 29/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [54323f93] rundll32.exe "C:\WINDOWS\system32\yagwgcwy.dll",b
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Uvyi] C:\WINDOWS\system32\WWEXEC~1.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm413YYGB
O8 - Extra context menu item: Grip.com - file://C:\Program Files\GRIPCZ29\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195318132796
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 11409 bytes

__RiP_ChAiN_
2007-11-30, 22:00
Hello sludgeguts,

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

sludgeguts
2007-11-30, 22:17
Nothing found with the vundo fix

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:17:12, on 30/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [54323f93] rundll32.exe "C:\WINDOWS\system32\yagwgcwy.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Uvyi] C:\WINDOWS\system32\WWEXEC~1.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm413YYGB
O8 - Extra context menu item: Grip.com - file://C:\Program Files\GRIPCZ29\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195318132796
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 11430 bytes

__RiP_ChAiN_
2007-12-01, 22:00
Hello sludgeguts,

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older Java components and update:

Download the latest version of Java Runtime Environment (JRE) Version 6 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3 ... allows end-users to run Java applications".
Click the "Download" button to the right.
Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs (http://www.bleepingcomputer.com/forums/topic42133.html) and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

Let's run through ComboFix again, as it seems Vundo has come back into swing.

Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
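
The entries the helper is reacting to are visible in the HijackThis logs posted above: an HKLM Run value named with eight hex digits ([54323f93]) that loads a random-named DLL from system32 through rundll32 with a one-letter export (",b"), an HKCU Run value ([Uvyi]) pointing at an 8.3 short name in system32 (WWEXEC~1.EXE), and BHO/toolbar CLSIDs registered with "(no file)". The script below is an added example, not part of this thread or of HijackThis, VundoFix or ComboFix: it parses those line types and flags them with the heuristics a triager applies by eye (hex-digit value names, rundll32 with a missing or tiny export name, 8.3 short-name targets inside system32, orphaned CLSIDs). The sample log is assembled from lines in the posted logs; the regexes, thresholds and severity labels are assumptions of this example, and a hit is a reason to look at the file, not proof of infection.

```python
"""Heuristic triage of HijackThis O2/O3/O4 lines for Vundo-style autostart entries.

Added example for this thread; it is not part of HijackThis, VundoFix or ComboFix.
SAMPLE_LOG is constructed from lines in the logs posted above. The regexes,
severity labels and the "8 hex digits / tiny export name / 8.3 short name"
heuristics are the author's assumptions about what a triager looks for, not
signatures from any vendor.
"""
import re
from dataclasses import dataclass

# O4 autostart lines: "O4 - HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run|RunOnce): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# O2 BHO / O3 toolbar registrations whose backing file is gone
ORPHAN_RE = re.compile(r"^O[23] - .* - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - \(no file\)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")      # value names like 54323f93
SHORT_NAME_RE = re.compile(r"~\d+\.")            # 8.3 component like WWEXEC~1.EXE


@dataclass
class Finding:
    line: str
    severity: str   # "high", "medium" or "low" (assumed scale)
    reason: str


def split_command(cmd):
    """Split an autostart command into (executable, argument string)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def parse_rundll32_args(args):
    """Return (dll_path, export_name) from rundll32's 'dll,export' argument."""
    args = args.strip()
    if args.startswith('"'):
        end = args.find('"', 1)
        dll, rest = args[1:end], args[end + 1:]
    else:
        dll, sep, rest = args.partition(",")
        rest = sep + rest
    export = rest.lstrip(",").strip()
    return dll, (export.split(None, 1)[0] if export else "")


def triage_line(line):
    """Apply the heuristics to one HijackThis line; return a list of Findings."""
    findings = []
    m = ORPHAN_RE.match(line)
    if m:
        findings.append(Finding(line, "low",
            "orphaned BHO/toolbar CLSID %s with no backing file" % m.group("clsid")))
        return findings
    m = O4_RE.match(line)
    if not m:
        return findings
    name, cmd = m.group("name"), m.group("cmd")
    exe, args = split_command(cmd)
    exe_base = exe.rsplit("\\", 1)[-1]
    if HEX_NAME_RE.match(name):
        findings.append(Finding(line, "high",
            "value name %r is 8 hex digits rather than a product name" % name))
    if exe_base.lower() in ("rundll32.exe", "rundll32"):
        dll, export = parse_rundll32_args(args)
        # Legitimate rundll32 autostarts name a real export; a 0-2 character
        # export such as ",b" is the pattern seen in the posted log.
        if len(export) <= 2:
            findings.append(Finding(line, "high",
                "rundll32 loads %s through a %d-character export %r" % (dll, len(export), export)))
    if SHORT_NAME_RE.search(exe_base) and "system32" in exe.lower():
        findings.append(Finding(line, "medium",
            "autostart target %s is an 8.3 short name inside system32" % exe_base))
    return findings


def triage(log_text):
    """Run triage_line over every line of a HijackThis log."""
    results = []
    for line in log_text.splitlines():
        results.extend(triage_line(line.strip()))
    return results


# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [54323f93] rundll32.exe "C:\WINDOWS\system32\yagwgcwy.dll",b
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Uvyi] C:\WINDOWS\system32\WWEXEC~1.EXE
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%-6s] %s\n         %s" % (f.severity, f.reason, f.line))
```

Run against the sample it reports the two "(no file)" registrations as low, the [54323f93] line twice as high (hex-digit name, and a one-character export), and the [Uvyi] line as medium, while the legitimate rundll32 autostarts (bthprops.cpl and the Dell printer DLL, both with real export names) stay quiet. Anything it flags still has to be confirmed by looking at the file itself, which is what the helper's ComboFix and VundoFix steps do.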

sludgeguts
2007-12-02, 15:54
ComboFix 07-11-19.4 - max 2007-12-02 14:43:22.3 - NTFSx86
Running from: C:\Documents and Settings\max\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-12-02 14:41 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-02 14:41 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-12-02 14:22 <DIR> d-------- C:\WINDOWS\LastGood
2007-11-30 21:01 <DIR> d-------- C:\VundoFix Backups
2007-11-29 17:38 0 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\lvuvc.hs
2007-11-27 07:55 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-26 18:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-26 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-23 20:50 <DIR> d-------- C:\Program Files\Safer Networking
2007-11-22 19:39 28,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2007-11-22 19:38 83,748 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\prcp.nls
2007-11-22 19:38 83,748 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\prc.nls
2007-11-22 19:38 57,856 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_scripto.dll
2007-11-22 19:38 26,112 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_seos.dll
2007-11-22 19:38 23,040 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_regtrace.exe
2007-11-22 19:38 12,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_smtpctrs.dll
2007-11-22 19:38 7,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_snprfdll.dll
2007-11-22 19:37 482,304 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pintlgnt.ime
2007-11-22 19:37 131,584 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxviceo.dll
2007-11-22 19:37 70,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pintlphr.exe
2007-11-22 19:37 67,584 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmigrate.dll
2007-11-22 19:37 65,536 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_mailmsg.dll
2007-11-22 19:37 38,912 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_ntfsdrv.dll
2007-11-22 19:37 36,927 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\padrs411.dll
2007-11-22 19:37 14,336 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\padrs412.dll
2007-11-22 19:37 11,264 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxmcro.dll
2007-11-22 19:37 6,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxgl.dll
2007-11-22 19:36 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2007-11-22 19:36 10,129,408 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxkor.dll
2007-11-22 19:36 10,096,640 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxcht.dll
2007-11-22 19:36 173,602 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\c_20002.nls
2007-11-22 19:36 54,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cap7146.sys
2007-11-22 19:36 43,520 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_fcachdll.dll
2007-11-22 19:36 24,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fpadmcgi.exe
2007-11-22 19:36 14,848 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\flattemp.exe
2007-11-22 19:36 7,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\f3ahvoas.dll
2007-11-22 19:35 188,480 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cfgwiz.exe
2007-11-22 19:35 162,850 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\c_10001.nls
2007-11-22 19:35 45,056 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_aqadmin.dll
2007-11-22 19:35 5,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_adsiisex.dll
2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2007-11-22 19:30 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2007-11-22 19:28 214,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn1.exe
2007-11-22 19:28 86,016 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn2.exe
2007-11-22 19:28 32,768 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwdl.dll
2007-11-22 19:28 20,480 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\inetwiz.exe
2007-11-22 18:11 34 --a------ C:\WINDOWS\SYSTEM\oeminfo.ini
2007-11-22 18:10 2,012,670 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NT5.CAT
2007-11-22 18:10 1,086,058 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NTPRINT.CAT
2007-11-22 18:10 1,042,903 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\SP2.CAT
2007-11-22 18:10 797,189 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NT5IIS.CAT
2007-11-22 18:10 399,645 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\MAPIMIG.CAT
2007-11-22 18:10 382,952 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NT5INF.CAT
2007-11-22 18:10 37,484 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\MW770.CAT
2007-11-22 18:10 31,281 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\FP4.CAT
2007-11-22 18:10 24,661 --a------ C:\WINDOWS\SYSTEM32\spxcoins.dll
2007-11-22 18:10 24,661 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\spxcoins.dll
2007-11-22 18:10 13,472 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\HPCRDP.CAT
2007-11-22 18:10 13,312 --a------ C:\WINDOWS\SYSTEM32\irclass.dll
2007-11-22 18:10 8,574 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\IASNT4.CAT
2007-11-22 18:10 7,710 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\OEMBIOS.CAT
2007-11-22 18:10 7,334 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wmerrenu.cat
2007-11-22 17:58 <DIR> d-------- C:\WINDOWS\dell
2007-11-20 20:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-18 19:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-11-18 19:51 351,888 --a------ C:\WINDOWS\SYSTEM32\vsconfig.xml
2007-11-18 19:50 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-18 19:06 <DIR> d-------- C:\Program Files\Registry Defender
2007-11-18 13:24 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-11-18 13:24 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2007-11-17 17:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 14:41 --------- d-----w C:\Program Files\Java
2007-11-29 09:03 --------- d-----w C:\Program Files\BitLord
2007-11-24 18:43 84,545 ----a-w C:\WINDOWS\SYSTEM32\yagwgcwy.dll
2007-11-19 16:24 81,625 ----a-w C:\WINDOWS\SYSTEM32\whhfhrtt.dll
2007-11-17 17:37 --------- d-----w C:\Program Files\Logitech
2007-11-17 17:37 --------- d-----w C:\Program Files\Common Files\logishrd
2007-11-17 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2007-11-14 16:05 1,086,952 ----a-w C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-11-12 17:47 --------- d-----w C:\Documents and Settings\max\Application Data\HP
2007-11-07 15:19 --------- d-----w C:\Program Files\Dl_cats
2007-10-15 20:03 --------- d-----w C:\Program Files\Full Tilt Poker.Net
2007-10-11 17:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-08 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2007-10-06 09:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-05 19:43 --------- d-----w C:\Documents and Settings\mark\Application Data\Motive
2007-10-05 19:39 --------- d-----w C:\Program Files\BT Broadband Desktop Help
2007-10-05 19:38 --------- d-----w C:\Program Files\Common Files\Motive
2007-10-05 19:37 --------- d-----w C:\Program Files\Motive
2007-10-05 19:36 --------- d-----w C:\Program Files\BT Home Hub
2005-05-02 12:42 374,279 --sh--w C:\WINDOWS\Help\litusm.bak1
.

((((((((((((((((((((((((((((( snapshot@2007-11-27_11.31.21.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2003-11-19 16:36:26 24,681 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2007-09-24 22:30:28 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2003-11-19 16:36:30 28,779 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2007-09-24 22:30:30 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2007-09-24 23:31:42 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
- 2007-09-06 16:14:04 83,432 ----a-w C:\WINDOWS\SYSTEM32\vsdata.dll
+ 2007-11-14 16:04:52 83,432 ----a-w C:\WINDOWS\SYSTEM32\vsdata.dll
- 2007-09-06 16:14:28 395,080 ----a-w C:\WINDOWS\SYSTEM32\vsdatant.sys
+ 2007-11-14 16:05:16 394,952 ----a-w C:\WINDOWS\SYSTEM32\vsdatant.sys
- 2007-09-06 16:14:04 157,160 ----a-w C:\WINDOWS\SYSTEM32\vsinit.dll
+ 2007-11-14 16:04:52 157,160 ----a-w C:\WINDOWS\SYSTEM32\vsinit.dll
- 2007-09-06 16:14:04 103,912 ----a-w C:\WINDOWS\SYSTEM32\vsmonapi.dll
+ 2007-11-14 16:04:52 103,912 ----a-w C:\WINDOWS\SYSTEM32\vsmonapi.dll
- 2007-09-06 16:14:04 275,944 ----a-w C:\WINDOWS\SYSTEM32\vspubapi.dll
+ 2007-11-14 16:04:52 275,944 ----a-w C:\WINDOWS\SYSTEM32\vspubapi.dll
- 2007-09-06 16:14:04 71,144 ----a-w C:\WINDOWS\SYSTEM32\vsregexp.dll
+ 2007-11-14 16:04:52 71,144 ----a-w C:\WINDOWS\SYSTEM32\vsregexp.dll
- 2007-09-06 16:14:06 472,552 ----a-w C:\WINDOWS\SYSTEM32\vsutil.dll
+ 2007-11-14 16:04:54 472,552 ----a-w C:\WINDOWS\SYSTEM32\vsutil.dll
- 2007-09-06 16:14:06 46,568 ----a-w C:\WINDOWS\SYSTEM32\vswmi.dll
+ 2007-11-14 16:04:54 46,568 ----a-w C:\WINDOWS\SYSTEM32\vswmi.dll
- 2007-09-06 16:14:06 99,816 ----a-w C:\WINDOWS\SYSTEM32\vsxml.dll
+ 2007-11-14 16:04:54 99,816 ----a-w C:\WINDOWS\SYSTEM32\vsxml.dll
- 2007-09-06 16:14:06 83,432 ----a-w C:\WINDOWS\SYSTEM32\zlcomm.dll
+ 2007-11-14 16:04:56 83,432 ----a-w C:\WINDOWS\SYSTEM32\zlcomm.dll
- 2007-09-06 16:14:08 71,144 ----a-w C:\WINDOWS\SYSTEM32\zlcommdb.dll
+ 2007-11-14 16:04:56 71,144 ----a-w C:\WINDOWS\SYSTEM32\zlcommdb.dll
- 2007-11-27 07:39:12 4,212 ---ha-w C:\WINDOWS\SYSTEM32\zllictbl.dat
+ 2007-12-01 13:17:04 4,212 ---h--w C:\WINDOWS\SYSTEM32\zllictbl.dat
- 2007-09-06 16:13:56 99,816 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\camupd.dll
+ 2007-11-14 16:04:44 99,816 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\camupd.dll
- 2007-09-06 16:13:58 128,480 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\fbl.dll
+ 2007-11-14 16:04:46 128,480 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\fbl.dll
- 2007-09-06 16:13:58 38,376 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\featuremap.dll
+ 2007-11-14 16:04:46 38,376 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\featuremap.dll
- 2007-09-06 16:14:30 288,144 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2007-11-14 16:05:18 288,144 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\ConfigWizard.zip.dll
- 2007-09-06 16:14:30 152,976 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\licenseui.zip.dll
+ 2007-11-14 16:05:18 152,976 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\licenseui.zip.dll
- 2007-09-06 16:14:30 26,000 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\zlsvc.zip.dll
+ 2007-11-14 16:05:18 26,000 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\zlsvc.zip.dll
- 2007-09-06 16:14:32 1,361,296 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\zpy.zip.dll
+ 2007-11-14 16:05:18 1,361,296 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\zpy.zip.dll
- 2007-09-06 16:14:32 71,056 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\zui.zip.dll
+ 2007-11-14 16:05:20 71,056 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\zui.zip.dll
- 2007-09-06 16:15:50 30,184 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2007-11-14 16:06:34 30,184 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\plugins\rpc_server\rpc_server.dll
- 2007-09-06 16:15:52 30,216 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2007-11-14 16:06:36 30,216 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
- 2007-11-18 22:00:19 714,208 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\qrbase.dll
+ 2007-10-18 20:18:38 714,208 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\qrbase.dll
- 2007-11-18 22:00:19 787,936 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\qrsrecl.dll
+ 2007-10-18 20:18:38 787,936 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\qrsrecl.dll
- 2007-09-06 16:14:00 173,544 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\scheduler.dll
+ 2007-11-14 16:04:48 173,544 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\scheduler.dll
- 2007-11-26 18:13:50 6,878,638 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\spyware.dat
+ 2007-11-30 18:44:37 6,940,722 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\spyware.dat
- 2007-11-18 22:00:26 6,463,239 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\spyware0.dat
+ 2007-11-29 18:01:08 6,463,239 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\spyware0.dat
- 2007-11-18 22:00:19 1,500,640 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\srescan.dll
+ 2007-10-18 20:18:40 1,500,640 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\srescan.dll
- 2007-11-18 22:00:20 51,176 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\srescan.sys
+ 2007-10-18 20:18:44 51,176 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\srescan.sys
- 2007-09-06 16:14:02 456,168 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\ssleay32.dll
+ 2007-11-14 16:04:50 456,168 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\ssleay32.dll
- 2007-09-06 16:15:52 214,528 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2007-11-14 16:06:36 214,528 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
- 2007-08-01 06:30:04 833,248 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\updating.dll
+ 2007-10-11 16:50:32 832,984 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\updating.dll
- 2007-09-06 16:14:18 149,032 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\updclient.exe
+ 2007-11-14 16:05:06 144,936 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\updclient.exe
- 2007-09-06 16:14:04 108,008 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsavpro.dll
+ 2007-11-14 16:04:52 108,008 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsavpro.dll
- 2007-09-06 16:14:04 79,336 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsdb.dll
+ 2007-11-14 16:04:52 83,432 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsdb.dll
- 2007-09-06 16:14:18 75,304 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
+ 2007-11-14 16:05:06 75,304 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
- 2007-09-06 16:14:04 2,024,936 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsmondll.dll
+ 2007-11-14 16:04:52 2,029,032 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsmondll.dll
- 2007-09-06 16:14:06 1,345,000 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsruledb.dll
+ 2007-11-14 16:04:54 1,361,384 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsruledb.dll
- 2007-09-06 16:14:06 239,080 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsvault.dll
+ 2007-11-14 16:04:54 239,080 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsvault.dll
- 2007-09-06 16:14:08 177,640 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlparser.dll
+ 2007-11-14 16:04:56 177,640 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlparser.dll
- 2007-09-06 16:14:08 79,344 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlquarantine.dll
+ 2007-11-14 16:04:56 79,344 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlquarantine.dll
- 2007-09-06 16:14:08 382,440 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlsre.dll
+ 2007-11-14 16:04:58 382,440 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlsre.dll
- 2007-09-06 16:14:08 120,296 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlupdate.dll
+ 2007-11-14 16:04:58 120,296 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlupdate.dll
.
-- Snapshot reset to current date --
.

sludgeguts
2007-12-02, 15:55
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"Uvyi"="C:\WINDOWS\system32\WWEXEC~1.EXE" []
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 10:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-01-26 00:41]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 01:01]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 15:30]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 01:05]
"vptray"="C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe" [2004-02-12 11:49]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-12 13:55 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-06 18:03]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 10:06]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 18:55]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-11-30 10:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [2007-08-22 12:34]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" []
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" []
"54323f93"="C:\WINDOWS\system32\yagwgcwy.dll" [2007-11-24 18:43]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 13:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-12 14:01 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 05:00]

C:\Documents and Settings\sam\Start Menu\Programs\Startup\
eTomi Pro On Startup.lnk - C:\Program Files\eTomiPro\Gui\etomipro.exe [2005-02-08 14:15:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-03-16 14:24:02]
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [2007-10-05 19:37:10]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2005-02-07 18:53:16]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-01-28 18:35:59]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 17:10:04]
C:\WINDOWS\system32\NavLogon.dll 2004-02-12 11:38 45172 C:\WINDOWS\SYSTEM32\NavLogon.dll

S3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys
S3 BTKRNBDG;Bluetooth COM Bridge;C:\WINDOWS\system32\DRIVERS\btkrnbdg.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys
S3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20452f93-714b-11d9-a746-806d6172696f}]
\Shell\AutoRun\command - D:\Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-21 14:32:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 14:49:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-02 14:50:12
C:\ComboFix2.txt ... 2007-11-29 17:12
C:\ComboFix3.txt ... 2007-11-27 11:40
.
--- E O F ---

sludgeguts
2007-12-02, 15:56
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:55:43, on 02/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [54323f93] rundll32.exe "C:\WINDOWS\system32\yagwgcwy.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Uvyi] C:\WINDOWS\system32\WWEXEC~1.EXE
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm413YYGB
O8 - Extra context menu item: Grip.com - file://C:\Program Files\GRIPCZ29\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195318132796
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 11260 bytes
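The helper's eye is drawn in the log above to a Run value named like random hex (54323f93) that loads an eight-letter DLL from system32 through rundll32, to an autostart given as an 8.3 short name (WWEXEC~1.EXE), and to BHO/toolbar entries with "(no file)". As an added example, not from this thread or from HijackThis itself, the following script writes those by-eye checks down as heuristics; the sample lines are copied from the log above, and the regular expressions and the "8 lowercase letters" threshold are my own assumptions.

```python
"""Heuristic triage of HijackThis (HJT) O2/O3/O4 entries.

Added example, not part of the thread; it encodes the patterns a helper
looks for by eye.  Thresholds and regexes are assumptions, not HJT rules.
"""
import re
from typing import List, Tuple

# Subset of the HijackThis log posted above (copied from the post, not constructed).
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [54323f93] rundll32.exe "C:\WINDOWS\system32\yagwgcwy.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Uvyi] C:\WINDOWS\system32\WWEXEC~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

# O4 registry autostart line: hive, Run/RunOnce key, [value name], command.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\(?P<key>Run(?:Once)?): '
    r'\[(?P<value>[^\]]*)\] (?P<cmd>.*)$')
# O2 BHO / O3 toolbar whose CLSID is registered but whose file is gone.
ORPHAN_RE = re.compile(r'^O[23] - .* - \(no file\)$')
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$')            # e.g. 54323f93
RUNDLL_DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)\b', re.I)
RANDOM_STEM_RE = re.compile(r'^[a-z]{8}$')            # e.g. yagwgcwy (assumed threshold)
SHORTNAME_EXE_RE = re.compile(r'~\d+\.exe\b', re.I)   # e.g. WWEXEC~1.EXE


def loads_random_system32_dll(dll_path: str) -> bool:
    """True if the DLL sits directly in system32 and its stem is 8 lowercase letters.

    Heuristic only: a legitimate DLL that happens to have such a name is flagged too,
    so the result is a prompt for a closer look, not a verdict.
    """
    parent, _, name = dll_path.rpartition('\\')
    stem = name[:-4] if name.lower().endswith('.dll') else name
    return parent.lower().endswith('\\system32') and bool(RANDOM_STEM_RE.match(stem))


def analyse(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs for entries that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if ORPHAN_RE.match(line):
            findings.append(("orphaned BHO/toolbar entry: CLSID registered but file missing", line))
            continue
        m = O4_RE.match(line)
        if not m:
            continue  # Global Startup lines and other sections are not analysed here
        value, cmd = m.group("value"), m.group("cmd")
        if HEX_NAME_RE.match(value):
            findings.append(("Run value named like random hex rather than a product", line))
        dll = RUNDLL_DLL_RE.search(cmd)
        if dll and loads_random_system32_dll(dll.group(1)):
            findings.append(("rundll32 loading an 8-letter lowercase DLL from system32 (Vundo pattern)", line))
        if SHORTNAME_EXE_RE.search(cmd):
            findings.append(("autostart executable referenced by an 8.3 short name", line))
    return findings


if __name__ == "__main__":
    for reason, line in analyse(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

On the sample above it reports five findings: two orphaned entries, two reasons for the 54323f93 line and one for the Uvyi line, while the legitimate rundll32 entries (bthprops.cpl, DLCFtime.dll) pass.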

__RiP_ChAiN_
2007-12-05, 05:42
Hello sludgeguts,

Jotti File Submission:
Please go to Jotti's malware scan (http://virusscan.jotti.org/)

Copy and paste the following file path into the "File to upload & scan" box at the top of the page:

C:\WINDOWS\Help\litusm.bak1

Click on the submit button

Please post the results in your next reply.

1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:



File::
C:\WINDOWS\SYSTEM32\DRIVERS\lvuvc.hs
C:\WINDOWS\SYSTEM32\yagwgcwy.dll
C:\WINDOWS\SYSTEM32\whhfhrtt.dll

Folder::
C:\VundoFix Backups


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
Combofix.txt
A new HijackThis log.

sludgeguts
2007-12-05, 22:08

File: litusm.bak1
Status: OK
MD5: b58039bb413490de1e82daa3618f54d7
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 05 Dec 2007 21:02:57 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

sludgeguts
2007-12-05, 22:33
ComboFix 07-11-19.4 - max 2007-12-05 21:15:11.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.135 [GMT 0:00]
Running from: C:\Documents and Settings\max\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\max\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\SYSTEM32\DRIVERS\lvuvc.hs
C:\WINDOWS\SYSTEM32\whhfhrtt.dll
C:\WINDOWS\SYSTEM32\yagwgcwy.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\cookies.ini
C:\WINDOWS\SYSTEM32\DRIVERS\lvuvc.hs
C:\WINDOWS\SYSTEM32\whhfhrtt.dll
C:\WINDOWS\SYSTEM32\yagwgcwy.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.

2007-12-02 14:41 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-02 14:41 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-11-27 07:55 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-26 18:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-26 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-23 20:50 <DIR> d-------- C:\Program Files\Safer Networking
2007-11-22 19:39 28,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2007-11-22 19:38 83,748 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\prcp.nls
2007-11-22 19:38 83,748 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\prc.nls
2007-11-22 19:38 57,856 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_scripto.dll
2007-11-22 19:38 26,112 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_seos.dll
2007-11-22 19:38 23,040 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_regtrace.exe
2007-11-22 19:38 12,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_smtpctrs.dll
2007-11-22 19:38 7,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_snprfdll.dll
2007-11-22 19:37 482,304 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pintlgnt.ime
2007-11-22 19:37 131,584 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxviceo.dll
2007-11-22 19:37 70,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pintlphr.exe
2007-11-22 19:37 67,584 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmigrate.dll
2007-11-22 19:37 65,536 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_mailmsg.dll
2007-11-22 19:37 38,912 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_ntfsdrv.dll
2007-11-22 19:37 36,927 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\padrs411.dll
2007-11-22 19:37 14,336 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\padrs412.dll
2007-11-22 19:37 11,264 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxmcro.dll
2007-11-22 19:37 6,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxgl.dll
2007-11-22 19:36 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2007-11-22 19:36 10,129,408 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxkor.dll
2007-11-22 19:36 10,096,640 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxcht.dll
2007-11-22 19:36 173,602 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\c_20002.nls
2007-11-22 19:36 54,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cap7146.sys
2007-11-22 19:36 43,520 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_fcachdll.dll
2007-11-22 19:36 24,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fpadmcgi.exe
2007-11-22 19:36 14,848 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\flattemp.exe
2007-11-22 19:36 7,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\f3ahvoas.dll
2007-11-22 19:35 188,480 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cfgwiz.exe
2007-11-22 19:35 162,850 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\c_10001.nls
2007-11-22 19:35 45,056 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_aqadmin.dll
2007-11-22 19:35 5,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_adsiisex.dll
2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2007-11-22 19:30 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2007-11-22 19:28 214,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn1.exe
2007-11-22 19:28 86,016 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn2.exe
2007-11-22 19:28 32,768 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwdl.dll
2007-11-22 19:28 20,480 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\inetwiz.exe
2007-11-22 18:11 34 --a------ C:\WINDOWS\SYSTEM\oeminfo.ini
2007-11-22 18:10 2,012,670 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NT5.CAT
2007-11-22 18:10 1,086,058 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NTPRINT.CAT
2007-11-22 18:10 1,042,903 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\SP2.CAT
2007-11-22 18:10 797,189 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NT5IIS.CAT
2007-11-22 18:10 399,645 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\MAPIMIG.CAT
2007-11-22 18:10 382,952 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NT5INF.CAT
2007-11-22 18:10 37,484 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\MW770.CAT
2007-11-22 18:10 31,281 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\FP4.CAT
2007-11-22 18:10 24,661 --a------ C:\WINDOWS\SYSTEM32\spxcoins.dll
2007-11-22 18:10 24,661 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\spxcoins.dll
2007-11-22 18:10 13,472 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\HPCRDP.CAT
2007-11-22 18:10 13,312 --a------ C:\WINDOWS\SYSTEM32\irclass.dll
2007-11-22 18:10 8,574 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\IASNT4.CAT
2007-11-22 18:10 7,710 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\OEMBIOS.CAT
2007-11-22 18:10 7,334 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wmerrenu.cat
2007-11-22 17:58 <DIR> d-------- C:\WINDOWS\dell
2007-11-20 20:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-18 19:53 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-11-18 19:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-11-18 19:52 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-11-18 19:51 351,888 --a------ C:\WINDOWS\SYSTEM32\vsconfig.xml
2007-11-18 19:50 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-18 19:06 <DIR> d-------- C:\Program Files\Registry Defender
2007-11-18 13:24 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-11-18 13:24 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2007-11-17 17:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 14:41 --------- d-----w C:\Program Files\Java
2007-11-29 09:03 --------- d-----w C:\Program Files\BitLord
2007-11-17 17:37 --------- d-----w C:\Program Files\Logitech
2007-11-17 17:37 --------- d-----w C:\Program Files\Common Files\logishrd
2007-11-17 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2007-11-12 17:47 --------- d-----w C:\Documents and Settings\max\Application Data\HP
2007-11-07 15:19 --------- d-----w C:\Program Files\Dl_cats
2007-10-15 20:03 --------- d-----w C:\Program Files\Full Tilt Poker.Net
2007-10-11 17:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-08 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2007-10-06 09:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-05 19:43 --------- d-----w C:\Documents and Settings\mark\Application Data\Motive
2007-10-05 19:39 --------- d-----w C:\Program Files\BT Broadband Desktop Help
2007-10-05 19:38 --------- d-----w C:\Program Files\Common Files\Motive
2007-10-05 19:37 --------- d-----w C:\Program Files\Motive
2007-10-05 19:36 --------- d-----w C:\Program Files\BT Home Hub
2005-05-02 12:42 374,279 --sh--w C:\WINDOWS\Help\litusm.bak1
.

((((((((((((((((((((((((((((( snapshot_2007-12-02_14.49.28.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-30 18:44:37 6,940,722 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\spyware.dat
+ 2007-12-05 20:54:34 7,033,479 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\spyware.dat
- 2007-11-26 18:15:42 8,880,640 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlqrtdb.dat
+ 2007-12-02 18:32:04 8,880,640 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{040B7D23-99E1-BD14-BF1B-BFEE8A86EF9C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14DB7B51-B663-4BBA-9320-EB84949A098F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{197846A8-E57E-F0A4-16D4-8563E6C3B0FF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1AD5FCBE-100B-4D8F-7871-3CB6094DF4C3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34877841-C4D0-C554-A648-E82B2CE6D8CC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42C76E27-D4E8-8A39-CF3D-AAEF3E7DA299}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{449FC5FC-81F2-4A4A-A7C6-3E42A88C62C9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{525EB293-5C57-76FC-05B0-7032D76FB69F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5645ED67-538B-0D5B-817D-7C129130E693}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{599D53DB-B54C-BD94-6604-9C3C6058E0C4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A857019-91D0-9D02-A848-E82B2CE6D99E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88F78A1D-CD35-40F0-B3E5-946FB1BBF89A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C8A6B4D-6D6E-4843-891C-04439102F574}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A56A934A-85F4-4388-A362-BEB546E8F73C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AAEE8DC8-830F-496F-AE31-8D4A51C01914}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3FBAB34-16AC-4E79-DC2F-3EE600F60293}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f1b580b4-b04c-470f-8e10-0b5224ebab90}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"Uvyi"="C:\WINDOWS\system32\WWEXEC~1.EXE" []
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 10:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-01-26 00:41]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 01:01]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 15:30]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 01:05]
"vptray"="C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe" [2004-02-12 11:49]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-12 13:55 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-06 18:03]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 10:06]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 18:55]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-11-30 10:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [2007-08-22 12:34]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" []
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" []
"54323f93"="C:\WINDOWS\system32\yagwgcwy.dll" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 13:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-12 14:01 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 05:00]

C:\Documents and Settings\sam\Start Menu\Programs\Startup\
eTomi Pro On Startup.lnk - C:\Program Files\eTomiPro\Gui\etomipro.exe [2005-02-08 14:15:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-03-16 14:24:02]
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [2007-10-05 19:37:10]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2005-02-07 18:53:16]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-01-28 18:35:59]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 17:10:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfgge]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loctmiga]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\msutil]
C:\WINDOWS\system32\NavLogon.dll 2004-02-12 11:38 45172 C:\WINDOWS\SYSTEM32\NavLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\req]

S3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys
S3 BTKRNBDG;Bluetooth COM Bridge;C:\WINDOWS\system32\DRIVERS\btkrnbdg.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys
S3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20452f93-714b-11d9-a746-806d6172696f}]
\Shell\AutoRun\command - D:\Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-05 14:32:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 21:25:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-05 21:29:02 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-02 14:50
C:\ComboFix3.txt ... 2007-11-29 17:12
.
--- E O F ---

sludgeguts
2007-12-05, 22:34
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:30:43, on 05/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {040B7D23-99E1-BD14-BF1B-BFEE8A86EF9C} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} - (no file)
O2 - BHO: (no name) - {14DB7B51-B663-4BBA-9320-EB84949A098F} - (no file)
O2 - BHO: (no name) - {197846A8-E57E-F0A4-16D4-8563E6C3B0FF} - (no file)
O2 - BHO: (no name) - {1AD5FCBE-100B-4D8F-7871-3CB6094DF4C3} - (no file)
O2 - BHO: (no name) - {34877841-C4D0-C554-A648-E82B2CE6D8CC} - (no file)
O2 - BHO: (no name) - {42C76E27-D4E8-8A39-CF3D-AAEF3E7DA299} - (no file)
O2 - BHO: (no name) - {449FC5FC-81F2-4A4A-A7C6-3E42A88C62C9} - (no file)
O2 - BHO: (no name) - {525EB293-5C57-76FC-05B0-7032D76FB69F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5645ED67-538B-0D5B-817D-7C129130E693} - (no file)
O2 - BHO: (no name) - {599D53DB-B54C-BD94-6604-9C3C6058E0C4} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6A857019-91D0-9D02-A848-E82B2CE6D99E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {88F78A1D-CD35-40F0-B3E5-946FB1BBF89A} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9C8A6B4D-6D6E-4843-891C-04439102F574} - (no file)
O2 - BHO: (no name) - {A56A934A-85F4-4388-A362-BEB546E8F73C} - (no file)
O2 - BHO: (no name) - {AAEE8DC8-830F-496F-AE31-8D4A51C01914} - (no file)
O2 - BHO: (no name) - {B3FBAB34-16AC-4E79-DC2F-3EE600F60293} - (no file)
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: (no name) - {f1b580b4-b04c-470f-8e10-0b5224ebab90} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [54323f93] rundll32.exe "C:\WINDOWS\system32\yagwgcwy.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Uvyi] C:\WINDOWS\system32\WWEXEC~1.EXE
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm413YYGB
O8 - Extra context menu item: Grip.com - file://C:\Program Files\GRIPCZ29\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195318132796
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O20 - Winlogon Notify: hggfgge - C:\WINDOWS\
O20 - Winlogon Notify: loctmiga - C:\WINDOWS\
O20 - Winlogon Notify: msutil - C:\WINDOWS\
O20 - Winlogon Notify: req - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 13135 bytes

__RiP_ChAiN_
2007-12-06, 06:20
Hello sludgeguts,

A. Please RUN HijackThis
Click the SCAN button to produce a log.

Place a check mark beside each one of the following items:

O2 - BHO: (no name) - {040B7D23-99E1-BD14-BF1B-BFEE8A86EF9C} - (no file)
O2 - BHO: (no name) - {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} - (no file)
O2 - BHO: (no name) - {14DB7B51-B663-4BBA-9320-EB84949A098F} - (no file)
O2 - BHO: (no name) - {197846A8-E57E-F0A4-16D4-8563E6C3B0FF} - (no file)
O2 - BHO: (no name) - {1AD5FCBE-100B-4D8F-7871-3CB6094DF4C3} - (no file)
O2 - BHO: (no name) - {34877841-C4D0-C554-A648-E82B2CE6D8CC} - (no file)
O2 - BHO: (no name) - {42C76E27-D4E8-8A39-CF3D-AAEF3E7DA299} - (no file)
O2 - BHO: (no name) - {449FC5FC-81F2-4A4A-A7C6-3E42A88C62C9} - (no file)
O2 - BHO: (no name) - {525EB293-5C57-76FC-05B0-7032D76FB69F} - (no file)
O2 - BHO: (no name) - {5645ED67-538B-0D5B-817D-7C129130E693} - (no file)
O2 - BHO: (no name) - {599D53DB-B54C-BD94-6604-9C3C6058E0C4} - (no file)
O2 - BHO: (no name) - {6A857019-91D0-9D02-A848-E82B2CE6D99E} - (no file)
O2 - BHO: (no name) - {88F78A1D-CD35-40F0-B3E5-946FB1BBF89A} - (no file)
O2 - BHO: (no name) - {9C8A6B4D-6D6E-4843-891C-04439102F574} - (no file)
O2 - BHO: (no name) - {A56A934A-85F4-4388-A362-BEB546E8F73C} - (no file)
O2 - BHO: (no name) - {AAEE8DC8-830F-496F-AE31-8D4A51C01914} - (no file)
O2 - BHO: (no name) - {B3FBAB34-16AC-4E79-DC2F-3EE600F60293} - (no file)
O2 - BHO: (no name) - {f1b580b4-b04c-470f-8e10-0b5224ebab90} - (no file)
O4 - HKLM\..\Run: [54323f93] rundll32.exe "C:\WINDOWS\system32\yagwgcwy.dll",b
O4 - HKCU\..\Run: C:\WINDOWS\system32\WWEXEC~1.EXE
O20 - Winlogon Notify: hggfgge - C:\WINDOWS\
O20 - Winlogon Notify: loctmiga - C:\WINDOWS\
O20 - Winlogon Notify: msutil - C:\WINDOWS\
O20 - Winlogon Notify: req - C:\WINDOWS\


Now with all the items selected, and all windows closed except for HJT, delete them by clicking the Fix checked button. Close the HijackThis window.

B. 1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:



File::
C:\WINDOWS\system32\yagwgcwy.dll
C:\WINDOWS\system32\REQ.DLL

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif


6. After reboot (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix, then post the following reports/logs in your next reply: Combofix.txt and a new HijackThis log.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
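A small triage script for the three HijackThis entry shapes picked out for fixing above (O2 BHOs with "(no file)", the rundll32 O4 loader with a random DLL name, and O20 Winlogon Notify entries whose path is only a directory). This is an added example, not code from the thread, HijackThis or ComboFix; the scoring heuristics are the example's own and the sample log lines are constructed here from line shapes seen in the thread.

```python
"""
Triage helper for HijackThis (HJT) log lines.

Added example; not part of the forum thread and not HijackThis/ComboFix code.
It flags the entry patterns a helper typically selects for "Fix checked":

  * O2  - BHO entries whose DLL is "(no file)": orphaned CLSID registrations
  * O4  - Run entries that use rundll32 to load a system32 DLL with a
          random-looking name (the Virtumonde/Vundo loader shape), and Run
          entries with no value name at all (written to the key's default value)
  * O20 - Winlogon Notify entries whose path is a bare directory, i.e. HJT
          could not resolve the notification DLL

The heuristics are this example's own scoring, not HJT's. SAMPLE_LOG is
constructed from line shapes seen in the thread; it is not a real log.
"""
import re
from dataclasses import dataclass

RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<key>[^:]+): (?:\[(?P<value>[^\]]*)\] )?(?P<cmd>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# rundll32[.exe] <dll>[,<entrypoint>]; the DLL path may be quoted
RE_RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?(?:,(?P<entry>.*))?$', re.I)

# Constructed sample (shapes taken from the thread's logs; NavLogon O20 line is invented)
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {599D53DB-B54C-BD94-6604-9C3C6058E0C4} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [54323f93] rundll32.exe "C:\WINDOWS\system32\yagwgcwy.dll",b
O4 - HKCU\..\Run: C:\WINDOWS\system32\WWEXEC~1.EXE
O4 - Global Startup: BlueSoleil.lnk = ?
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: hggfgge - C:\WINDOWS\
"""


@dataclass(frozen=True)
class Finding:
    section: str   # O2 / O4 / O20
    line: str      # the original HJT line
    reasons: tuple # why it was flagged


def _stem(path: str) -> str:
    """File name without directory or extension: C:\\...\\yagwgcwy.dll -> yagwgcwy."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def rundll32_reasons(value: str, cmd: str) -> list:
    """Heuristic reasons for a Run entry that loads a DLL through rundll32 (empty if not rundll32)."""
    m = RE_RUNDLL.match(cmd.strip())
    if not m:
        return []
    dll = m.group("dll").strip()
    entry = (m.group("entry") or "").lstrip(",").strip()
    reasons = []
    if re.fullmatch(r"[0-9a-f]{8}", value, re.I):
        reasons.append("value name is an 8-hex-digit token, not a product name")
    if "\\system32\\" in dll.lower() and re.fullmatch(r"[a-z]{6,12}", _stem(dll)):
        reasons.append(f"DLL '{_stem(dll)}' in system32 has a random-looking name")
    if len(entry) == 1:
        reasons.append(f"export name is a single character ('{entry}')")
    return reasons


def triage(log_text: str) -> list:
    """Return the suspicious O2/O4/O20 entries of an HJT log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RE_O2.match(line):
            if m.group("path").strip() == "(no file)":
                findings.append(Finding("O2", line, ("BHO CLSID registered but its DLL is missing (orphaned entry)",)))
        elif m := RE_O4.match(line):
            key, value, cmd = m.group("key"), m.group("value"), m.group("cmd")
            if value is None:
                if "\\Run" in key:  # registry Run keys only, not Global Startup / Startup folders
                    findings.append(Finding("O4", line, ("Run entry has no value name (written to the key's default value)",)))
                continue
            reasons = rundll32_reasons(value, cmd)
            if len(reasons) >= 2:  # two independent signals before we flag a rundll32 launcher
                findings.append(Finding("O4", line, tuple(reasons)))
        elif m := RE_O20.match(line):
            if m.group("path").strip().endswith("\\"):
                findings.append(Finding("O20", line, ("Winlogon Notify path is a bare directory; DLL name could not be resolved",)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print(f"      - {r}")
```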

sludgeguts
2007-12-06, 20:39
ComboFix 07-11-19.4 - max 2007-12-06 19:30:05.5 - NTFSx86
Running from: C:\Documents and Settings\max\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\max\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\REQ.DLL
C:\WINDOWS\system32\yagwgcwy.dll
.

((((((((((((((((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
.

2007-12-06 19:14 <DIR> d-------- C:\WINDOWS\LastGood
2007-12-06 19:12 0 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\lvuvc.hs
2007-12-02 14:41 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-02 14:41 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-11-27 07:55 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-26 18:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-26 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-23 20:50 <DIR> d-------- C:\Program Files\Safer Networking
2007-11-22 19:39 28,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2007-11-22 19:38 83,748 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\prcp.nls
2007-11-22 19:38 83,748 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\prc.nls
2007-11-22 19:38 57,856 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_scripto.dll
2007-11-22 19:38 26,112 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_seos.dll
2007-11-22 19:38 23,040 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_regtrace.exe
2007-11-22 19:38 12,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_smtpctrs.dll
2007-11-22 19:38 7,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_snprfdll.dll
2007-11-22 19:37 482,304 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pintlgnt.ime
2007-11-22 19:37 131,584 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxviceo.dll
2007-11-22 19:37 70,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pintlphr.exe
2007-11-22 19:37 67,584 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmigrate.dll
2007-11-22 19:37 65,536 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_mailmsg.dll
2007-11-22 19:37 38,912 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_ntfsdrv.dll
2007-11-22 19:37 36,927 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\padrs411.dll
2007-11-22 19:37 14,336 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\padrs412.dll
2007-11-22 19:37 11,264 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxmcro.dll
2007-11-22 19:37 6,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxgl.dll
2007-11-22 19:36 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2007-11-22 19:36 10,129,408 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxkor.dll
2007-11-22 19:36 10,096,640 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxcht.dll
2007-11-22 19:36 173,602 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\c_20002.nls
2007-11-22 19:36 54,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cap7146.sys
2007-11-22 19:36 43,520 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_fcachdll.dll
2007-11-22 19:36 24,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fpadmcgi.exe
2007-11-22 19:36 14,848 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\flattemp.exe
2007-11-22 19:36 7,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\f3ahvoas.dll
2007-11-22 19:35 188,480 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cfgwiz.exe
2007-11-22 19:35 162,850 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\c_10001.nls
2007-11-22 19:35 45,056 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_aqadmin.dll
2007-11-22 19:35 5,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_adsiisex.dll
2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2007-11-22 19:30 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2007-11-22 19:28 214,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn1.exe
2007-11-22 19:28 86,016 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn2.exe
2007-11-22 19:28 32,768 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwdl.dll
2007-11-22 19:28 20,480 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\inetwiz.exe
2007-11-22 18:11 34 --a------ C:\WINDOWS\SYSTEM\oeminfo.ini
2007-11-22 18:10 2,012,670 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NT5.CAT
2007-11-22 18:10 1,086,058 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NTPRINT.CAT
2007-11-22 18:10 1,042,903 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\SP2.CAT
2007-11-22 18:10 797,189 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NT5IIS.CAT
2007-11-22 18:10 399,645 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\MAPIMIG.CAT
2007-11-22 18:10 382,952 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NT5INF.CAT
2007-11-22 18:10 37,484 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\MW770.CAT
2007-11-22 18:10 31,281 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\FP4.CAT
2007-11-22 18:10 24,661 --a------ C:\WINDOWS\SYSTEM32\spxcoins.dll
2007-11-22 18:10 24,661 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\spxcoins.dll
2007-11-22 18:10 13,472 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\HPCRDP.CAT
2007-11-22 18:10 13,312 --a------ C:\WINDOWS\SYSTEM32\irclass.dll
2007-11-22 18:10 8,574 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\IASNT4.CAT
2007-11-22 18:10 7,710 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\OEMBIOS.CAT
2007-11-22 18:10 7,334 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wmerrenu.cat
2007-11-22 17:58 <DIR> d-------- C:\WINDOWS\dell
2007-11-20 20:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-18 19:53 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-11-18 19:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-11-18 19:52 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-11-18 19:51 351,888 --a------ C:\WINDOWS\SYSTEM32\vsconfig.xml
2007-11-18 19:50 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-18 19:06 <DIR> d-------- C:\Program Files\Registry Defender
2007-11-18 13:24 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-11-18 13:24 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2007-11-17 17:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 14:41 --------- d-----w C:\Program Files\Java
2007-11-29 09:03 --------- d-----w C:\Program Files\BitLord
2007-11-17 17:37 --------- d-----w C:\Program Files\Logitech
2007-11-17 17:37 --------- d-----w C:\Program Files\Common Files\logishrd
2007-11-17 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2007-11-12 17:47 --------- d-----w C:\Documents and Settings\max\Application Data\HP
2007-11-07 15:19 --------- d-----w C:\Program Files\Dl_cats
2007-10-15 20:03 --------- d-----w C:\Program Files\Full Tilt Poker.Net
2007-10-11 17:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-08 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2007-10-06 09:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2005-05-02 12:42 374,279 --sh--w C:\WINDOWS\Help\litusm.bak1
.

((((((((((((((((((((((((((((( snapshot_2007-12-02_14.49.28.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-30 18:44:37 6,940,722 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\spyware.dat
+ 2007-12-06 19:24:47 7,060,547 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\spyware.dat
- 2007-11-26 18:15:42 8,880,640 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlqrtdb.dat
+ 2007-12-02 18:32:04 8,880,640 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 10:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-01-26 00:41]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 01:01]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 15:30]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 01:05]
"vptray"="C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe" [2004-02-12 11:49]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-12 13:55 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-06 18:03]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 10:06]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 18:55]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-11-30 10:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [2007-08-22 12:34]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" []
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 13:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-12 14:01 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 05:00]

C:\Documents and Settings\sam\Start Menu\Programs\Startup\
eTomi Pro On Startup.lnk - C:\Program Files\eTomiPro\Gui\etomipro.exe [2005-02-08 14:15:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-03-16 14:24:02]
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [2007-10-05 19:37:10]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2005-02-07 18:53:16]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-01-28 18:35:59]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 17:10:04]
C:\WINDOWS\system32\NavLogon.dll 2004-02-12 11:38 45172 C:\WINDOWS\SYSTEM32\NavLogon.dll

S3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys
S3 BTKRNBDG;Bluetooth COM Bridge;C:\WINDOWS\system32\DRIVERS\btkrnbdg.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys
S3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20452f93-714b-11d9-a746-806d6172696f}]
\Shell\AutoRun\command - D:\Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-05 14:32:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 19:35:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-06 19:36:48
C:\ComboFix2.txt ... 2007-12-05 21:29
C:\ComboFix3.txt ... 2007-12-02 14:50
.
--- E O F ---

sludgeguts
2007-12-06, 20:40
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:37:31, on 06/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm413YYGB
O8 - Extra context menu item: Grip.com - file://C:\Program Files\GRIPCZ29\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195318132796
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 11177 bytes

__RiP_ChAiN_
2007-12-07, 07:22
Hello sludgeguts,

Let's do a quick panda scan and see what else is still hiding out, I believe we might be nearing completion here :)

Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan. Once you are on the Panda site, click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

sludgeguts
2007-12-07, 19:51
Incident Status Location

Adware:adware/mediatickets Not disinfected C:\WINDOWS\system32\oins.exe
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D62A517-E7C6-4E1F-A577-07D4AC549A48}
Spyware:spyware/virtumonde Not disinfected Windows Registry
Adware:adware/comet Not disinfected Windows Registry
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Briss\Cookies\briss@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Briss\Cookies\briss@888[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Briss\Cookies\briss@adrevolver[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Briss\Cookies\briss@ads.pointroll[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Briss\Cookies\briss@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Briss\Cookies\briss@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Briss\Cookies\briss@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Briss\Cookies\briss@bs.serving-sys[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Briss\Cookies\briss@cassava[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Briss\Cookies\briss@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Briss\Cookies\briss@mediaplex[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Briss\Cookies\briss@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Briss\Cookies\briss@questionmarket[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Briss\Cookies\briss@serving-sys[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Briss\Cookies\briss@tradedoubler[2].txt
Spyware:Cookie/Golden Palace Online Casino Not disinfected C:\Documents and Settings\Briss\Cookies\briss@www.goldenpalace[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\mark\Cookies\mark@ad.yieldmanager[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\mark\Cookies\mark@advertising[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\mark\Cookies\mark@advertising[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\mark\Cookies\mark@advertising[3].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\mark\Cookies\mark@advertising[4].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\mark\Cookies\mark@apmebf[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\mark\Cookies\mark@atdmt[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\mark\Cookies\mark@casalemedia[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\mark\Cookies\mark@casalemedia[3].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\mark\Cookies\mark@casalemedia[4].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\mark\Cookies\mark@casalemedia[5].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\mark\Cookies\mark@doubleclick[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\mark\Cookies\mark@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\mark\Cookies\mark@perf.overture[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\mark\Cookies\mark@statse.webtrendslive[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\max\Cookies\max@247realmedia[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\max\Cookies\max@ad.yieldmanager[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\max\Cookies\max@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\max\Cookies\max@bs.serving-sys[2].txt
Spyware:Cookie/Casinotropez Not disinfected C:\Documents and Settings\max\Cookies\max@casinotropez[2].txt
Spyware:Cookie/Comclick Not disinfected C:\Documents and Settings\max\Cookies\max@fl01.ct2.comclick[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\max\Cookies\max@i.screensavers[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\max\Cookies\max@int.sitestat[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\max\Cookies\max@int.sitestat[2].txt
Spyware:Cookie/AspinallsOnlineCasino Not disinfected C:\Documents and Settings\max\Cookies\max@pacificpoker[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\max\Cookies\max@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\max\Cookies\max@serving-sys[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\max\Cookies\max@toplist[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\max\Cookies\max@tradedoubler[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\max\Cookies\max@xiti[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\max\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\max\Desktop\ComboFix.exe[nircmd.cfexe]

sludgeguts
2007-12-07, 19:53
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@247realmedia[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@ad.yieldmanager[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@adultfriendfinder[1].txt
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@adviva[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@as1.falkag[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@azjmp[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@ccbill[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@gostats[2].txt
Spyware:Cookie/Itrack Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@ilead.itrack[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@int.sitestat[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@int.sitestat[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@server.iad.liveperson[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@statse.webtrendslive[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@toplist[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@tradedoubler[2].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@weborama[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@webpower[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@yadro[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\mickey\Local Settings\Temp\Cookies\mickey@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\mickey\Local Settings\Temp\Cookies\mickey@doubleclick[1].txt
Virus:Generic Malware Disinfected C:\Documents and Settings\mickey\Local Settings\Temp\sta39F.exe
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\sam\Cookies\sam@247realmedia[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\sam\Cookies\sam@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\sam\Cookies\sam@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\sam\Cookies\sam@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\sam\Cookies\sam@adopt.hbmediapro[1].txt
Spyware:Cookie/ads.tripod.lycos.com Not disinfected C:\Documents and Settings\sam\Cookies\sam@ads.tripod.lycos[3].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\sam\Cookies\sam@adultfriendfinder[1].txt
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\sam\Cookies\sam@adviva[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\sam\Cookies\sam@azjmp[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\sam\Cookies\sam@belnk[2].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\sam\Cookies\sam@cassava[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\sam\Cookies\sam@cs.sexcounter[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\sam\Cookies\sam@ct.360i[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\sam\Cookies\sam@did-it[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\sam\Cookies\sam@dist.belnk[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\sam\Cookies\sam@drivecleaner[2].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\sam\Cookies\sam@fe.lea.lycos[1].txt
Spyware:Cookie/Comclick Not disinfected C:\Documents and Settings\sam\Cookies\sam@fl01.ct2.comclick[2].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\sam\Cookies\sam@goclick[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\sam\Cookies\sam@go[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\sam\Cookies\sam@i.screensavers[1].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\sam\Cookies\sam@kount[2].txt
Spyware:Cookie/Lop Not disinfected C:\Documents and Settings\sam\Cookies\sam@mp3search[1].txt
Spyware:Cookie/WegCash Not disinfected C:\Documents and Settings\sam\Cookies\sam@programs.wegcash[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\sam\Cookies\sam@rightmedia[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\sam\Cookies\sam@searchportal.information[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\sam\Cookies\sam@server.iad.liveperson[1].txt

sludgeguts
2007-12-07, 19:54
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\sam\Cookies\sam@stats.drivecleaner[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\sam\Cookies\sam@statse.webtrendslive[2].txt
Spyware:Cookie/SaveNow Not disinfected C:\Documents and Settings\sam\Cookies\sam@tracking.thunderdownloads[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\sam\Cookies\sam@tradedoubler[1].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\sam\Cookies\sam@weborama[2].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\sam\Cookies\sam@webpower[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\sam\Cookies\sam@www.drivecleaner[1].txt
Spyware:Cookie/Intelli-tracker Not disinfected C:\Documents and Settings\sam\Cookies\sam@www.intelli-tracker[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\sam\Cookies\sam@www.myaffiliateprogram[2].txt
Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\sam\Cookies\sam@www.web-stat[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\sam\Cookies\sam@xiti[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\sam\Cookies\sam@xmts[2].txt
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\sam\Cookies\sam@xxxcounter[2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\sam\Cookies\sam@yadro[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\sue\Cookies\sue@112.2o7[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\sue\Cookies\sue@247realmedia[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\sue\Cookies\sue@adrevolver[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\sue\Cookies\sue@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\sue\Cookies\sue@ads.pointroll[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\sue\Cookies\sue@adtech[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\sue\Cookies\sue@advertising[1].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\sue\Cookies\sue@anm.co[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\sue\Cookies\sue@as-eu.falkag[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\sue\Cookies\sue@as-us.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\sue\Cookies\sue@atdmt[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\sue\Cookies\sue@azjmp[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\sue\Cookies\sue@bs.serving-sys[2].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\sue\Cookies\sue@centrport[1].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\sue\Cookies\sue@citi.bridgetrack[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\sue\Cookies\sue@com[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\sue\Cookies\sue@did-it[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\sue\Cookies\sue@doubleclick[2].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\sue\Cookies\sue@enhance[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\sue\Cookies\sue@int.sitestat[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\sue\Cookies\sue@int.sitestat[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\sue\Cookies\sue@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\sue\Cookies\sue@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\sue\Cookies\sue@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\sue\Cookies\sue@questionmarket[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\sue\Cookies\sue@revenue[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\sue\Cookies\sue@rightmedia[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\sue\Cookies\sue@searchportal.information[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\sue\Cookies\sue@server.iad.liveperson[4].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\sue\Cookies\sue@serving-sys[1].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\sue\Cookies\sue@stat.onestat[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\sue\Cookies\sue@statcounter[2].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\sue\Cookies\sue@tickle[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\sue\Cookies\sue@tribalfusion[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\sue\Cookies\sue@www.myaffiliateprogram[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\sue\Cookies\sue@xiti[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\sue\Cookies\sue@xmts[2].txt

sludgeguts
2007-12-07, 19:56
Adware:Adware/PurityScan Not disinfected C:\qoobox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\audofben.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\cnjvjtqk.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\jokpcjje.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\qpkvyobf.exe.vir
Adware:Adware/PurityScan Not disinfected C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\regsvr32.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\rxdnblub.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\uansobhs.exe.vir
Spyware:Spyware/Vundo Not disinfected C:\qoobox\Quarantine\catchme2007-11-27_112830.07.zip[jkhhe.dll]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\Motive\btbb\pskill.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Virus:Trj/Lineage.AJO Disinfected C:\WINDOWS\SYSTEM32\dhsoux.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\SYSTEM32\Shex.exe

__RiP_ChAiN_
2007-12-07, 23:35
Hello sludgeguts :)

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only

Run ATF Cleaner: Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

1. Please open Notepad
Click Start , then Run
Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\Shex.exe
C:\WINDOWS\system32\oins.exe

Registry::
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D62A517-E7C6-4E1F-A577-07D4AC549A48}]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
Combofix.txt
A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
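
The three ActiveScan posts above and the CFScript in this reply are the two halves of one decision: which "Not disinfected" lines actually need a File:: entry. The script below is an added example, written for this page and not code from the thread, from Panda or from ComboFix. It parses result lines in the "Category:Family Status Path" layout of the scan output, sorts them into buckets a helper would treat differently (tracking cookies, items already in ComboFix's qoobox quarantine, detections inside a container such as ComboFix.exe[nircmd.exe], dual-use tools such as pskill that need a human decision, and live files that are candidates for removal), and renders the File::/Registry:: script format shown in the reply. The sample lines and the registry key in the test are constructed to match the posted format; the bucket names and the rule that PUA detections go to "review" rather than "remove" are this example's own choices.

```python
"""Triage ActiveScan-style result lines and draft a ComboFix CFScript.

Added example, not part of the thread. Sample lines below are constructed
in the same "Category:Family Status Path" layout as the scan output posted
above; the classification rules are this example's own heuristics.
"""
import re
from typing import Dict, List, Optional

# One result per line. Status is a fixed literal, so a non-greedy family
# match copes with families that contain spaces ("Cookie/Atlas DMT").
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<family>.+?)\s+"
    r"(?P<status>Not disinfected|Disinfected)\s+(?P<path>\S.*)$"
)

# Constructed sample in the layout of the posted scan (not the full scan).
SAMPLE_SCAN = [
    r"Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\sue\Cookies\sue@atdmt[2].txt",
    r"Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\audofben.dll.vir",
    r"Virus:Trj/Lineage.AJO Disinfected C:\WINDOWS\SYSTEM32\dhsoux.dll",
    r"Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\Motive\btbb\pskill.exe",
    r"Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\max\Desktop\ComboFix.exe[nircmd.exe]",
    r"Adware:Adware/PurityScan Not disinfected C:\WINDOWS\SYSTEM32\Shex.exe",
    "this line is not a scan result",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the four fields of a result line, or None for non-result text."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(hit: Dict[str, str]) -> str:
    """Assign a result to a triage bucket (example heuristics, not Panda's)."""
    path = hit["path"].lower()
    if hit["status"] == "Disinfected":
        return "cleaned"        # scanner already handled it; keep for the record
    if hit["family"].startswith("Cookie/"):
        return "cookie"         # tracking cookie: data, not code; browser cleanup, not CFScript
    if "\\qoobox\\quarantine\\" in path or path.endswith(".vir"):
        return "quarantined"    # already moved aside and renamed by ComboFix
    if "[" in hit["path"]:
        return "archived"       # detection inside a container, e.g. a tool bundled in ComboFix.exe
    if hit["category"].lower().startswith("potentially unwanted"):
        return "review"         # dual-use admin tool (pskill, nircmd): decide by hand
    return "remove"             # live malware/adware file: candidate for a File:: entry


def triage(lines) -> Dict[str, List[str]]:
    """Group paths by bucket; lines that are not results are skipped."""
    buckets: Dict[str, List[str]] = {}
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        buckets.setdefault(classify(hit), []).append(hit["path"])
    return buckets


def build_cfscript(files: List[str], registry_keys: List[str]) -> str:
    """Render the File::/Registry:: layout used in the helper's reply.

    A registry key written as [-KEY] is a deletion; keys given bare are wrapped.
    """
    out = ["File::", *files, "", "Registry::"]
    for key in registry_keys:
        out.append(key if key.startswith("[-") else f"[-{key}]")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    buckets = triage(SAMPLE_SCAN)
    for name, paths in sorted(buckets.items()):
        print(f"{name}: {len(paths)} item(s)")
    print(build_cfscript(buckets.get("remove", []), []))
```

The point of the buckets is what the helper did by hand: the hundreds of cookie lines and the qoobox entries contribute nothing to the script, the PUA detections on pskill.exe and NirCmd.exe are legitimate tools (the scan even reports nircmd inside ComboFix.exe itself), and only the live PurityScan file ends up in File::. The helper's actual script also lists oins.exe and a registry key that come from elsewhere in the thread, not from these scan lines; a generated draft is a starting point for that judgement, not a replacement for it.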

sludgeguts
2007-12-08, 10:31
ComboFix 07-12-08.1 - max 2007-12-08 9:20:53.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.179 [GMT 0:00]
Running from: C:\Documents and Settings\max\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\max\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\oins.exe
C:\WINDOWS\SYSTEM32\Shex.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\oins.exe
C:\WINDOWS\SYSTEM32\Shex.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-08 to 2007-12-08 )))))))))))))))))))))))))))))))
.

2007-12-08 09:11 . 2007-12-08 09:11 <DIR> d-------- C:\WINDOWS\LastGood
2007-12-07 15:54 . 2007-12-07 18:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-12-07 15:54 . 2007-12-07 15:54 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-12-07 15:54 . 2007-12-07 15:54 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2007-12-06 19:12 . 2007-12-08 09:08 0 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\lvuvc.hs
2007-12-02 14:41 . 2007-12-02 14:41 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-02 14:41 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-11-27 07:55 . 2007-11-27 07:55 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-26 18:49 . 2007-11-26 18:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-26 18:49 . 2007-11-26 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-24 18:43 . 2007-12-05 21:13 808,848 ---hs---- C:\WINDOWS\SYSTEM32\ywcgwgay.ini
2007-11-23 20:50 . 2007-11-23 20:52 <DIR> d-------- C:\Program Files\Safer Networking
2007-11-22 19:59 . 2007-11-22 19:59 2,422 --a------ C:\WINDOWS\SYSTEM32\wpa.bak
2007-11-22 19:39 . 2004-08-12 14:10 28,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2007-11-22 19:37 . 2004-08-12 13:58 1,875,968 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex
2007-11-22 19:36 . 2004-08-12 13:58 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2007-11-22 19:35 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll
2007-11-22 19:30 . 2007-11-22 19:30 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2007-11-22 19:30 . 2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2007-11-22 19:30 . 2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2007-11-22 19:30 . 2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2007-11-22 19:30 . 2007-11-22 19:30 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2007-11-22 19:29 . 2004-08-12 13:58 16,384 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\isignup.exe
2007-11-22 19:28 . 2004-08-12 13:57 214,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn1.exe
2007-11-22 19:28 . 2004-08-12 13:57 86,016 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn2.exe
2007-11-22 19:28 . 2004-08-12 13:57 32,768 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwdl.dll
2007-11-22 19:28 . 2004-08-12 13:58 20,480 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\inetwiz.exe
2007-11-22 18:11 . 2007-11-22 18:11 34 --a------ C:\WINDOWS\SYSTEM\oeminfo.ini
2007-11-22 17:58 . 2007-11-22 17:58 <DIR> d-------- C:\WINDOWS\dell
2007-11-20 20:03 . 2007-11-23 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-18 19:53 . 2007-12-05 21:24 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-11-18 19:52 . 2007-12-07 18:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-11-18 19:52 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-11-18 19:51 . 2007-12-08 09:10 351,888 --a------ C:\WINDOWS\SYSTEM32\vsconfig.xml
2007-11-18 19:50 . 2007-12-07 19:58 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-18 19:06 . 2007-11-18 21:03 <DIR> d-------- C:\Program Files\Registry Defender
2007-11-18 13:24 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-11-18 13:24 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2007-11-17 17:38 . 2007-11-17 17:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-17 11:39 . 2007-11-17 14:59 489 --a------ C:\WINDOWS\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-07 18:09 --------- d-----w C:\Program Files\iTunes
2007-12-07 17:58 --------- d-----w C:\Program Files\DellSupport
2007-12-07 17:57 --------- d-----w C:\Program Files\Dell Photo AIO Printer 922
2007-12-07 17:56 --------- d-----w C:\Program Files\Common Files\Motive
2007-12-07 17:55 --------- d-----w C:\Program Files\btbb_wcm
2007-12-07 16:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-12-07 15:48 --------- d-----w C:\Program Files\Dl_cats
2007-12-06 19:12 2,811,364 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-02 14:41 --------- d-----w C:\Program Files\Java
2007-11-29 09:03 --------- d-----w C:\Program Files\BitLord
2007-11-27 07:30 61,539 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_11_25_21_44_20_small.dmp.zip
2007-11-27 07:30 61,435 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_11_25_21_44_32_small.dmp.zip
2007-11-25 19:49 194,771 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_25_18_01_20_small.dmp.zip
2007-11-25 19:49 180,683 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_25_18_01_39_small.dmp.zip
2007-11-21 10:38 66,056 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_19_20_39_55_small.dmp.zip
2007-11-21 10:38 215,145 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_19_20_32_51_small.dmp.zip
2007-11-21 10:38 185,660 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_19_20_32_29_small.dmp.zip
2007-11-17 17:37 --------- d-----w C:\Program Files\Logitech
2007-11-17 17:37 --------- d-----w C:\Program Files\Common Files\logishrd
2007-11-17 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2007-11-12 17:47 --------- d-----w C:\Documents and Settings\max\Application Data\HP
2007-10-15 20:03 --------- d-----w C:\Program Files\Full Tilt Poker.Net
2007-10-11 17:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-08 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2005-05-02 12:42 374,279 --sh--w C:\WINDOWS\Help\litusm.bak1
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 10:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-01-26 00:41]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 01:01]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 15:30]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 01:05]
"vptray"="C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe" [2004-02-12 11:49]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-12 13:55 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-06 18:03]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 10:06]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 18:55]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-11-30 10:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [2007-08-22 12:34]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" []
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 13:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-12 14:01 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 05:00]

C:\Documents and Settings\sam\Start Menu\Programs\Startup\
eTomi Pro On Startup.lnk - C:\Program Files\eTomiPro\Gui\etomipro.exe [2005-02-08 14:15:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-03-16 14:24:02]
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [2007-10-05 19:37:10]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2005-02-07 18:53:16]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-01-28 18:35:59]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 17:10:04]

S3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys
S3 BTKRNBDG;Bluetooth COM Bridge;C:\WINDOWS\system32\DRIVERS\btkrnbdg.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys
S3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20452f93-714b-11d9-a746-806d6172696f}]
\Shell\AutoRun\command - D:\Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-05 14:32:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-08 09:26:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-08 9:27:35
C:\ComboFix2.txt ... 2007-12-06 19:36
C:\ComboFix3.txt ... 2007-12-05 21:29
.
--- E O F ---
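
The "Files Created" block in a ComboFix log is where a helper looks for recent drops that the scanners missed, and two things stand out when reading it by eye: files carrying both the hidden and system attributes (the "---hs----" entry in the log above) and eight-letter lowercase names in SYSTEM32 like the ones already sitting in quarantine. The parser below is an added example for this page, not ComboFix code and not a verdict on any file in the log. It reads lines in the "created . modified size attrs path" layout shown above, decodes the size and attribute string, and applies those two review heuristics. The sample lines are constructed in that layout (a few copied from the log, one made up to exercise the name check); the threshold of exactly eight lowercase letters is an assumption and will also flag some legitimate files, so its output is a list to inspect, not a list to delete.

```python
"""Flag entries in a ComboFix "Files Created" block for manual review.

Added example, not ComboFix's own code. Lines are constructed in the layout
of the log above: "<created> . <modified> <size|<DIR>> <attrs> <path>".
Attributes are read by letter (d, r, a, h, s, c), not by column position.
"""
import re
from typing import Dict, List, Optional

CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)

# Constructed sample: same layout as the posted log, last line invented.
SAMPLE_CREATED = [
    r"2007-12-08 09:11 . 2007-12-08 09:11 <DIR> d-------- C:\WINDOWS\LastGood",
    r"2007-11-24 18:43 . 2007-12-05 21:13 808,848 ---hs---- C:\WINDOWS\SYSTEM32\ywcgwgay.ini",
    r"2007-11-22 19:30 . 2007-11-22 19:30 749 -rah----- C:\WINDOWS\WindowsShell.Manifest",
    r"2007-11-22 19:39 . 2004-08-12 14:10 28,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls",
    r"2007-12-02 14:41 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl",
    r"2007-12-01 10:00 . 2007-12-01 10:00 12,288 --a------ C:\WINDOWS\SYSTEM32\qpkvyobf.exe",
    "((((((((( Files Created from 2007-11-08 to 2007-12-08 )))))))))",
]


def parse_created(line: str) -> Optional[dict]:
    """Split one entry into fields; size is None for directories."""
    m = CREATED_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = None if entry["size"] == "<DIR>" else int(entry["size"].replace(",", ""))
    return entry


def flags_for(entry: dict) -> List[str]:
    """Review heuristics (assumptions of this example, not ComboFix rules)."""
    flags: List[str] = []
    attrs = set(entry["attrs"])
    # Hidden+system on a plain file is unusual for application installs.
    if "d" not in attrs and {"h", "s"} <= attrs:
        flags.append("hidden+system")
    parent, _, name = entry["path"].rpartition("\\")
    stem = name.rsplit(".", 1)[0]
    # Eight random lowercase letters directly in SYSTEM32 (not DLLCACHE)
    # matches the naming of the quarantined droppers in the scan above.
    if parent.lower().endswith("\\windows\\system32") and re.fullmatch(r"[a-z]{8}", stem):
        flags.append("random-looking name in system32")
    return flags


def review(lines) -> Dict[str, List[str]]:
    """Map each flagged path to its flags; unflagged and non-entry lines are dropped."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_created(line)
        if entry is None:
            continue
        flags = flags_for(entry)
        if flags:
            flagged[entry["path"]] = flags
    return flagged


if __name__ == "__main__":
    for path, flags in review(SAMPLE_CREATED).items():
        print(f"{path}: {', '.join(flags)}")
```

Reading the attribute string by letter rather than by column keeps the parser honest about what ComboFix prints: "-rah-----" (a read-only hidden manifest, normal for Windows) is not flagged, while "---hs----" is. Run against the real block above the only entries it would raise are the ywcgwgay.ini line and nothing else, which is exactly the kind of short list a helper wants before deciding what to add to the next CFScript.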

sludgeguts
2007-12-08, 10:32
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:27:58, on 08/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm413YYGB
O8 - Extra context menu item: Grip.com - file://C:\Program Files\GRIPCZ29\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195318132796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 11258 bytes

__RiP_ChAiN_
2007-12-08, 22:32
Hello sludgeguts,

1. Please open Notepad
Click Start , then Run
Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\ywcgwgay.ini

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
Combofix.txt
A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

sludgeguts
2007-12-09, 14:09
ComboFix 07-12-08.1 - max 2007-12-09 12:44:41.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.305 [GMT 0:00]
Running from: C:\Documents and Settings\max\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\max\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\SYSTEM32\ywcgwgay.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\ywcgwgay.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))
.

2007-12-07 15:54 . 2007-12-07 18:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-12-07 15:54 . 2007-12-07 15:54 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-12-07 15:54 . 2007-12-07 15:54 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2007-12-06 19:12 . 2007-12-09 08:36 0 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\lvuvc.hs
2007-12-02 14:41 . 2007-12-02 14:41 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-02 14:41 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-11-27 07:55 . 2007-11-27 07:55 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-26 18:49 . 2007-11-26 18:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-26 18:49 . 2007-11-26 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-23 20:50 . 2007-11-23 20:52 <DIR> d-------- C:\Program Files\Safer Networking
2007-11-22 19:59 . 2007-11-22 19:59 2,422 --a------ C:\WINDOWS\SYSTEM32\wpa.bak
2007-11-22 19:39 . 2004-08-12 14:10 28,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2007-11-22 19:37 . 2004-08-12 13:58 1,875,968 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex
2007-11-22 19:36 . 2004-08-12 13:58 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2007-11-22 19:35 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll
2007-11-22 19:30 . 2007-11-22 19:30 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2007-11-22 19:30 . 2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2007-11-22 19:30 . 2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2007-11-22 19:30 . 2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2007-11-22 19:30 . 2007-11-22 19:30 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2007-11-22 19:29 . 2004-08-12 13:58 16,384 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\isignup.exe
2007-11-22 19:28 . 2004-08-12 13:57 214,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn1.exe
2007-11-22 19:28 . 2004-08-12 13:57 86,016 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn2.exe
2007-11-22 19:28 . 2004-08-12 13:57 32,768 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwdl.dll
2007-11-22 19:28 . 2004-08-12 13:58 20,480 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\inetwiz.exe
2007-11-22 18:11 . 2007-11-22 18:11 34 --a------ C:\WINDOWS\SYSTEM\oeminfo.ini
2007-11-22 17:58 . 2007-11-22 17:58 <DIR> d-------- C:\WINDOWS\dell
2007-11-20 20:03 . 2007-11-23 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-18 19:53 . 2007-12-08 22:03 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-11-18 19:52 . 2007-12-07 18:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-11-18 19:52 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-11-18 19:51 . 2007-12-09 08:37 351,888 --a------ C:\WINDOWS\SYSTEM32\vsconfig.xml
2007-11-18 19:50 . 2007-12-08 19:59 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-18 19:06 . 2007-11-18 21:03 <DIR> d-------- C:\Program Files\Registry Defender
2007-11-18 13:24 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-11-18 13:24 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2007-11-17 17:38 . 2007-11-17 17:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-17 11:39 . 2007-11-17 14:59 489 --a------ C:\WINDOWS\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 14:13 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-12-08 13:52 --------- d-----w C:\Program Files\GSC Game World
2007-12-08 13:51 --------- d-----w C:\Program Files\Microsoft Games
2007-12-07 18:09 --------- d-----w C:\Program Files\iTunes
2007-12-07 17:58 --------- d-----w C:\Program Files\DellSupport
2007-12-07 17:57 --------- d-----w C:\Program Files\Dell Photo AIO Printer 922
2007-12-07 17:56 --------- d-----w C:\Program Files\Common Files\Motive
2007-12-07 17:55 --------- d-----w C:\Program Files\btbb_wcm
2007-12-07 16:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-12-07 15:48 --------- d-----w C:\Program Files\Dl_cats
2007-12-06 19:12 2,811,364 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-02 14:41 --------- d-----w C:\Program Files\Java
2007-11-29 09:03 --------- d-----w C:\Program Files\BitLord
2007-11-27 07:30 61,539 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_11_25_21_44_20_small.dmp.zip
2007-11-27 07:30 61,435 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_11_25_21_44_32_small.dmp.zip
2007-11-25 19:49 194,771 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_25_18_01_20_small.dmp.zip
2007-11-25 19:49 180,683 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_25_18_01_39_small.dmp.zip
2007-11-21 10:38 66,056 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_19_20_39_55_small.dmp.zip
2007-11-21 10:38 215,145 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_19_20_32_51_small.dmp.zip
2007-11-21 10:38 185,660 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_19_20_32_29_small.dmp.zip
2007-11-17 17:37 --------- d-----w C:\Program Files\Logitech
2007-11-17 17:37 --------- d-----w C:\Program Files\Common Files\logishrd
2007-11-17 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2007-11-12 17:47 --------- d-----w C:\Documents and Settings\max\Application Data\HP
2007-10-15 20:03 --------- d-----w C:\Program Files\Full Tilt Poker.Net
2007-10-11 17:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2005-05-02 12:42 374,279 --sh--w C:\WINDOWS\Help\litusm.bak1
.

((((((((((((((((((((((((((((( snapshot@2007-12-08_ 9.26.50.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-12-17 14:08:21 53,248 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2007-12-08 14:12:18 53,248 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2006-12-17 14:08:21 12,800 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2007-12-08 14:12:18 12,800 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2006-12-17 14:08:21 473,600 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2007-12-08 14:12:18 473,600 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2006-12-17 14:08:17 2,676,224 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:14 2,676,224 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:18 2,846,720 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:15 2,846,720 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:18 563,712 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:15 563,712 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:18 567,296 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:15 567,296 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:19 576,000 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:16 576,000 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:19 577,024 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:16 577,024 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:19 577,536 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:16 577,536 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:20 577,536 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:17 577,536 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:20 578,560 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:17 578,560 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:21 578,560 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:19 578,560 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:21 145,920 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2007-12-08 14:12:20 145,920 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2006-12-17 14:08:22 159,232 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2007-12-08 14:12:20 159,232 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2006-12-17 14:08:22 364,544 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2007-12-08 14:12:20 364,544 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2006-12-17 14:08:22 178,176 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2007-12-08 14:12:20 178,176 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2006-12-17 14:08:20 223,232 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2007-12-08 14:12:18 223,232 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 10:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-01-26 00:41]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 01:01]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 15:30]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 01:05]
"vptray"="C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe" [2004-02-12 11:49]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-12 13:55 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-06 18:03]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 10:06]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 18:55]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-11-30 10:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [2007-08-22 12:34]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" []
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 13:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-12 14:01 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 05:00]

C:\Documents and Settings\sam\Start Menu\Programs\Startup\
eTomi Pro On Startup.lnk - C:\Program Files\eTomiPro\Gui\etomipro.exe [2005-02-08 14:15:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-03-16 14:24:02]
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [2007-10-05 19:37:10]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2005-02-07 18:53:16]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-01-28 18:35:59]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 17:10:04]

S3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys
S3 BTKRNBDG;Bluetooth COM Bridge;C:\WINDOWS\system32\DRIVERS\btkrnbdg.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys
S3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20452f93-714b-11d9-a746-806d6172696f}]
\Shell\AutoRun\command - D:\Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-05 14:32:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 12:50:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-09 12:50:47
C:\ComboFix2.txt ... 2007-12-08 09:27
C:\ComboFix3.txt ... 2007-12-06 19:36
.
--- E O F ---

sludgeguts
2007-12-09, 14:10
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:06:58, on 09/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\HPZipm12.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm413YYGB
O8 - Extra context menu item: Grip.com - file://C:\Program Files\GRIPCZ29\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195318132796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 11409 bytes

__RiP_ChAiN_
2007-12-10, 06:43
Hello sludgeguts,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZCxdm413YYGB
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -

Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Your logs are looking much better, how is your computer currently running?

sludgeguts
2007-12-10, 20:21
Have done as you asked. Computer seems to be in a much better state from where we began. Is there anything else you would like me to do?

__RiP_ChAiN_
2007-12-13, 01:26
Hello sludgeguts,

Go ahead and delete the following folder now:

C:\Qoobox

Go ahead and remove any tools we used during your fix now, as they will no longer be needed.

Congratulations, your computer is now clean of malware!

Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then go to Start > Run and type: Cleanmgr
Click "OK".
Click the "More Options" Tab.
Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topict405.html)

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/tutorial60.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:
IE/Spyad (http://www.bleepingcomputer.com/tutorials/tutorial53.html) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free Google toolbar to help stop pop-up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

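The HOSTS-file mechanism described in the post above (blocklisted names pointed at 127.0.0.1) can also be checked the other way round: an entry that points a real site at some non-local address is a classic sign the HOSTS file has been tampered with. The following is an added example, not part of the thread or of the MVPS project; the file content it audits is constructed inline and the domain names in it are placeholders.

```python
import ipaddress

# Constructed sample HOSTS content (not from the thread). The first entries
# mimic the MVPS blocklist style; the last one mimics a tampered entry that
# points a (placeholder) security vendor site at a non-local address.
SAMPLE_HOSTS = """\
# header comment, as found at the top of a typical HOSTS file
127.0.0.1  localhost
0.0.0.0    ad.doubleclick.example      # ad server, sinkholed
127.0.0.1  tracker.example.net
10.20.30.40  update.antivirus.example  # suspicious: not loopback
"""

# Addresses a blocklist legitimately uses to sinkhole a name.
LOCAL_SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS text, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                           # malformed line, ignore
        entries.extend((ip, name.lower()) for name in names)
    return entries


def audit_hosts(text):
    """Split entries into sinkholed names and suspicious (name, ip) redirects."""
    sinkholed, redirected = [], []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue                           # the normal default entry
        if ip in LOCAL_SINKHOLES:
            sinkholed.append(name)
        else:
            redirected.append((name, ip))
    return sinkholed, redirected


if __name__ == "__main__":
    blocked, suspicious = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked)} names sinkholed to a local address")
    for name, ip in suspicious:
        print(f"WARNING: {name} -> {ip} is not a local sinkhole")
```

On a real machine the text would be read from C:\WINDOWS\system32\drivers\etc\hosts; any entry reported as a non-local redirect deserves a closer look.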
sludgeguts
2007-12-13, 20:02
Thank you for all of your help, you guys are real heroes

__RiP_ChAiN_
2007-12-13, 23:53
You're very welcome :)