Close to reformatting.. virtumonde got me :(
stunner37
2008-07-15, 03:42
Needing help. I have spent weeks trying to clean my PC. I read the "Before you post" instructions and have done as requested. Search & Destroy found Virtumonde, but so did my Shaw Secure (F-Secure), and neither could clean it.
The DLL file that shows on my virus scan is geBrqpME.dll. KillBox cannot stop or remove the file.
Here is my HJT scan
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:36 PM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\hjt.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070124
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mymail.sjrb.ca/exchweb/bin/auth/owalogon.asp?reason=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070124
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {c80a08cf-3c5e-2799-b574-2e49d910e30a} - {a03e019d-94e2-475b-9972-e5c3fc80a08c} - C:\WINDOWS\system32\jnbgbq.dll (file missing)
O2 - BHO: (no name) - {D9D4B2FF-EB70-4DCA-9AA5-D1B096F9E3A5} - C:\WINDOWS\system32\geBrqpME.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ashley\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192670839484
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 7259 bytes
Massive thanks for your help.
Ash
stunner37
2008-07-15, 04:47
OK, I followed the instructions closely and ran ComboFix, but I am still infected.
Here is the combofix log:
ComboFix 08-07-14.2 - Ashley 2008-07-14 19:03:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.515 [GMT -6:00]
Running from: C:\Documents and Settings\Ashley\Desktop\ComboFix.exe
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\BMa7cabbd1.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\agtyjcmw.ini
C:\WINDOWS\system32\bnfjlcdy.ini
C:\WINDOWS\system32\eayuyfrw.ini
C:\WINDOWS\system32\elhmyjwb.ini
C:\WINDOWS\system32\EMpqrBeg.ini
C:\WINDOWS\system32\EMpqrBeg.ini2
C:\WINDOWS\system32\epbwfiwk.ini
C:\WINDOWS\system32\ivgndgkc.ini
C:\WINDOWS\system32\ivhiywvh.ini
C:\WINDOWS\system32\kluteouf.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nqsyrxwl.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\skofpklx.ini
C:\WINDOWS\system32\ukhpbojj.ini
C:\WINDOWS\system32\vkwtufch.ini
C:\WINDOWS\system32\xjyrtwmr.ini
----- BITS: Possible infected sites -----
hxxp://au.downõj
.
((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.
2008-07-14 18:30 . 2008-07-14 18:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-14 17:52 . 2008-07-14 17:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-14 17:52 . 2008-07-14 18:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-14 17:51 . 2008-07-14 17:51 80,896 --a------ C:\WINDOWS\system32\nbcmlrvy.dll
2008-07-14 17:49 . 2008-07-14 17:49 102,400 --a------ C:\WINDOWS\system32\bapxooih.dll
2008-07-14 17:47 . 2008-07-14 17:47 91,648 --a------ C:\WINDOWS\system32\pnhumodf.dll
2008-07-13 18:01 . 2008-07-13 18:01 <DIR> d-------- C:\!KillBox
2008-07-13 17:11 . 2008-07-13 17:11 101,376 --a------ C:\WINDOWS\system32\lmaqhmum.dll
2008-07-13 17:09 . 2008-07-13 17:09 80,896 --a------ C:\WINDOWS\system32\corgetiu.dll
2008-07-13 10:16 . 2008-07-13 10:16 92,160 --a------ C:\WINDOWS\system32\xfxbomxq.dll
2008-07-12 10:17 . 2008-07-12 10:18 81,408 --a------ C:\WINDOWS\system32\irkeeolo.dll
2008-07-12 10:14 . 2008-07-12 10:14 101,888 --a------ C:\WINDOWS\system32\rtmnlokg.dll
2008-07-12 10:14 . 2008-07-12 10:14 91,648 --a------ C:\WINDOWS\system32\bmwxtcrt.dll
2008-07-11 09:07 . 2008-07-11 09:07 80,896 --a------ C:\WINDOWS\system32\hvwyihvi.0ll
2008-07-11 09:04 . 2008-07-11 09:04 101,888 --a------ C:\WINDOWS\system32\nxlwvchp.0ll
2008-07-11 09:04 . 2008-07-11 09:04 101,888 --a------ C:\WINDOWS\system32\jnbgbq.0ll
2008-07-11 09:04 . 2008-07-11 09:04 92,672 --a------ C:\WINDOWS\system32\vtareapy.0ll
2008-07-11 09:01 . 2008-07-11 09:01 101,376 --a------ C:\WINDOWS\system32\xwbetw.0ll
2008-07-11 09:01 . 2008-07-11 09:01 101,376 --a------ C:\WINDOWS\system32\ksctgome.0ll
2008-07-11 09:01 . 2008-07-11 09:01 92,672 --a------ C:\WINDOWS\system32\ykmmmjnm.0ll
2008-07-10 08:57 . 2008-07-10 08:57 101,376 --a------ C:\WINDOWS\system32\qgkwxfro.0ll
2008-07-10 08:57 . 2008-07-10 08:57 101,376 --a------ C:\WINDOWS\system32\aswghr.0ll
2008-07-10 08:57 . 2008-07-10 08:57 92,672 --a------ C:\WINDOWS\system32\svuyoyoy.0ll
2008-07-08 20:33 . 2008-07-08 20:33 <DIR> d-------- C:\Documents and Settings\Dare\Application Data\Research In Motion
2008-07-08 20:25 . 2008-07-13 17:17 256 --a------ C:\Documents and Settings\Ashley\pool.bin
2008-07-08 20:23 . 2008-07-08 20:23 81,408 --a------ C:\WINDOWS\system32\ydcljfnb.0ll
2008-07-08 20:20 . 2008-07-08 20:20 101,376 --a------ C:\WINDOWS\system32\qangib.0ll
2008-07-08 20:20 . 2008-07-08 20:20 101,376 --a------ C:\WINDOWS\system32\lrawjlci.0ll
2008-07-06 00:52 . 2008-07-06 00:52 101,888 --a------ C:\WINDOWS\system32\wwxojp.0ll
2008-07-06 00:52 . 2008-07-06 00:52 101,888 --a------ C:\WINDOWS\system32\wgfetqts.0ll
2008-07-06 00:49 . 2008-07-06 00:49 80,896 --a------ C:\WINDOWS\system32\rmwtryjx.0ll
2008-07-04 20:33 . 2008-07-04 20:33 81,408 --a------ C:\WINDOWS\system32\wmcjytga.0ll
2008-07-04 20:30 . 2008-07-04 20:30 101,376 --a------ C:\WINDOWS\system32\wdpsneiu.0ll
2008-07-04 20:30 . 2008-07-04 20:30 101,376 --a------ C:\WINDOWS\system32\ujjhyo.0ll
2008-07-03 19:28 . 2008-07-03 19:28 104,448 --a------ C:\WINDOWS\system32\deyhmuww.0ll
2008-07-03 19:28 . 2008-07-03 19:28 104,448 --a------ C:\WINDOWS\system32\bnzkcb.0ll
2008-07-03 19:27 . 2008-07-03 19:27 87,040 --------- C:\WINDOWS\system32\wrfyuyae.0ll
2008-07-01 19:49 . 2008-07-01 19:49 94,720 --a------ C:\WINDOWS\system32\jhjncfwq.0ll
2008-06-29 21:41 . 2008-06-29 21:41 104,448 --a------ C:\WINDOWS\system32\sjvqycxr.0ll
2008-06-29 21:41 . 2008-06-29 21:41 104,448 --a------ C:\WINDOWS\system32\jqnhid.0ll
2008-06-29 21:38 . 2008-06-29 21:38 95,232 --a------ C:\WINDOWS\system32\mhcsjrry.dll
2008-06-29 21:38 . 2008-06-29 21:38 87,040 --a------ C:\WINDOWS\system32\xlkpfoks.0ll
2008-06-28 12:39 . 2008-06-28 12:39 104,960 --a------ C:\WINDOWS\system32\lxfjqjoj.0ll
2008-06-28 12:39 . 2008-06-28 12:39 104,960 --a------ C:\WINDOWS\system32\eahwhe.0ll
2008-06-28 12:39 . 2008-06-28 12:39 86,528 --a------ C:\WINDOWS\system32\bwjymhle.0ll
2008-06-28 12:37 . 2008-06-28 12:37 94,208 --a------ C:\WINDOWS\system32\rdwqbpam.0ll
2008-06-26 23:32 . 2008-06-26 23:32 87,040 --a------ C:\WINDOWS\system32\kwifwbpe.0ll
2008-06-26 23:29 . 2008-06-26 23:29 108,032 --a------ C:\WINDOWS\system32\ihhlpftb.0ll
2008-06-26 23:27 . 2008-07-10 08:57 110,321 --a------ C:\WINDOWS\BMa7cabbd1.xml
2008-06-26 23:27 . 2008-06-26 23:27 95,744 --a------ C:\WINDOWS\system32\sfvckbto.0ll
2008-06-25 22:49 . 2008-06-25 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-25 22:47 . 2008-07-13 19:01 <DIR> d-------- C:\Documents and Settings\Ashley\.housecall6.6
2008-06-25 20:39 . 2008-06-25 20:39 286,208 --a------ C:\WINDOWS\system32\geBrqpME.dll
2008-06-25 20:24 . 2008-06-28 17:20 <DIR> d-------- C:\WINDOWS\system32\modtrux05
2008-06-25 20:24 . 2008-06-25 20:24 <DIR> d-------- C:\Temp\syschk3
2008-06-25 20:24 . 2008-06-25 20:24 <DIR> d-------- C:\Temp
2008-06-25 20:24 . 2008-06-25 21:19 <DIR> d--hs---- C:\Documents and Settings\Ashley\!
2008-06-25 20:24 . 2008-06-25 20:24 0 --a------ C:\WINDOWS\system32\taskkill.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 19:13 --------- d-----w C:\Documents and Settings\Ashley\Application Data\F-Secure
2008-06-30 03:38 --------- d-----w C:\Documents and Settings\Dare\Application Data\F-Secure
2008-06-29 02:23 --------- d-----w C:\Program Files\Semagic
2008-06-28 18:44 --------- d-----w C:\Program Files\LimeWire
2008-06-14 02:33 --------- d-----w C:\Program Files\Dell
2008-06-14 02:32 --------- d-----w C:\Program Files\PokerStars.NET
2008-05-16 06:13 --------- d-----w C:\Documents and Settings\Dare\Application Data\Apple Computer
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-24 04:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-11-17 00:14 3,746 ----a-w C:\Documents and Settings\Ashley\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDB2FFA4-D093-4D61-9E71-003B23169795}]
2008-06-25 20:39 286208 --a------ C:\WINDOWS\system32\geBrqpME.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geBrqpME
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Ashley^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\Ashley\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2006-11-23 02:45 1392640 C:\WINDOWS\system32\WLTRAY.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
--a--c--- 2004-04-01 08:51 1589248 C:\dell\DellHelp\DellHelp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 01:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 10:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]
--a------ 2007-11-01 05:42 182936 C:\Program Files\Shaw Secure\Common\FSM32.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]
--a------ 2007-11-01 05:42 739936 C:\Program Files\Shaw Secure\FSGUI\tnbutil.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-12-13 16:41 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-12-13 16:45 118784 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-13 16:44 98304 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-09-11 05:40 218032 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2006-09-11 05:40 218032 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-09-11 05:40 86960 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 02:24 20480 C:\Program Files\NetWaiting\netwaiting.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-07-12 19:05 1117184 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2007-05-02 19:16 184320 C:\Program Files\Dell\MediaDirect\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 09:56 236016 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 05:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-03-08 11:48 761947 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-03-17 19:57]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\Shaw Secure\HIPS\fshs.sys [2008-03-17 19:57]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [2007-11-01 05:42]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys [2007-11-01 05:42]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys [2007-11-01 05:42]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-13 23:06:09 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-07-15 00:04:41 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\SHAWSE~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\SHAWSE~1\ANTI-V~1\report.txt
.
- - - - ORPHANS REMOVED - - - -
BHO-{a03e019d-94e2-475b-9972-e5c3fc80a08c} - C:\WINDOWS\system32\jnbgbq.dll
MSConfigStartUp-a4f9884d - C:\WINDOWS\system32\hvwyihvi.dll
MSConfigStartUp-Antivirus - C:\Program Files\VAV\vav.exe
MSConfigStartUp-BitTorrent - C:\Program Files\BitTorrent\bittorrent.exe
MSConfigStartUp-BMa7cabbd1 - C:\WINDOWS\system32\rdwqbpam.dll
MSConfigStartUp-Dell QuickSet - C:\Program Files\Dell\QuickSet\Quickset.exe
MSConfigStartUp-DNA - C:\Program Files\BitTorrent_DNA\dna.exe
MSConfigStartUp-Google Desktop Search - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-Host Process - C:\Documents and Settings\Ashley\svchost.exe
MSConfigStartUp-MPFExe - C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MSKAGENTEXE - C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
MSConfigStartUp-MsnMsgr - C:\Program Files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-OASClnt - C:\Program Files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-VirusScan Online - c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 19:27:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\geBrqpME.dll
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\geBrqpME.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\FWES\program\fsdfwd.exe
C:\PROGRA~1\SHAWSE~1\ANTI-V~1\fsav32.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-14 19:35:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-15 01:35:04
Pre-Run: 98,333,069,312 bytes free
Post-Run: 98,767,650,816 bytes free
260 --- E O F --- 2008-06-14 02:44:12
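The two logs above show why KillBox and the resident AV keep failing: the same DLL (geBrqpME.dll) is registered as an IE Browser Helper Object (HijackThis "O2" line), is appended to the LSA "Authentication Packages" value so lsass.exe loads it at boot, and is reported loaded inside both lsass.exe and explorer.exe. A user-mode deleter cannot unlink a file that lsass.exe holds open, and the LSA entry re-loads it on every boot. The script below is an added example, written for this thread; it is not code from the original post nor part of Spybot, HijackThis or ComboFix. It triages pasted log text by correlating those three persistence points per DLL. The regexes, the score weights and the "random-looking name" heuristic are this example's own assumptions, and the sample log is a constructed subset copied from the lines posted above.

```python
"""Correlate Virtumonde/Vundo persistence indicators in HijackThis and ComboFix log text.

Added example for this thread, not part of any of the tools mentioned. The
thresholds and regexes are assumptions chosen to fit the log lines posted above.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Authentication packages a stock Windows XP install carries; anything else is suspect.
KNOWN_AUTH_PACKAGES = {"msv1_0"}
VOWELS = set("aeiouAEIOU")

# HijackThis:  O2 - BHO: <name> - {CLSID} - <path> [(file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
# ComboFix:    Authentication Packages REG_MULTI_SZ msv1_0 C:\...\geBrqpME
AUTH_RE = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(?P<pkgs>.+)$")
# ComboFix "DLLs Loaded Under Running Processes" block
PROC_RE = re.compile(r"^PROCESS: (?P<proc>.+)$")
DLL_RE = re.compile(r"^-> (?P<dll>.+)$")
# ComboFix firewall policy dump
FW_RE = re.compile(r'^"EnableFirewall"=\s*0\b')


def raw_stem(path):
    """File name without directory or extension, case preserved ('...\\geBrqpME.dll' -> 'geBrqpME')."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0]


def random_looking(name):
    """Weak heuristic (assumption): 6-8 letters and either almost no vowels or a lower/UPPER mix."""
    if not (6 <= len(name) <= 8 and name.isalpha()):
        return False
    vowels = sum(c in VOWELS for c in name)
    mixed = name not in (name.lower(), name.upper(), name.capitalize())
    return vowels < 2 or mixed


@dataclass
class Triage:
    scores: dict = field(default_factory=lambda: defaultdict(int))
    reasons: dict = field(default_factory=lambda: defaultdict(list))
    firewall_disabled: bool = False

    def flag(self, path, reason, weight):
        key = raw_stem(path).lower()
        self.scores[key] += weight
        self.reasons[key].append(reason)

    @property
    def high(self):
        """DLLs whose correlated evidence reaches the (assumed) high-confidence threshold."""
        return sorted(k for k, s in self.scores.items() if s >= 3)


def triage(log_text):
    t = Triage()
    proc = None
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("missing"):
                t.flag(m.group("path"), "orphaned BHO registration (file missing)", 1)
            elif m.group("name") == "(no name)":
                t.flag(m.group("path"), f"IE BHO with no name, CLSID {m.group('clsid')}", 1)
            if random_looking(raw_stem(m.group("path"))):
                t.flag(m.group("path"), "random-looking file name", 1)
            continue
        m = AUTH_RE.match(line)
        if m:
            # REG_MULTI_SZ entries are space separated in the ComboFix dump; a package path
            # containing spaces would need smarter splitting (assumption: system32 paths only).
            for pkg in m.group("pkgs").split():
                if raw_stem(pkg).lower() not in KNOWN_AUTH_PACKAGES:
                    t.flag(pkg, "extra LSA Authentication Package: loaded by lsass.exe at boot", 3)
            continue
        m = PROC_RE.match(line)
        if m:
            proc = raw_stem(m.group("proc")).lower()
            continue
        m = DLL_RE.match(line)
        if m and proc:
            # A DLL inside lsass.exe cannot be deleted from user mode while the process runs.
            t.flag(m.group("dll"), f"loaded inside {proc}.exe", 2 if proc == "lsass" else 1)
            continue
        if FW_RE.match(line):
            t.firewall_disabled = True
    return t


# Constructed sample: a subset of the HijackThis and ComboFix lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {c80a08cf-3c5e-2799-b574-2e49d910e30a} - {a03e019d-94e2-475b-9972-e5c3fc80a08c} - C:\WINDOWS\system32\jnbgbq.dll (file missing)
O2 - BHO: (no name) - {D9D4B2FF-EB70-4DCA-9AA5-D1B096F9E3A5} - C:\WINDOWS\system32\geBrqpME.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geBrqpME
"EnableFirewall"= 0 (0x0)
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\geBrqpME.dll
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\geBrqpME.dll
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Windows Firewall disabled:", result.firewall_disabled)
    for dll in sorted(result.scores, key=result.scores.get, reverse=True):
        print(f"{dll}: score {result.scores[dll]}")
        for why in result.reasons[dll]:
            print("   -", why)
```

Run against the sample, geBrqpME scores highest because every persistence point points at the same file, while the orphaned jnbgbq.dll entry stays low: ComboFix already removed that registration, as its "ORPHANS REMOVED" section shows. The LSA line is the decisive signal; a BHO alone can be unregistered, but a DLL listed under Authentication Packages is mapped into lsass.exe before any user logs on, so a user-mode file deleter will always find it locked.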
stunner37
2008-07-15, 04:51
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:08 PM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Trend Micro\HijackThis\hjt.exe.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mymail.sjrb.ca/exchweb/bin/auth/owalogon.asp?reason=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070124
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {D77AC26F-4E96-40A8-A4F3-A75B851E3503} - C:\WINDOWS\system32\geBrqpME.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ashley\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192670839484
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 9675 bytes
stunner37
2008-07-15, 05:13
CCleaner Installed Programs Report.
Adobe Flash Player ActiveX
Adobe Reader 7.0.8
Adobe Shockwave Player 11
Apple Mobile Device Support
Apple Software Update
BlackBerry Desktop Software 4.3
BlackBerry Device Software v4.3.0 for the BlackBerry 8130 smartphone
CCleaner (remove only)
Conexant HDA D110 MDC V.92 Modem
Dell Support 3.2.1
Dell Support Center
Dell System Restore
Dell Wireless WLAN Card
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1
Kodak EasyShare software
MediaDirect
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Works
Modem Helper
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
NetWaiting
OutlookAddinSetup
Quicken 2008
QuickTime
Semagic (remove only)
Shaw Secure 2.0
Snes9x
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
stunner37
2008-07-15, 18:38
:oops:
I posted previously but realized from the "Before You Post" that since I added information afterwards, it is going to look like I am being helped. Sorry, my bad :(
Here is my HJT scan
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:36 PM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\hjt.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ca/ig/dell?hl=en&c...ca&ibd=5070124
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mymail.sjrb.ca/exchweb/bin/a...n.asp?reason=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.ca/ig/dell?hl=en&c...ca&ibd=5070124
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {c80a08cf-3c5e-2799-b574-2e49d910e30a} - {a03e019d-94e2-475b-9972-e5c3fc80a08c} - C:\WINDOWS\system32\jnbgbq.dll (file missing)
O2 - BHO: (no name) - {D9D4B2FF-EB70-4DCA-9AA5-D1B096F9E3A5} - C:\WINDOWS\system32\geBrqpME.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ashley\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1192670839484
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/a...pv2.0.0.9.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/a...v2.0.0.10.cab?
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 7259 bytes
I ran Combofix; the other post I posted yesterday is located here if you need that info. Please help, I am desperate.
http://forums.spybot.info/showthread.php?t=30979
Thanks! :)
Ash
Hi
I think you missed the Do NOT run 'fixes' before helpers have analyzed HJT log (http://forums.spybot.info/showthread.php?t=16806) sticky (you ran ComboFix, though it shouldn't be used without supervision).
Delete old copy of ComboFix.exe file. Then follow the instructions below.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh HJT log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
stunner37
2008-07-22, 03:35
Hi, thanks so much for helping me out. Sorry for jumping ahead, I was losing functionality and panicked a bit. I wasn't sure if I should turn off my current virus protection before running the logs, but I have turned it off. Let me know if that is okay. :)
I followed your instructions, here is the new Combofix log:
ComboFix 08-07-20.A0 - Ashley 2008-07-21 18:15:52.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.550 [GMT -6:00]
Running from: C:\Documents and Settings\Ashley\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aowtqfhg.dll
C:\WINDOWS\system32\bumbxe.dll
C:\WINDOWS\system32\czrfvm.dll
C:\WINDOWS\system32\ecsuatfk.dll
C:\WINDOWS\system32\EMpqrBeg.ini
C:\WINDOWS\system32\EMpqrBeg.ini2
C:\WINDOWS\system32\geBrqpME.dll
C:\WINDOWS\system32\greyhgxi.dll
C:\WINDOWS\system32\hajoirgn.dll
C:\WINDOWS\system32\hdaskims.dll
C:\WINDOWS\system32\htcufuve.dll
C:\WINDOWS\system32\ixghyerg.ini
C:\WINDOWS\system32\ixghyerg.tmp
C:\WINDOWS\system32\llicyxhy.dll
C:\WINDOWS\system32\qbufgwcl.dll
C:\WINDOWS\system32\rrjoqs.dll
C:\WINDOWS\system32\smiksadh.ini
.
((((((((((((((((((((((((( Files Created from 2008-06-22 to 2008-07-22 )))))))))))))))))))))))))))))))
.
2008-07-15 20:49 . 2008-07-15 20:49 101,376 --a------ C:\WINDOWS\system32\rqwlbrfu.dll
2008-07-15 20:46 . 2008-07-15 20:46 81,408 --a------ C:\WINDOWS\system32\petvxnlp.dll
2008-07-15 20:43 . 2008-07-15 20:43 92,672 --a------ C:\WINDOWS\system32\flxleaki.dll
2008-07-14 21:20 . 2008-07-14 21:20 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-14 21:20 . 2008-07-14 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-14 20:45 . 2008-07-14 20:45 80,896 --a------ C:\WINDOWS\system32\sslulvaa.dll
2008-07-14 20:42 . 2008-07-14 20:42 102,400 --a------ C:\WINDOWS\system32\seycrnuc.dll
2008-07-14 20:41 . 2008-07-14 20:41 91,648 --a------ C:\WINDOWS\system32\qfaeuifh.dll
2008-07-14 20:07 . 2008-07-14 20:07 <DIR> d-------- C:\Program Files\CCleaner
2008-07-14 18:30 . 2008-07-14 18:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-14 17:52 . 2008-07-14 17:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-14 17:52 . 2008-07-16 03:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-14 17:51 . 2008-07-14 17:51 80,896 --a------ C:\WINDOWS\system32\nbcmlrvy.dll
2008-07-14 17:49 . 2008-07-14 17:49 102,400 --a------ C:\WINDOWS\system32\bapxooih.dll
2008-07-14 17:47 . 2008-07-14 17:47 91,648 --a------ C:\WINDOWS\system32\pnhumodf.dll
2008-07-13 18:01 . 2008-07-13 18:01 <DIR> d-------- C:\!KillBox
2008-07-13 17:11 . 2008-07-13 17:11 101,376 --a------ C:\WINDOWS\system32\lmaqhmum.dll
2008-07-13 17:09 . 2008-07-13 17:09 80,896 --a------ C:\WINDOWS\system32\corgetiu.dll
2008-07-13 10:16 . 2008-07-13 10:16 92,160 --a------ C:\WINDOWS\system32\xfxbomxq.dll
2008-07-12 10:17 . 2008-07-12 10:18 81,408 --a------ C:\WINDOWS\system32\irkeeolo.dll
2008-07-12 10:14 . 2008-07-12 10:14 101,888 --a------ C:\WINDOWS\system32\rtmnlokg.dll
2008-07-12 10:14 . 2008-07-12 10:14 91,648 --a------ C:\WINDOWS\system32\bmwxtcrt.dll
2008-07-11 09:07 . 2008-07-11 09:07 80,896 --a------ C:\WINDOWS\system32\hvwyihvi.0ll
2008-07-11 09:04 . 2008-07-11 09:04 101,888 --a------ C:\WINDOWS\system32\nxlwvchp.0ll
2008-07-11 09:04 . 2008-07-11 09:04 101,888 --a------ C:\WINDOWS\system32\jnbgbq.0ll
2008-07-11 09:04 . 2008-07-11 09:04 92,672 --a------ C:\WINDOWS\system32\vtareapy.0ll
2008-07-11 09:01 . 2008-07-11 09:01 101,376 --a------ C:\WINDOWS\system32\xwbetw.0ll
2008-07-11 09:01 . 2008-07-11 09:01 101,376 --a------ C:\WINDOWS\system32\ksctgome.0ll
2008-07-11 09:01 . 2008-07-11 09:01 92,672 --a------ C:\WINDOWS\system32\ykmmmjnm.0ll
2008-07-10 08:57 . 2008-07-10 08:57 101,376 --a------ C:\WINDOWS\system32\qgkwxfro.0ll
2008-07-10 08:57 . 2008-07-10 08:57 92,672 --a------ C:\WINDOWS\system32\svuyoyoy.0ll
2008-07-08 20:33 . 2008-07-08 20:33 <DIR> d-------- C:\Documents and Settings\Dare\Application Data\Research In Motion
2008-07-08 20:25 . 2008-07-13 17:17 256 --a------ C:\Documents and Settings\Ashley\pool.bin
2008-07-08 20:23 . 2008-07-08 20:23 81,408 --a------ C:\WINDOWS\system32\ydcljfnb.0ll
2008-07-08 20:20 . 2008-07-08 20:20 101,376 --a------ C:\WINDOWS\system32\qangib.0ll
2008-07-08 20:20 . 2008-07-08 20:20 101,376 --a------ C:\WINDOWS\system32\lrawjlci.0ll
2008-07-06 00:52 . 2008-07-06 00:52 101,888 --a------ C:\WINDOWS\system32\wwxojp.0ll
2008-07-06 00:52 . 2008-07-06 00:52 101,888 --a------ C:\WINDOWS\system32\wgfetqts.0ll
2008-07-06 00:49 . 2008-07-06 00:49 80,896 --a------ C:\WINDOWS\system32\rmwtryjx.0ll
2008-07-04 20:33 . 2008-07-04 20:33 81,408 --a------ C:\WINDOWS\system32\wmcjytga.0ll
2008-07-04 20:30 . 2008-07-04 20:30 101,376 --a------ C:\WINDOWS\system32\wdpsneiu.0ll
2008-07-04 20:30 . 2008-07-04 20:30 101,376 --a------ C:\WINDOWS\system32\ujjhyo.0ll
2008-07-03 19:28 . 2008-07-03 19:28 104,448 --a------ C:\WINDOWS\system32\deyhmuww.0ll
2008-07-03 19:28 . 2008-07-03 19:28 104,448 --a------ C:\WINDOWS\system32\bnzkcb.0ll
2008-07-03 19:27 . 2008-07-03 19:27 87,040 --------- C:\WINDOWS\system32\wrfyuyae.0ll
2008-07-01 19:49 . 2008-07-01 19:49 94,720 --a------ C:\WINDOWS\system32\jhjncfwq.0ll
2008-06-29 21:41 . 2008-06-29 21:41 104,448 --a------ C:\WINDOWS\system32\sjvqycxr.0ll
2008-06-29 21:41 . 2008-06-29 21:41 104,448 --a------ C:\WINDOWS\system32\jqnhid.0ll
2008-06-29 21:38 . 2008-06-29 21:38 95,232 --a------ C:\WINDOWS\system32\mhcsjrry.dll
2008-06-29 21:38 . 2008-06-29 21:38 87,040 --a------ C:\WINDOWS\system32\xlkpfoks.0ll
2008-06-28 12:39 . 2008-06-28 12:39 104,960 --a------ C:\WINDOWS\system32\lxfjqjoj.0ll
2008-06-28 12:39 . 2008-06-28 12:39 104,960 --a------ C:\WINDOWS\system32\eahwhe.0ll
2008-06-28 12:39 . 2008-06-28 12:39 86,528 --a------ C:\WINDOWS\system32\bwjymhle.0ll
2008-06-28 12:37 . 2008-06-28 12:37 94,208 --a------ C:\WINDOWS\system32\rdwqbpam.0ll
2008-06-26 23:32 . 2008-06-26 23:32 87,040 --a------ C:\WINDOWS\system32\kwifwbpe.0ll
2008-06-26 23:29 . 2008-06-26 23:29 108,032 --a------ C:\WINDOWS\system32\ihhlpftb.0ll
2008-06-26 23:27 . 2008-07-21 08:31 110,321 --a------ C:\WINDOWS\BMa7cabbd1.xml
2008-06-26 23:27 . 2008-06-26 23:27 95,744 --a------ C:\WINDOWS\system32\sfvckbto.0ll
2008-06-25 22:49 . 2008-06-25 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-25 22:47 . 2008-07-13 19:01 <DIR> d-------- C:\Documents and Settings\Ashley\.housecall6.6
2008-06-25 20:24 . 2008-06-28 17:20 <DIR> d-------- C:\WINDOWS\system32\modtrux05
2008-06-25 20:24 . 2008-06-25 20:24 <DIR> d-------- C:\Temp\syschk3
2008-06-25 20:24 . 2008-06-25 20:24 <DIR> d-------- C:\Temp
2008-06-25 20:24 . 2008-06-25 21:19 <DIR> d--hs---- C:\Documents and Settings\Ashley\!
2008-06-25 20:24 . 2008-06-25 20:24 0 --a------ C:\WINDOWS\system32\taskkill.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 19:13 --------- d-----w C:\Documents and Settings\Ashley\Application Data\F-Secure
2008-06-30 03:38 --------- d-----w C:\Documents and Settings\Dare\Application Data\F-Secure
2008-06-29 02:23 --------- d-----w C:\Program Files\Semagic
2008-06-28 18:44 --------- d-----w C:\Program Files\LimeWire
2008-06-14 02:33 --------- d-----w C:\Program Files\Dell
2008-06-14 02:32 --------- d-----w C:\Program Files\PokerStars.NET
2007-11-17 00:14 3,746 ----a-w C:\Documents and Settings\Ashley\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((( snapshot@2008-07-14_19.34.08.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-07-14 23:50:33 65,418 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-22 00:11:29 65,418 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-14 23:50:33 409,684 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-22 00:11:29 409,684 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 11:48 761947]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 05:40 86960]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 05:40 218032]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 16:44 98304]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 16:45 118784]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 16:41 77824]
"F-Secure TNB"="C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" [2007-11-01 05:42 739936]
"F-Secure Manager"="C:\Program Files\Shaw Secure\Common\FSM32.EXE" [2007-11-01 05:42 182936]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-23 02:45 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
--a--c--- 2004-04-01 08:51 1589248 C:\dell\DellHelp\DellHelp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 10:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 02:24 20480 C:\Program Files\NetWaiting\netwaiting.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-07-12 19:05 1117184 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2007-05-02 19:16 184320 C:\Program Files\Dell\MediaDirect\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 09:56 236016 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-03-17 19:57]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\Shaw Secure\HIPS\fshs.sys [2008-03-17 19:57]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [2007-11-01 05:42]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys [2007-11-01 05:42]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys [2007-11-01 05:42]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-13 23:06:09 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-07-22 00:08:00 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\SHAWSE~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\SHAWSE~1\ANTI-V~1\report.txt
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-a4f9884d - C:\WINDOWS\system32\greyhgxi.dll
HKLM-Run-BMa7cabbd1 - C:\WINDOWS\system32\ecsuatfk.dll
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = https://mymail.sjrb.ca/exchweb/bin/auth/owalogon.asp?reason=1
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
O8 -: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 -: Semagic - C:\Program Files\Semagic\link.htm
O9 -: {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ashley\Start Menu\Programs\IMVU\Run IMVU.lnk
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 18:28:25
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\FWES\program\fsdfwd.exe
C:\PROGRA~1\SHAWSE~1\ANTI-V~1\fsav32.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SHAWSE~1\Common\FSM32.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\SHAWSE~1\FSGUI\fsguidll.exe
.
**************************************************************************
.
Completion time: 2008-07-21 18:35:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-22 00:35:40
ComboFix2.txt 2008-07-15 01:35:24
Pre-Run: 98,784,976,896 bytes free
Post-Run: 98,729,586,688 bytes free
235 --- E O F --- 2008-06-14 02:44:12
stunner37
2008-07-22, 03:37
Again, thank you SO much.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:37 PM, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\hjt.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mymail.sjrb.ca/exchweb/bin/auth/owalogon.asp?reason=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070124
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ashley\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192670839484
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 8544 bytes
Hi
Upload following file to http://virusscan.jotti.org and post back the results:
C:\Documents and Settings\Ashley\pool.bin
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\rqwlbrfu.dll
C:\WINDOWS\system32\petvxnlp.dll
C:\WINDOWS\system32\flxleaki.dll
C:\WINDOWS\system32\sslulvaa.dll
C:\WINDOWS\system32\seycrnuc.dll
C:\WINDOWS\system32\qfaeuifh.dll
C:\WINDOWS\system32\nbcmlrvy.dll
C:\WINDOWS\system32\bapxooih.dll
C:\WINDOWS\system32\pnhumodf.dll
C:\WINDOWS\system32\lmaqhmum.dll
C:\WINDOWS\system32\corgetiu.dll
C:\WINDOWS\system32\xfxbomxq.dll
C:\WINDOWS\system32\irkeeolo.dll
C:\WINDOWS\system32\rtmnlokg.dll
C:\WINDOWS\system32\bmwxtcrt.dll
C:\WINDOWS\system32\hvwyihvi.0ll
C:\WINDOWS\system32\nxlwvchp.0ll
C:\WINDOWS\system32\jnbgbq.0ll
C:\WINDOWS\system32\vtareapy.0ll
C:\WINDOWS\system32\xwbetw.0ll
C:\WINDOWS\system32\ksctgome.0ll
C:\WINDOWS\system32\ykmmmjnm.0ll
C:\WINDOWS\system32\qgkwxfro.0ll
C:\WINDOWS\system32\svuyoyoy.0ll
C:\WINDOWS\system32\ydcljfnb.0ll
C:\WINDOWS\system32\qangib.0ll
C:\WINDOWS\system32\lrawjlci.0ll
C:\WINDOWS\system32\wwxojp.0ll
C:\WINDOWS\system32\wgfetqts.0ll
C:\WINDOWS\system32\rmwtryjx.0ll
C:\WINDOWS\system32\wmcjytga.0ll
C:\WINDOWS\system32\wdpsneiu.0ll
C:\WINDOWS\system32\ujjhyo.0ll
C:\WINDOWS\system32\deyhmuww.0ll
C:\WINDOWS\system32\bnzkcb.0ll
C:\WINDOWS\system32\wrfyuyae.0ll
C:\WINDOWS\system32\jhjncfwq.0ll
C:\WINDOWS\system32\sjvqycxr.0ll
C:\WINDOWS\system32\jqnhid.0ll
C:\WINDOWS\system32\mhcsjrry.dll
C:\WINDOWS\system32\xlkpfoks.0ll
C:\WINDOWS\system32\lxfjqjoj.0ll
C:\WINDOWS\system32\eahwhe.0ll
C:\WINDOWS\system32\bwjymhle.0ll
C:\WINDOWS\system32\rdwqbpam.0ll
C:\WINDOWS\system32\kwifwbpe.0ll
C:\WINDOWS\system32\ihhlpftb.0ll
C:\WINDOWS\BMa7cabbd1.xml
C:\WINDOWS\system32\sfvckbto.0ll
C:\WINDOWS\system32\taskkill.exe
Folder::
C:\!KillBox
C:\WINDOWS\system32\modtrux05
C:\Temp\syschk3
C:\Documents and Settings\Ashley\!
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Run the Kaspersky online scanner, which you seem to have already installed, and post back its report. Post a fresh HJT log too (without forgetting the above-mentioned ComboFix resultant log).
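The file lists in the CFScript above and the Kaspersky report posted later in this thread share one pattern: short random-looking file names dropped into system32, many with a look-alike extension (.0ll with a digit zero in place of .dll, .0xe in place of .exe) so that casual searches for *.dll miss them. The following is an added example, not part of this thread and not code from ComboFix, HijackThis or Kaspersky. It parses report lines in the "path Infected: threat count" shape quoted in the thread, totals detections per threat family, and flags paths that fit the random-name or look-alike-extension pattern. The sample lines are copied from the logs in this thread; the helper names (parse_report, flag_paths, suspicious_reasons) are this example's own.

```python
"""Triage helper for the scanner output quoted in this thread.

Added example, not part of the thread or of any vendor tool. It parses
Kaspersky-style "path Infected: threat count" lines, groups detections by
threat family, and flags file names that fit the Vundo/Virtumonde pattern
visible in the logs: short random-looking names in system32 and the
look-alike extensions .0ll / .0xe (digit zero in place of a letter).
"""
import re
from collections import Counter

# Kaspersky Online Scanner report line: <path> Infected: <threat> <count>
REPORT_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Random-looking 6-8 letter base name with a DLL or look-alike extension,
# optionally carrying ComboFix's ".vir" quarantine suffix.
RANDOM_DLL = re.compile(r"^[A-Za-z]{6,8}\.(?:dll|0ll)(?:\.vir)?$")

# Extensions that mimic real ones with a digit zero: .0ll for .dll, .0xe for .exe.
LOOKALIKE_EXT = re.compile(r"\.0(?:ll|xe)(?:\.vir)?$", re.IGNORECASE)


def parse_report(text):
    """Return a list of (path, threat, count) tuples; non-matching lines are skipped."""
    found = []
    for line in text.splitlines():
        m = REPORT_LINE.match(line.strip())
        if m:
            found.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return found


def threat_family(threat):
    """Strip the variant suffix: 'Trojan.Win32.Monder.gen' -> 'Trojan.Win32.Monder'."""
    return threat.rsplit(".", 1)[0]


def count_by_family(detections):
    """Sum detection counts per threat family."""
    totals = Counter()
    for _path, threat, count in detections:
        totals[threat_family(threat)] += count
    return dict(totals)


def basename(path):
    """Last path component, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def suspicious_reasons(path):
    """Reasons a path looks like a Vundo-style drop; empty list means nothing flagged."""
    name = basename(path)
    reasons = []
    if LOOKALIKE_EXT.search(name):
        reasons.append("look-alike extension (digit zero)")
    if RANDOM_DLL.match(name) and "system32" in path.lower():
        reasons.append("random-looking DLL name in system32")
    return reasons


def flag_paths(paths):
    """Map each flagged path to its reasons; clean paths are omitted."""
    flagged = {}
    for p in paths:
        why = suspicious_reasons(p)
        if why:
            flagged[p] = why
    return flagged


# Constructed sample input: a few lines copied from the Kaspersky report and
# the HJT process list in this thread, not a full log.
SAMPLE_REPORT = """\
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\bnzkcb.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\geBrqpME.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.zko 1
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\svuyoyoy.0ll.vir Infected: Trojan.Win32.Monder.alz 1
C:\\Documents and Settings\\Ashley\\svchost.0xe Infected: Trojan-Dropper.Win32.VB.di 1
The selected area was scanned.
"""

SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\WINDOWS\system32\rqwlbrfu.dll",
    r"C:\WINDOWS\system32\hvwyihvi.0ll",
    r"C:\Documents and Settings\Ashley\svchost.0xe",
    r"C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe",
]

if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    for fam, n in sorted(count_by_family(dets).items()):
        print(f"{n:3d}  {fam}")
    for p, why in flag_paths(SAMPLE_PATHS).items():
        print(p, "->", "; ".join(why))
```

The name heuristic is a triage aid, not a verdict: a legitimate six-letter DLL such as msvcrt.dll would also match RANDOM_DLL, so anything it flags still needs the online-scan or hash check the helper asks for above before it goes into a removal script.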
stunner37
2008-07-23, 03:38
Here is the first item:
File: pool.bin
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 01d26528c8d9159f0c9500f81f272fc5
vscan result
Here is the HJT updated scan:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:28 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\hjt.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mymail.sjrb.ca/exchweb/bin/auth/owalogon.asp?reason=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070124
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ashley\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192670839484
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 8527 bytes
stunner37
2008-07-23, 03:39
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 22, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 22, 2008 13:16:29
Records in database: 984670
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
F:\
Scan statistics:
Files scanned: 104283
Threat name: 7
Infected objects: 37
Suspicious objects: 0
Duration of the scan: 01:27:29
File name / Threat name / Threats count
C:\Documents and Settings\Ashley\.housecall6.6\Quarantine\flikiun.exe.bac_a02248 Infected: not-a-virus:Monitor.Win32.Perflogger.an 1
C:\Documents and Settings\Ashley\svchost.0xe Infected: Trojan-Dropper.Win32.VB.di 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bnzkcb.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bwjymhle.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\deyhmuww.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\eahwhe.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\geBrqpME.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.zko 1
C:\QooBox\Quarantine\C\WINDOWS\system32\greyhgxi.dll.vir Infected: Trojan.Win32.Monder.arx 1
C:\QooBox\Quarantine\C\WINDOWS\system32\htcufuve.dll.vir Infected: Trojan.Win32.Monder.ary 1
C:\QooBox\Quarantine\C\WINDOWS\system32\hvwyihvi.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ihhlpftb.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jhjncfwq.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jnbgbq.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jqnhid.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ksctgome.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\kwifwbpe.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lrawjlci.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lxfjqjoj.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nxlwvchp.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\qangib.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\qgkwxfro.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rdwqbpam.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rmwtryjx.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sfvckbto.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sjvqycxr.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\svuyoyoy.0ll.vir Infected: Trojan.Win32.Monder.alz 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ujjhyo.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\vtareapy.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wdpsneiu.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wgfetqts.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wmcjytga.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wrfyuyae.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wwxojp.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\xlkpfoks.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\xwbetw.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ydcljfnb.0ll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ykmmmjnm.0ll.vir Infected: Trojan.Win32.Monder.alz 1
The selected area was scanned.
stunner37
2008-07-23, 03:55
I was on my way out when uploading the logs and the ComboFix log is so big it froze the pc. I will upload it in a few hours when I get home again. Thanks again for all the help..
stunner37
2008-07-23, 09:03
ComboFix 08-07-20.A0 - Ashley 2008-07-22 9:51:36.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.624 [GMT -6:00]
Running from: C:\Documents and Settings\Ashley\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ashley\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\BMa7cabbd1.xml
C:\WINDOWS\system32\bapxooih.dll
C:\WINDOWS\system32\bmwxtcrt.dll
C:\WINDOWS\system32\bnzkcb.0ll
C:\WINDOWS\system32\bwjymhle.0ll
C:\WINDOWS\system32\corgetiu.dll
C:\WINDOWS\system32\deyhmuww.0ll
C:\WINDOWS\system32\eahwhe.0ll
C:\WINDOWS\system32\flxleaki.dll
C:\WINDOWS\system32\hvwyihvi.0ll
C:\WINDOWS\system32\ihhlpftb.0ll
C:\WINDOWS\system32\irkeeolo.dll
C:\WINDOWS\system32\jhjncfwq.0ll
C:\WINDOWS\system32\jnbgbq.0ll
C:\WINDOWS\system32\jqnhid.0ll
C:\WINDOWS\system32\ksctgome.0ll
C:\WINDOWS\system32\kwifwbpe.0ll
C:\WINDOWS\system32\lmaqhmum.dll
C:\WINDOWS\system32\lrawjlci.0ll
C:\WINDOWS\system32\lxfjqjoj.0ll
C:\WINDOWS\system32\mhcsjrry.dll
C:\WINDOWS\system32\nbcmlrvy.dll
C:\WINDOWS\system32\nxlwvchp.0ll
C:\WINDOWS\system32\petvxnlp.dll
C:\WINDOWS\system32\pnhumodf.dll
C:\WINDOWS\system32\qangib.0ll
C:\WINDOWS\system32\qfaeuifh.dll
C:\WINDOWS\system32\qgkwxfro.0ll
C:\WINDOWS\system32\rdwqbpam.0ll
C:\WINDOWS\system32\rmwtryjx.0ll
C:\WINDOWS\system32\rqwlbrfu.dll
C:\WINDOWS\system32\rtmnlokg.dll
C:\WINDOWS\system32\seycrnuc.dll
C:\WINDOWS\system32\sfvckbto.0ll
C:\WINDOWS\system32\sjvqycxr.0ll
C:\WINDOWS\system32\sslulvaa.dll
C:\WINDOWS\system32\svuyoyoy.0ll
C:\WINDOWS\system32\taskkill.exe
C:\WINDOWS\system32\ujjhyo.0ll
C:\WINDOWS\system32\vtareapy.0ll
C:\WINDOWS\system32\wdpsneiu.0ll
C:\WINDOWS\system32\wgfetqts.0ll
C:\WINDOWS\system32\wmcjytga.0ll
C:\WINDOWS\system32\wrfyuyae.0ll
C:\WINDOWS\system32\wwxojp.0ll
C:\WINDOWS\system32\xfxbomxq.dll
C:\WINDOWS\system32\xlkpfoks.0ll
C:\WINDOWS\system32\xwbetw.0ll
C:\WINDOWS\system32\ydcljfnb.0ll
C:\WINDOWS\system32\ykmmmjnm.0ll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\!KillBox
C:\!KillBox\Logs\kb.log
C:\Documents and Settings\Ashley\!
C:\Documents and Settings\Ashley\!\'' MuLTI8 poke r file 2007 2008 windows xp.htm
C:\Documents and Settings\Ashley\!\'For Dummies' eBook Collection[www scifitorrents net].htm
C:\Documents and Settings\Ashley\!\-- 99dpi.htm
C:\Documents and Settings\Ashley\!\-- B -- 21 thousand books by (prisoner520).htm
C:\Documents and Settings\Ashley\!\-- C -- 21 thousand books by (prisoner520).htm
C:\Documents and Settings\Ashley\!\- - Food - Chinese Vegetarian Cooking Recipes.pdf.htm
C:\Documents and Settings\Ashley\!\- -Naguib Mahfouz complete works-Arabic PDF-gWm rar.htm
C:\Documents and Settings\Ashley\!\- 10 Magic Tricks eBooks - Become a Magican!!.htm
C:\Documents and Settings\Ashley\!\- Aristotle - Complete Works.pdf.htm
C:\Documents and Settings\Ashley\!\- Demonoid com -Handbooks for designers and engineers CD 2 55048771 9096.htm
C:\Documents and Settings\Ashley\!\- Demonoid com -Mark Steyn Ameria Alone The End of the World as We Know It 5719762 3766.htm
C:\Documents and Settings\Ashley\!\- Dostoevskij - L'idiota pdf.htm
C:\Documents and Settings\Ashley\!\- Engineering - (ebook - PDF) - Matlab Programming pdf.htm
C:\Documents and Settings\Ashley\!\- Non comprate questi jeans !!!.htm
C:\Documents and Settings\Ashley\!\- Report -Easy Clickbank Cash.htm
C:\Documents and Settings\Ashley\!\- Sams, Teach Yourself Uml In 24 Hours (2004), 3Ed.pdf.htm
C:\Documents and Settings\Ashley\!\- Soeur Marie Theacute;regrave;se Des Batignolles Tome 5 - Fluide Glacial - pdf.htm
C:\Documents and Settings\Ashley\!\- The Fountainhead (MERC).htm
C:\Documents and Settings\Ashley\!\- The Persona of the Junkie.htm
C:\Documents and Settings\Ashley\!\-[mininova org]- 'Are We Prisoners of Our Genes' - 2004 pdf.htm
C:\Documents and Settings\Ashley\!\-=Codex-Creations=-CP ITEPCHSCG3E Jan 2008 eBook-BBL.htm
C:\Documents and Settings\Ashley\!\-=Codex-Creations=-CP ITEPCHSLSG3E Jan 2008 eBook-BBL.htm
C:\Documents and Settings\Ashley\!\-A Communicative Grammar of English.htm
C:\Documents and Settings\Ashley\!\-Demonoid com- Sperm Wars Infidelity Sexual Conflict and Other Bedroom Battles5719762 3766.htm
C:\Documents and Settings\Ashley\!\-Demonoid com-Anne Todd McCaffrey Dragon Harper Unabridged 1759597 6758.htm
C:\Documents and Settings\Ashley\!\-Ebook- How To Be Creative.htm
C:\Documents and Settings\Ashley\!\-Ebook -( Everyones An Expert In Something).htm
C:\Documents and Settings\Ashley\!\-Ebookby Seth Godin (KnockKnock) (How ToMake Your Website WorkEffectively).htm
C:\Documents and Settings\Ashley\!\-Encyclopedia of Card Tricks.htm
C:\Documents and Settings\Ashley\!\-engComputer Arts 2003 (7 issues).htm
C:\Documents and Settings\Ashley\!\-engKNIGHTS OF FUZZ-(eBook).htm
C:\Documents and Settings\Ashley\!\-engLetterhead & Logo Designs.htm
C:\Documents and Settings\Ashley\!\-engLogo Design Workbook (adams morioka).htm
C:\Documents and Settings\Ashley\!\-engManuale di Officina ALFA 75 ENG.htm
C:\Documents and Settings\Ashley\!\-Gustave Flaubert Madame Bovary in both LIT and PDF.htm
C:\Documents and Settings\Ashley\!\-ita1000.E.Book.Italiano.EnergieBox.rar.htm
C:\Documents and Settings\Ashley\!\-Learn Guitar Fretboard In 10 Mins.htm
C:\Documents and Settings\Ashley\!\-skole(laereboger).rar.htm
C:\Documents and Settings\Ashley\!\-The ArtScience of Web Design FULL!.htm
C:\Documents and Settings\Ashley\!\-Windows Vista 2007 5-11.htm
C:\Documents and Settings\Ashley\!\-Wireless Technicians Handbook.htm
C:\Documents and Settings\Ashley\!\! ! - World Of Warcraft - Gold and Leveling Guide pdf.htm
C:\Documents and Settings\Ashley\!\! ! - World Of Warcraft - Gold Farming and Leveling Secrets pdf.htm
C:\Documents and Settings\Ashley\!\! ! ! END OF TIMES Web Site ! ! !.htm
C:\Documents and Settings\Ashley\!\! ! ! EVIDENCES OF CREATION Web Site ! ! !.htm
C:\Documents and Settings\Ashley\!\! ! ! EVOLUTION DECEIT ! ! !.htm
C:\Documents and Settings\Ashley\!\! ! ! Evolution Documentary ! ! !.htm
C:\Documents and Settings\Ashley\!\! ! ! Insight-magazine ! ! !.htm
C:\Documents and Settings\Ashley\!\! ! ! ISLAM AND BUDDHISM ! ! !.htm
C:\Documents and Settings\Ashley\!\! ! ! ISLAM AND KARMA ! ! !.htm
C:\Documents and Settings\Ashley\!\! ! ! Islam denounces antisemitism ! ! !.htm
C:\Documents and Settings\Ashley\!\! ! ! Islam denounces terrorism ! ! !.htm
C:\Documents and Settings\Ashley\!\! ! ! JESUS WILL RETURN ! ! !.htm
C:\Documents and Settings\Ashley\!\! ! ! Living-fossils ! ! !.htm
C:\Documents and Settings\Ashley\!\! ! ! MIRACLES OF THE QURAN ! ! !.htm
C:\Documents and Settings\Ashley\!\! ! ! Secret beyond matter ! ! !.htm
C:\Documents and Settings\Ashley\!\! ! ! THE STONE AGE ! ! !.htm
C:\Documents and Settings\Ashley\!\! ! Earn hundreds each month from home, US only! pdf.htm
C:\Documents and Settings\Ashley\!\! ! Learn how to get PAID to search on Google pdf.htm
C:\Documents and Settings\Ashley\!\! # (1 profitable secret) - ebook manual.htm
C:\Documents and Settings\Ashley\!\! # (A Saxonfreed guide to increasing your wealth) - 15 complete methods (part 1 of 8).htm
C:\Documents and Settings\Ashley\!\! # (roulette trick) - updated - real version.htm
C:\Documents and Settings\Ashley\!\! # (The Perfect Blackjack System) - complete ebook.htm
C:\Documents and Settings\Ashley\!\! # (theroulettesystem) complete ebook.htm
C:\Documents and Settings\Ashley\!\! # (Working from Home) - A complete guide from Saxonfreed.htm
C:\Documents and Settings\Ashley\!\! # (Your preparation guide for Christmas!).htm
C:\Documents and Settings\Ashley\!\! # 21 Amazing Sites That Your Probably Havent Visited.htm
C:\Documents and Settings\Ashley\!\! # 21 Cool Websites You Never Visited.htm
C:\Documents and Settings\Ashley\!\! # A How to make anyone fall in love with you.htm
C:\Documents and Settings\Ashley\!\! # Affiliate Guide For Online Marketing - Dotcomology video (The Secret).htm
C:\Documents and Settings\Ashley\!\! # AMedical Head to Toe Assessment Tool for Nurses & Nursing Students.htm
C:\Documents and Settings\Ashley\!\! # Antony Sutton - Wall Street and the Rise of Hitler (1976) pdf.htm
C:\Documents and Settings\Ashley\!\! # Avi Fristars Forex Trading Machine and Other Forex Systems.htm
C:\Documents and Settings\Ashley\!\! # BenGurion Scandals, How the Mossad Eliminated Jews (2003) pdf.htm
C:\Documents and Settings\Ashley\!\! # Bodyweight Excercises & Tips with Illustrations pdf.htm
C:\Documents and Settings\Ashley\!\! # Crash Course To Affiliate Marketing v. 1.0 e-Book.htm
C:\Documents and Settings\Ashley\!\! # CREATION OF UNIVERSE Web site.htm
C:\Documents and Settings\Ashley\!\! # Douglas Reed - The Controversy of Zion (2004) pdf.htm
C:\Documents and Settings\Ashley\!\! # eBay Entrepreneur Kit zip.htm
C:\Documents and Settings\Ashley\!\! # ebay tools with crack ebooks templates latest 2008 (clean and tested) rar.htm
C:\Documents and Settings\Ashley\!\! # Edwin Wright - The Great Zionist Cover-Up (1975) pdf.htm
C:\Documents and Settings\Ashley\!\! # Engineering - The Illustrated Dictionary Of Electronics - eBook pdf.htm
C:\Documents and Settings\Ashley\!\! # Fibonacci Numbers And The Golden Section pdf - (REVEALED).htm
C:\Documents and Settings\Ashley\!\! # God Wants You Dead -- Sean Hastings - Paul Rosenberg.htm
C:\Documents and Settings\Ashley\!\! # God Wants You Dead.pdf -- A truly unusual book by Sean Hastings and Paul Rosenberg.htm
C:\Documents and Settings\Ashley\!\! # How to Draw Comic Book Heroes and Villains Part 2 Zap! Pow! Crunch! 2008 Edition.htm
C:\Documents and Settings\Ashley\!\! # Israel Shamir - Galilee Flowers, The Collected Essays (2002) pdf.htm
C:\Documents and Settings\Ashley\!\! # Israel Shamir - Pardes, A Study In Cabbala (2007) pdf.htm
C:\Documents and Settings\Ashley\!\! # John Sack - An Eye for an Eye, A Story of Revenge (1993) pdf.htm
C:\Documents and Settings\Ashley\!\! # Le Monde 10 11 07.htm
C:\Documents and Settings\Ashley\!\! # Make Money Online Trading Forex.htm
C:\Documents and Settings\Ashley\!\! # Maximising wealth - wealth building techniques for the 21st century part 2.htm
C:\Documents and Settings\Ashley\!\! # Maximising wealth - wealth building techniques for the 21st century.htm
C:\Documents and Settings\Ashley\!\! # Noam Chomsky - The U S AIsrael, and the Palestinians (1999) pdf.htm
C:\Documents and Settings\Ashley\!\! ## HOW TO BECOME RICH IN 30 MINUTES - RCG 07.htm
C:\Documents and Settings\Ashley\!\! #`OReilly.Learning.PHP.and.MySQL.Pdf -430 Pages [ pdfwiki.blogspot.com ].htm
C:\Documents and Settings\Ashley\!\! #2008 Movies - A Complete list. (e-book) pdf.htm
C:\Documents and Settings\Ashley\!\! #Andrew Loomis - Fun With A Pencil.PDF (how everybody can easily learn to draw).htm
C:\Documents and Settings\Ashley\!\! #Biggest World Secrets.Pdf (e-books).htm
C:\Documents and Settings\Ashley\!\! #Fibonacci Numbers And The Golden Section pdf.htm
C:\Documents and Settings\Ashley\!\! #FLASH_ActionScript_Reference_Guide (816 Pages PDF) ( pdfwiki.blogspot.com ).htm
C:\Documents and Settings\Ashley\!\! #Gardening Basics for Dummies - S. Frowine.pdf (eBook).htm
C:\Documents and Settings\Ashley\!\! #Hacking For Dummies - Access To Other Peoples Systems Made Simple.pdf (eBook).htm
C:\Documents and Settings\Ashley\!\! #Home Networking for Dummies 3rd Ed 2005.pdf (eBook).htm
C:\Documents and Settings\Ashley\!\! #Horacio Altuna - The Postman Alwais Comes Twice - Full Color.htm
C:\Documents and Settings\Ashley\!\! #How to Copy CD to CD (e-Book).pdf.htm
C:\Documents and Settings\Ashley\!\! #How to Create an Audio CD (e-Book).pdf.htm
C:\Documents and Settings\Ashley\!\! #How to Draw Comic Book Heroes and Villains Part 2 Zap! Pow! Crunch!.htm
C:\Documents and Settings\Ashley\!\! #How to Draw General Anime Faces pdf.htm
C:\Documents and Settings\Ashley\!\! #How to Draw Human (female) Body pdf.htm
C:\Documents and Settings\Ashley\!\! #How to Start Writing to a Basic Data CD.htm
C:\Documents and Settings\Ashley\!\! #JRR Tolkien - Lord of the Rings Collection (including The Hobbitt) (Ebook).Pdf.htm
C:\Documents and Settings\Ashley\!\! #Knife Fighting Techniques From Folsom Prison (Demo with Pictures).htm
C:\Documents and Settings\Ashley\!\! #Learn Martial Arts - Complete Book Of Wrists Locks.pdf (eBook).htm
C:\Documents and Settings\Ashley\!\! #Learn to Draw Landscape to Portrait- Easy Illustrated Lessons pdf.htm
C:\Documents and Settings\Ashley\!\! #Learn to Draw Manga Characters (39 pages) PDF.htm
C:\Documents and Settings\Ashley\!\! #Martial Arts-The Underground Guide To Warrior Fitness.ebook.PDF.htm
C:\Documents and Settings\Ashley\!\! #Martial Arts - Bruce Lees Training Secrets.pdf.htm
C:\Documents and Settings\Ashley\!\! #Mind Powers (How to Use and Control Your Unlimited Potential).ebook.PDF.htm
C:\Documents and Settings\Ashley\!\! #Neil Strauss - The Annihilation Method - Seduction Blueprint.htm
C:\Documents and Settings\Ashley\!\! #OReilly.Learning.PHP.and.MySQL.Pdf -430 Pagespdfwiki.htm
C:\Documents and Settings\Ashley\!\! #Photoshop CS2 -Learn Through Help (815 Pages PDF) ( pdfwiki.blogspot.com ).htm
C:\Documents and Settings\Ashley\!\! #Psychology - Instant Fact - How to Get the Truth Out of Anyone.eBook.Pdf.htm
C:\Documents and Settings\Ashley\!\Zygors Horde World of Warcraft 1-70 Leveling Guide - Coltboy.htm
C:\Temp\syschk3
C:\WINDOWS\BMa7cabbd1.xml
C:\WINDOWS\system32\bapxooih.dll
C:\WINDOWS\system32\bmwxtcrt.dll
C:\WINDOWS\system32\bnzkcb.0ll
C:\WINDOWS\system32\bwjymhle.0ll
C:\WINDOWS\system32\corgetiu.dll
C:\WINDOWS\system32\deyhmuww.0ll
C:\WINDOWS\system32\eahwhe.0ll
C:\WINDOWS\system32\flxleaki.dll
C:\WINDOWS\system32\hvwyihvi.0ll
C:\WINDOWS\system32\ihhlpftb.0ll
C:\WINDOWS\system32\irkeeolo.dll
C:\WINDOWS\system32\jhjncfwq.0ll
C:\WINDOWS\system32\jnbgbq.0ll
C:\WINDOWS\system32\jqnhid.0ll
C:\WINDOWS\system32\ksctgome.0ll
C:\WINDOWS\system32\kwifwbpe.0ll
C:\WINDOWS\system32\lmaqhmum.dll
C:\WINDOWS\system32\lrawjlci.0ll
C:\WINDOWS\system32\lxfjqjoj.0ll
C:\WINDOWS\system32\mhcsjrry.dll
C:\WINDOWS\system32\modtrux05
C:\WINDOWS\system32\nbcmlrvy.dll
C:\WINDOWS\system32\nxlwvchp.0ll
C:\WINDOWS\system32\petvxnlp.dll
C:\WINDOWS\system32\pnhumodf.dll
C:\WINDOWS\system32\qangib.0ll
C:\WINDOWS\system32\qfaeuifh.dll
C:\WINDOWS\system32\qgkwxfro.0ll
C:\WINDOWS\system32\rdwqbpam.0ll
C:\WINDOWS\system32\rmwtryjx.0ll
C:\WINDOWS\system32\rqwlbrfu.dll
C:\WINDOWS\system32\rtmnlokg.dll
C:\WINDOWS\system32\seycrnuc.dll
C:\WINDOWS\system32\sfvckbto.0ll
C:\WINDOWS\system32\sjvqycxr.0ll
C:\WINDOWS\system32\sslulvaa.dll
C:\WINDOWS\system32\svuyoyoy.0ll
C:\WINDOWS\system32\taskkill.exe
stunner37
2008-07-23, 09:05
C:\WINDOWS\system32\ujjhyo.0ll
C:\WINDOWS\system32\vtareapy.0ll
C:\WINDOWS\system32\wdpsneiu.0ll
C:\WINDOWS\system32\wgfetqts.0ll
C:\WINDOWS\system32\wmcjytga.0ll
C:\WINDOWS\system32\wrfyuyae.0ll
C:\WINDOWS\system32\wwxojp.0ll
C:\WINDOWS\system32\xfxbomxq.dll
C:\WINDOWS\system32\xlkpfoks.0ll
C:\WINDOWS\system32\xwbetw.0ll
C:\WINDOWS\system32\ydcljfnb.0ll
C:\WINDOWS\system32\ykmmmjnm.0ll
.
((((((((((((((((((((((((( Files Created from 2008-06-22 to 2008-07-22 )))))))))))))))))))))))))))))))
.
2008-07-14 21:20 . 2008-07-14 21:20 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-14 21:20 . 2008-07-14 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-14 20:07 . 2008-07-14 20:07 <DIR> d-------- C:\Program Files\CCleaner
2008-07-14 18:30 . 2008-07-14 18:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-14 17:52 . 2008-07-14 17:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-14 17:52 . 2008-07-16 03:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-08 20:33 . 2008-07-08 20:33 <DIR> d-------- C:\Documents and Settings\Dare\Application Data\Research In Motion
2008-07-08 20:25 . 2008-07-13 17:17 256 --a------ C:\Documents and Settings\Ashley\pool.bin
2008-06-25 22:49 . 2008-06-25 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-25 22:47 . 2008-07-13 19:01 <DIR> d-------- C:\Documents and Settings\Ashley\.housecall6.6
2008-06-25 20:24 . 2008-07-22 10:34 <DIR> d-------- C:\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 19:13 --------- d-----w C:\Documents and Settings\Ashley\Application Data\F-Secure
2008-06-30 03:38 --------- d-----w C:\Documents and Settings\Dare\Application Data\F-Secure
2008-06-29 02:23 --------- d-----w C:\Program Files\Semagic
2008-06-28 18:44 --------- d-----w C:\Program Files\LimeWire
2008-06-14 02:33 --------- d-----w C:\Program Files\Dell
2008-06-14 02:32 --------- d-----w C:\Program Files\PokerStars.NET
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2007-11-17 00:14 3,746 ----a-w C:\Documents and Settings\Ashley\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((( snapshot@2008-07-14_19.34.08.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
- 2008-06-14 02:41:44 593,920 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-07-22 00:48:37 593,920 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-06-14 02:41:44 12,288 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-07-22 00:48:37 12,288 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-06-14 02:41:44 86,016 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-07-22 00:48:37 86,016 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-06-14 02:41:44 135,168 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-07-22 00:48:37 135,168 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-06-14 02:41:44 11,264 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-07-22 00:48:37 11,264 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-06-14 02:41:44 27,136 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-07-22 00:48:37 27,136 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-06-14 02:41:45 4,096 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-07-22 00:48:38 4,096 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-06-14 02:41:45 794,624 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-07-22 00:48:38 794,624 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-06-14 02:41:44 249,856 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-07-22 00:48:37 249,856 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-06-14 02:41:44 61,440 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-07-22 00:48:37 61,440 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-06-14 02:41:45 23,040 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-07-22 00:48:38 23,040 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-06-14 02:41:44 286,720 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-07-22 00:48:37 286,720 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-06-14 02:41:43 409,600 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-07-22 00:48:37 409,600 ----a-r C:\WINDOWS\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
+ 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-05-29 22:35:12 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-06-25 16:15:46 17,972,344 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-07-14 23:50:33 65,418 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-22 16:41:01 65,418 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-14 23:50:33 409,684 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-22 16:41:01 409,684 ----a-w C:\WINDOWS\system32\perfh009.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 11:48 761947]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 05:40 86960]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 05:40 218032]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 16:44 98304]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 16:45 118784]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 16:41 77824]
"F-Secure TNB"="C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" [2007-11-01 05:42 739936]
"F-Secure Manager"="C:\Program Files\Shaw Secure\Common\FSM32.EXE" [2007-11-01 05:42 182936]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-23 02:45 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
--a--c--- 2004-04-01 08:51 1589248 C:\dell\DellHelp\DellHelp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 10:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 02:24 20480 C:\Program Files\NetWaiting\netwaiting.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-07-12 19:05 1117184 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2007-05-02 19:16 184320 C:\Program Files\Dell\MediaDirect\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 09:56 236016 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-03-17 19:57]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\Shaw Secure\HIPS\fshs.sys [2008-03-17 19:57]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [2007-11-01 05:42]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys [2007-11-01 05:42]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys [2007-11-01 05:42]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-13 23:06:09 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-07-22 00:08:00 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\SHAWSE~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\SHAWSE~1\ANTI-V~1\report.txt
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 10:46:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\FWES\program\fsdfwd.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\PROGRA~1\SHAWSE~1\ANTI-V~1\fsav32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SHAWSE~1\Common\FSM32.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\SHAWSE~1\FSGUI\fsguidll.exe
.
**************************************************************************
.
Completion time: 2008-07-22 10:52:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-22 16:52:23
ComboFix2.txt 2008-07-22 00:35:44
ComboFix3.txt 2008-07-15 01:35:24
Pre-Run: 98,590,715,904 bytes free
Post-Run: 98,565,001,216 bytes free
44266 --- E O F --- 2008-07-22 04:43:57
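The log above lists randomly named system32 files with a ".0ll" extension (a digit zero where ".dll" would have a "d") and shows the Windows Firewall standard profile with "EnableFirewall"= 0. As an added example that is not part of this thread or of ComboFix, the Python below reads a constructed excerpt of that log and flags those two findings, plus a weaker random-name hint; the line layouts and the four-consonant threshold are assumptions taken from the log as pasted.

```python
"""Triage a ComboFix-style log for the artifacts seen in this thread
(added example, not part of the thread or of ComboFix).
Definite signals: a digit-for-letter extension (".0ll" for ".dll", ".0xe" for
".exe") and a firewallpolicy key whose EnableFirewall value is 0.
Weak hint: a system32 binary whose name has four or more consonants in a row,
typical of random Vundo names but also of a few legitimate files.
"""

import re

# Digit-for-letter extensions; only the two that appear in the thread's log.
LOOKALIKE_EXTENSIONS = {"0ll": "dll", "0xe": "exe"}
BINARY_EXTENSIONS = {"dll", "exe"} | set(LOOKALIKE_EXTENSIONS)

PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\]]*?)\s*$')   # trailing unquoted path
REG_KEY_RE = re.compile(r"^\[(.+)\]$")                   # [HKLM\...] header line
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")   # assumed threshold

# Constructed excerpt: a handful of lines copied from the log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\bapxooih.dll
C:\WINDOWS\system32\bnzkcb.0ll
C:\WINDOWS\system32\jhjncfwq.0ll
C:\WINDOWS\system32\mhcsjrry.dll
C:\WINDOWS\system32\taskkill.exe
.
2008-07-14 21:20 . 2008-07-14 21:20 <DIR> d-------- C:\Program Files\CCleaner
2008-06-25 22:49 . 2008-06-25 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

def split_path(path):
    """Return (directory, stem, lower-cased extension) for a backslash path."""
    directory, _, name = path.rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    if not dot:                       # no extension at all
        stem, ext = name, ""
    return directory, stem, ext.lower()

def extract_paths(log_text):
    """Collect unquoted paths: bare file lists, 'Files Created' and snapshot lines."""
    paths = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith('"'):      # registry value lines are handled separately
            continue
        match = PATH_RE.search(line)
        if match:
            paths.append(match.group(1))
    return paths

def find_lookalike_extensions(paths):
    """Definite signal: '.0ll' etc. slip past any filter keyed on '.dll'."""
    with_ext = [(p, split_path(p)[2]) for p in paths]
    return [(p, LOOKALIKE_EXTENSIONS[e]) for p, e in with_ext if e in LOOKALIKE_EXTENSIONS]

def find_random_names(paths):
    """Weak signal: system32 binary whose stem has four or more consonants in a row."""
    hits = []
    for directory, stem, ext, path in ((*split_path(p), p) for p in paths):
        if (directory.lower().endswith("\\system32") and ext in BINARY_EXTENSIONS
                and CONSONANT_RUN_RE.search(stem.lower())):
            hits.append(path)
    return hits

def find_firewall_disabled(log_text):
    """Follow [key] headers; report firewallpolicy keys whose EnableFirewall is 0."""
    disabled, key = [], ""
    for line in (raw.strip() for raw in log_text.splitlines()):
        header = REG_KEY_RE.match(line)
        if header:
            key = header.group(1)
            continue
        value = REG_VALUE_RE.match(line)
        if (value and value.group("name") == "EnableFirewall"
                and "firewallpolicy" in key.lower()
                and value.group("value").split()[:1] == ["0"]):
            disabled.append(key)
    return disabled

def triage(log_text):
    """Run all three checks over one log and return the findings by category."""
    paths = extract_paths(log_text)
    return {
        "lookalike_extensions": find_lookalike_extensions(paths),
        "random_names": find_random_names(paths),
        "firewall_disabled": find_firewall_disabled(log_text),
    }
```

Running `triage(SAMPLE_LOG)` flags the two .0ll files as definite, lists them and mhcsjrry.dll under the weak hint while leaving taskkill.exe alone, and reports the standardprofile key as having the firewall switched off.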
Hi
Delete following files:
C:\Documents and Settings\Ashley\.housecall6.6\Quarantine\flikiun.exe.bac_a02248
C:\Documents and Settings\Ashley\svchost.0xe
QooBox contents will be removed after ComboFix is uninstalled. Instructions below.
Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.
Now let's uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the runbox and click OK
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java versions and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 7 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications." and click the Download button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
Download Adaware
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48)
The program is available for download here (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1)
Download Spybot
Spybot is a scanner like Adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and protection measures. Spybot has preventive tools that stop programs from even installing on your computer.
To see how to set this up as well as more spybot features, see here (http://www.bleepingcomputer.com/forums/index.php?showtutorial=43)
Spybot can be downloaded at this location (http://www.download.com/Spybot-Search-Destroy/3000-8022-10122137.html?part=dl-spybot&subj=dl&tag=but)
Download SpywareBlaster
SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It makes "kill bits" in the registry, so that certain ActiveX controls can't install.
If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)
hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.
Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
See here (http://www.freebyte.com/antivirus/#firewalls) to choose one if your F-Secure doesn't contain a firewall and you don't have a hardware firewall.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
stunner37
2008-07-25, 00:42
FANTASTIC, thank you a million times over. I followed the steps you listed above and .. really can't thank you enough.
The computer is running better than it has in a long time. It did randomly crash when listening to an mp3 file, but I am assuming that is nothing since the virus scans are clean.
Again, thank you sooo much.
:angel:
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.