View Full Version : having problems removing virtumonde and smitfraud
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:53 AM, on 7/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\winself.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1139686249\ee\AOLSoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = By D&E Jazzd
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uoyzsydz.exe,
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139686249\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [bedpco] c:\windows\system32\bedpco.exe bedpco
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [8c5bd2a2] rundll32.exe "C:\WINDOWS\system32\jsymkfol.dll",b
O4 - HKLM\..\Run: [BM8f68e13e] Rundll32.exe "C:\WINDOWS\system32\idulqtnq.dll",s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7816] command /c del "C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5278] cmd /c del "C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3367] command /c del "C:\WINDOWS\SYSTEM32\cbXPgEtS.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8837] cmd /c del "C:\WINDOWS\SYSTEM32\cbXPgEtS.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6276] command /c del "C:\WINDOWS\SYSTEM32\idulqtnq.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9475] cmd /c del "C:\WINDOWS\SYSTEM32\idulqtnq.dll_old"
O4 - HKCU\..\Policies\Explorer\Run: [{8C5BD20D-0AE9-1033-0110-050412200001}] "C:\Program Files\Common Files\{8C5BD20D-0AE9-1033-0110-050412200001}\Update.exe" te-110-12-0000073
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Kel\Local Settings\Temp\{0EB6FF53-8AE8-4A4C-A157-27F0368B225D}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {04CCFF26-7D52-4E42-BF6A-F8ECE0896EB7} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1071_XP.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Risk/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gamesville.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {3DAD912E-D2B9-4323-B7C9-7F2C5CC0C57B} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1070_XP.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8D8BAF56-B581-4B90-A549-C4AC6B03F1BB} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1074_XP.cab
O16 - DPF: {95460ABD-946A-46FF-9F56-268718323EEE} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1068_XP.cab
O16 - DPF: {BA749BC1-143E-430D-B1DA-1D2AF67A3658} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1069_XP.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C2481ED1-9896-4D49-AE90-69858DFDE446} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1073_XP.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Risk/Images/armhelper.ocx
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E24E8472-89B7-479F-8AD8-BBD7206A6A02} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1067_XP.cab
O16 - DPF: {EC4AFBF3-4540-4306-AF10-4CAC509EA16B} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1074_ASPIV4_XP.cab
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} - http://static.35mb.com/applet/applet_o.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: mszb32.dll - {B1F43681-88F8-FC7B-3582-4440AA32AC9C} - c:\windows\system32\mszb32.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe (file missing)
--
End of file - 10912 bytes
shelf life
2008-07-29, 00:52
hi ghent52,
ok we will get two downloads to use. the first is Sdfix which runs in safe mode. the second is combofix. you can get them both at the same time, run sdfix first, followed by combofix.
links and directions:
sdfix:
Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
combofix:
Download combofix from one of these links and save it to your Desktop:
http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.
post:
the sdfix log
the combofix log
a new hjt log
thanks for the response, here are the new reports.
SDFix:
SDFix: Version 1.209
Run by Kel on Mon 07/28/2008 at 06:39 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Kel\Desktop\SDFix
Checking Services :
Name :
MsSecurity1.209.4
Path :
C:\WINDOWS\winself.exe service
MsSecurity1.209.4 - Deleted
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\cbXPgEtS.dll - Deleted
C:\WINDOWS\SYSTEM32\TASKKILL.EXE - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\WINDOWS\astctl32.ocx - Deleted
C:\WINDOWS\ctfmon32.exe - Deleted
C:\WINDOWS\directx32.exe - Deleted
C:\WINDOWS\dnsrelay.dll - Deleted
C:\WINDOWS\explorer32.exe - Deleted
C:\WINDOWS\funniest.exe - Deleted
C:\WINDOWS\funny.exe - Deleted
C:\WINDOWS\gfmnaaa.dll - Deleted
C:\WINDOWS\helpcvs.exe - Deleted
C:\WINDOWS\inetinf.exe - Deleted
C:\WINDOWS\internet.exe - Deleted
C:\WINDOWS\mainms.vpi - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\msspi.dll - Deleted
C:\WINDOWS\mswsc10.dll - Deleted
C:\WINDOWS\mswsc20.dll - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\quicken.exe - Deleted
C:\WINDOWS\rundll32.vbe - Deleted
C:\WINDOWS\searchword.dll - Deleted
C:\WINDOWS\svcinit.exe - Deleted
C:\WINDOWS\system32\hljwugsf.bin - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\time.exe - Deleted
C:\WINDOWS\winself.exe - Deleted
C:\WINDOWS\xplugin.dll - Deleted
C:\WINDOWS\Fonts\*.zip - 1 File(s) 115,980 bytes - Deleted
Could Not Remove C:\WINDOWS\system32\drivers\core.cache.dsk
Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 18:49:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Disabled:TaskPanl"
"C:\\Program Files\\America Online 9.0b\\waol.exe"="C:\\Program Files\\America Online 9.0b\\waol.exe:*:Disabled:America Online 9.0b"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Disabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Disabled:AOLTsMon"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Disabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Disabled:Yahoo! Messenger"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Disabled:avginet.exe"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1139686249\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1139686249\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1139686249\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1139686249\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"D:\\Setup.exe"="D:\\Setup.exe:*:Enabled:Setup"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Kel\\Desktop\\aim.exe"="C:\\Documents and Settings\\Kel\\Desktop\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0b\\waol.exe"="C:\\Program Files\\America Online 9.0b\\waol.exe:*:Enabled:America Online 9.0b"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files :
C:\WINDOWS\system32\drivers\core.cache.dsk Found
File Backups: - C:\DOCUME~1\Kel\Desktop\SDFix\backups\backups.zip
Files with Hidden Attributes :
Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\PX.DLL"
Wed 28 Jul 2004 56,832 A..H. --- "C:\DELL\PXCPYA64.EXE"
Wed 28 Jul 2004 108,544 A..H. --- "C:\DELL\PXCPYI64.EXE"
Wed 18 Aug 2004 389,120 A..H. --- "C:\DELL\PXDRV.DLL"
Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\PXHELP20.SYS"
Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\PXHELP64.SYS"
Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\PXHELPER.SYS"
Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\PXHLPA64.SYS"
Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\PXHPINST.EXE"
Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\PXINSA64.EXE"
Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\PXMAS.DLL"
Wed 28 Jul 2004 57,344 A..H. --- "C:\DELL\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\PXWAVE.DLL"
Thu 20 May 2004 28,672 A..H. --- "C:\DELL\VXBLOCK.DLL"
Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\MEDIAEXE\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\MEDIAEXE\PX.DLL"
Wed 28 Jul 2004 56,832 A..H. --- "C:\DELL\MEDIAEXE\PXCPYA64.EXE"
Wed 28 Jul 2004 108,544 A..H. --- "C:\DELL\MEDIAEXE\PXCPYI64.EXE"
Wed 18 Aug 2004 389,120 A..H. --- "C:\DELL\MEDIAEXE\PXDRV.DLL"
Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\MEDIAEXE\PXHELP20.SYS"
Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\MEDIAEXE\PXHELP64.SYS"
Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\MEDIAEXE\PXHELPER.SYS"
Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\MEDIAEXE\PXHLPA64.SYS"
Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXHPINST.EXE"
Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\MEDIAEXE\PXINSA64.EXE"
Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\MEDIAEXE\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\MEDIAEXE\PXMAS.DLL"
Wed 28 Jul 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\MEDIAEXE\PXWAVE.DLL"
Thu 20 May 2004 28,672 A..H. --- "C:\DELL\MEDIAEXE\VXBLOCK.DLL"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 18 Jul 2008 706,136 A.SH. --- "C:\WINDOWS\SYSTEM32\jwvvvmpt.tmp"
Thu 21 Apr 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 22 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT21.tmp"
Thu 21 Apr 2005 4,348 ...H. --- "C:\Documents and Settings\Kel\My Documents\My Music\License Backup\drmv1key.bak"
Tue 20 Sep 2005 20 A..H. --- "C:\Documents and Settings\Kel\My Documents\My Music\License Backup\drmv1lic.bak"
Thu 5 May 2005 312 A.SH. --- "C:\Documents and Settings\Kel\My Documents\My Music\License Backup\drmv2key.bak"
Finished!
combofix:
ComboFix 08-07-28.4 - Kel 2008-07-28 18:58:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.131 [GMT -4:00]
Running from: C:\Documents and Settings\Kel\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Common Files\{8C5BD~1
C:\Program Files\outlook
C:\WINDOWS\444.470
C:\WINDOWS\BM8f68e13e.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\egdaccess_aspiv4.inf
C:\WINDOWS\Downloaded Program Files\sysiasvc32.inf
C:\WINDOWS\msskinner
C:\WINDOWS\pskt.ini
c:\WINDOWS\SYSTEM32\bedpco.dat
c:\WINDOWS\SYSTEM32\bedpco_nav.dat
C:\WINDOWS\system32\bedpco_navps.dat
C:\WINDOWS\system32\bljuwlfq.dll
C:\WINDOWS\system32\CcIOVyay.ini
C:\WINDOWS\SYSTEM32\CcIOVyay.ini2
C:\WINDOWS\system32\drivers\TOSIDEE.sys
C:\WINDOWS\SYSTEM32\eOoqBcfe.ini
C:\WINDOWS\SYSTEM32\eOoqBcfe.ini2
C:\WINDOWS\system32\fdecbbabbfb.dll
C:\WINDOWS\system32\gbehtjfj.ini
C:\WINDOWS\SYSTEM32\IjkTCcfe.ini
C:\WINDOWS\SYSTEM32\IjkTCcfe.ini2
C:\WINDOWS\SYSTEM32\jwvvvmpt.ini
C:\WINDOWS\system32\lofkmysj.ini
C:\WINDOWS\system32\luttencj.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\opuwts.dll
C:\WINDOWS\SYSTEM32\qflwujlb.ini
C:\WINDOWS\system32\qoMeEttt.dll
C:\WINDOWS\system32\sjghrngc.dll
C:\WINDOWS\system32\tnmqjavf.ini
C:\WINDOWS\system32\tttEeMoq.ini
C:\WINDOWS\SYSTEM32\tttEeMoq.ini2
C:\WINDOWS\system32\ulovid.dll
C:\WINDOWS\SYSTEM32\upyufycj.ini
C:\WINDOWS\system32\wcbwqmjg.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TOSIDEE
-------\Service_TOSIDEE
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))
.
2008-07-28 19:05 . 2008-07-28 19:05 294 ---hs---- C:\WINDOWS\SYSTEM32\upyufycj.ini
2008-07-28 18:45 . 2008-07-28 18:45 167,976 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-07-28 18:30 . 2008-07-28 18:31 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-28 18:26 . 2008-07-28 00:39 <DIR> d-------- C:\SDFix
2008-07-28 18:16 . 2008-07-28 18:16 83,456 --a------ C:\WINDOWS\SYSTEM32\jcyfuypu.dll
2008-07-28 18:13 . 2008-07-28 18:13 105,472 --a------ C:\WINDOWS\SYSTEM32\vkfwpwge.dll
2008-07-28 18:13 . 2008-07-28 18:13 105,472 --a------ C:\WINDOWS\SYSTEM32\grzmsq.dll
2008-07-28 18:10 . 2008-07-28 18:10 91,648 --a------ C:\WINDOWS\SYSTEM32\tpmhokox.dll
2008-07-27 23:01 . 2008-07-27 23:01 83,456 --a------ C:\WINDOWS\SYSTEM32\jfjthebg.dll
2008-07-27 22:58 . 2008-07-27 22:58 105,472 --a------ C:\WINDOWS\SYSTEM32\omycbutn.dll
2008-07-27 22:58 . 2008-07-27 22:58 105,472 --a------ C:\WINDOWS\SYSTEM32\ibxkzz.dll
2008-07-27 01:06 . 2008-07-27 01:06 <DIR> d-------- C:\SIMEARTH
2008-07-26 23:01 . 2008-07-26 23:02 83,456 --a------ C:\WINDOWS\SYSTEM32\jsymkfol.dll
2008-07-26 22:58 . 2008-07-26 22:58 105,472 --a------ C:\WINDOWS\SYSTEM32\zovsgy.dll
2008-07-26 22:58 . 2008-07-26 22:58 105,472 --a------ C:\WINDOWS\SYSTEM32\tcobkauo.dll
2008-07-25 22:59 . 2008-07-25 22:59 83,456 --a------ C:\WINDOWS\SYSTEM32\fvajqmnt.dll
2008-07-25 22:56 . 2008-07-25 22:56 105,472 --a------ C:\WINDOWS\SYSTEM32\wwmakw.dll
2008-07-25 22:56 . 2008-07-25 22:56 105,472 --a------ C:\WINDOWS\SYSTEM32\vqiiqehb.dll
2008-07-24 22:18 . 2008-07-24 22:18 83,456 --a------ C:\WINDOWS\SYSTEM32\gjmqwbcw.dll
2008-07-24 22:15 . 2008-07-24 22:15 105,472 --a------ C:\WINDOWS\SYSTEM32\rlryds.dll
2008-07-24 22:15 . 2008-07-24 22:15 105,472 --a------ C:\WINDOWS\SYSTEM32\dkjdwham.dll
2008-07-20 00:51 . 2008-07-20 00:52 1,160 --a------ C:\WINDOWS\mozver.dat
2008-07-19 17:50 . 2008-07-19 17:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-19 17:50 . 2008-07-19 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-19 10:50 . 2008-07-19 10:50 <DIR> d-------- C:\Program Files\Windows Defender
2008-07-19 03:01 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-07-19 02:58 . 2008-07-19 02:58 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-19 02:21 . 2008-07-19 19:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-19 01:59 . 2008-07-19 01:59 73 --a------ C:\WINDOWS\st_affiliate.ini
2008-07-18 23:53 . 2008-07-18 23:53 230 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.inf
2008-07-18 03:14 . 2008-07-18 03:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-18 02:55 . 2008-07-18 02:55 706,136 --ahs---- C:\WINDOWS\SYSTEM32\jwvvvmpt.tmp
2008-07-18 01:25 . 2008-07-28 16:57 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-18 01:22 . 2008-07-28 17:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-07-18 01:22 . 2008-07-18 21:37 <DIR> d-------- C:\Documents and Settings\Kel\Application Data\AVGTOOLBAR
2008-07-18 01:22 . 2008-07-18 01:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-18 01:22 . 2008-07-18 01:22 96,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-07-18 01:22 . 2008-07-18 01:22 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-07-17 22:25 . 2008-07-17 22:25 73 --a------ C:\WINDOWS\4173.bat
2008-07-17 19:58 . 2008-07-20 17:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\6148
2008-07-17 19:00 . 2008-07-17 19:00 <DIR> d--hs---- C:\Documents and Settings\LocalService\UserData
2008-07-17 18:59 . 2008-07-17 18:59 <DIR> d-------- C:\WINDOWS\SYSTEM32\aumsDK06
2008-07-17 18:58 . 2008-07-17 22:25 121,344 --a------ C:\WINDOWS\task32.exe
2008-07-17 18:58 . 2008-07-17 18:58 73 --a------ C:\WINDOWS\3586.bat
2008-07-17 18:57 . 2008-07-17 18:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\vdll
2008-07-17 18:57 . 2008-07-17 18:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\dv32
2008-07-17 18:57 . 2008-07-17 18:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\bin1
2008-07-17 18:57 . 2008-07-18 00:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\BDE
2008-07-17 18:57 . 2008-07-17 18:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\aumsDK18
2008-07-17 18:57 . 2008-07-17 18:58 <DIR> d-------- C:\TEMP\zpv201
2008-07-17 16:36 . 2008-07-17 16:36 268 --ah----- C:\sqmdata00.sqm
2008-07-17 16:36 . 2008-07-17 16:36 244 --ah----- C:\sqmnoopt00.sqm
2008-07-17 13:07 . 2008-07-28 19:05 111,548 --a------ C:\WINDOWS\BM8f68e13e.xml
2008-07-15 22:49 . 2008-07-15 22:49 32,768 --a------ C:\WINDOWS\SYSTEM32\aumsDK18\aumsDK182328.exe
2008-07-15 22:47 . 2008-07-15 22:47 32,768 --a------ C:\WINDOWS\SYSTEM32\aumsDK06\aumsDK061083.exe
2008-07-15 16:17 . 2008-07-15 16:17 <DIR> d-------- C:\Program Files\AVG
2008-07-14 01:53 . 2008-07-14 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FunGames
2008-07-12 23:51 . 2008-07-12 23:51 <DIR> d-------- C:\Program Files\MSN Messenger
2008-07-03 11:28 . 2008-06-13 09:10 272,128 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2008-07-03 11:28 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 23:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2008-07-27 05:13 --------- d-----w C:\Program Files\Trend Micro
2008-07-19 21:56 --------- d-----w C:\Program Files\Lavasoft
2008-07-19 07:01 --------- d-----w C:\Program Files\Java
2008-07-19 04:00 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-18 23:27 --------- d-----w C:\Program Files\Google
2008-07-18 17:53 --------- d-----w C:\Program Files\D&E Jazzd Self-Repair Technician
2008-07-18 07:15 --------- d-----w C:\Documents and Settings\Kel\Application Data\Lavasoft
2008-07-18 05:48 --------- d-----w C:\Program Files\Freeciv-2.1.4-gtk2
2008-07-18 05:47 --------- d-----w C:\Program Files\AntWar_at
2008-07-15 20:33 --------- d-----w C:\Program Files\Viewpoint
2008-07-15 20:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-13 06:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-26 06:57 --------- d-----w C:\Program Files\EACOM
2008-06-26 06:55 --------- d-----w C:\Program Files\EA SPORTS
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53dd4007-9e10-458c-8735-b54c7115fcfc}]
2008-07-28 18:13 105472 --a------ C:\WINDOWS\system32\grzmsq.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01 110592]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-03-22 11:48 26112]
"HostManager"="C:\Program Files\Common Files\AOL\1139686249\ee\AOLSoftware.exe" [2006-05-09 20:24 50760]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50 114688]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-10-31 11:05 278528]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-10-31 11:18 101888]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-18 01:22 1232152]
"8c5bd2a2"="C:\WINDOWS\system32\jcyfuypu.dll" [2008-07-28 18:16 83456]
"BM8f68e13e"="C:\WINDOWS\system32\tpmhokox.dll" [2008-07-28 18:10 91648]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 07:00 53760 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48 176128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1139686249\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1139686249\\ee\\aim6.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-18 01:22]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-18 01:22]
S2 PlugPlayRPC;Plug and Play (RPC);C:\WINDOWS\portsv.exe service []
S3 adxapie;adxapie;C:\DOCUME~1\Kel\LOCALS~1\Temp\adxapie.sys []
.
Contents of the 'Scheduled Tasks' folder
2008-07-28 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -
BHO-{25D5FAE1-369F-4A14-9E58-17BC3A2486AC} - C:\WINDOWS\system32\efcBqoOe.dll
BHO-{5681AA18-555F-4964-A661-E6F0EB82A812} - C:\WINDOWS\system32\efcCTkjI.dll
BHO-{FECB8A9C-D65D-4998-BD3C-5398311A06E3} - C:\WINDOWS\system32\yayVOIcC.dll
WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
HKCU-Run-Yahoo! Pager - C:\Program Files\Yahoo!\Messenger\ypager.exe
HKCU-Run-BitTorrent - C:\Program Files\BitTorrent\bittorrent.exe
SSODL-mszb32.dll-{B1F43681-88F8-FC7B-3582-4440AA32AC9C} - c:\windows\system32\mszb32.dll
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Local Page = \blank.htm
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKLM-Main,Local Page = \blank.htm
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Window Title = By D&E Jazzd
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/keyword/%s
O8 -: &AIM Search - C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 -: {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 -: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 -: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O16 -: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
C:\WINDOWS\Downloaded Program Files\OSDED4D.OSD
C:\WINDOWS\Downloaded Program Files\InstallerControl.dll
O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Risk/Images/stg_drm.ocx
C:\WINDOWS\Downloaded Program Files\stg_drm.ocx
O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Risk/Images/armhelper.ocx
C:\WINDOWS\Downloaded Program Files\armhelper.ocx
O16 -: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} - hxxp://static.35mb.com/applet/applet_o.cab
C:\WINDOWS\Downloaded Program Files\applet.INF
C:\WINDOWS\SYSTEM32\MSInet.ocx
C:\WINDOWS\system32\MSSTKPRP.DLL
C:\WINDOWS\system32\msvbvm60.dll
C:\WINDOWS\system32\OLEAUT32.DLL
C:\WINDOWS\system32\OLEPRO32.DLL
C:\WINDOWS\system32\ASYCFILT.DLL
C:\WINDOWS\system32\STDOLE2.TLB
C:\WINDOWS\system32\COMCAT.DLL
C:\WINDOWS\Downloaded Program Files\applet.ocx
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 19:05:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2008-07-28 19:13:05 - machine was rebooted [Kel]
ComboFix-quarantined-files.txt 2008-07-28 23:12:41
Pre-Run: 4,058,005,504 bytes free
Post-Run: 4,150,808,576 bytes free
258 --- E O F --- 2008-07-10 02:25:05
hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:17 PM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1139686249\ee\AOLSoftware.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {cfcf5117-c45b-5378-c854-01e97004dd35} - {53dd4007-9e10-458c-8735-b54c7115fcfc} - C:\WINDOWS\system32\grzmsq.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139686249\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [8c5bd2a2] rundll32.exe "C:\WINDOWS\system32\jcyfuypu.dll",b
O4 - HKLM\..\Run: [BM8f68e13e] Rundll32.exe "C:\WINDOWS\system32\tpmhokox.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Kel\Local Settings\Temp\{0EB6FF53-8AE8-4A4C-A157-27F0368B225D}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Risk/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gamesville.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Risk/Images/armhelper.ocx
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} - http://static.35mb.com/applet/applet_o.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe (file missing)
--
End of file - 8845 bytes
shelf life
2008-07-29, 03:38
hi,
ok thanks for the info. you have quite a load. ok we will use combofix again:
Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:
File::
C:\WINDOWS\SYSTEM32\upyufycj.ini
C:\WINDOWS\SYSTEM32\jcyfuypu.dll
C:\WINDOWS\SYSTEM32\vkfwpwge.dll
C:\WINDOWS\SYSTEM32\grzmsq.dll
C:\WINDOWS\SYSTEM32\tpmhokox.dll
C:\WINDOWS\SYSTEM32\jfjthebg.dll
C:\WINDOWS\SYSTEM32\omycbutn.dll
C:\WINDOWS\SYSTEM32\ibxkzz.dl
C:\WINDOWS\SYSTEM32\jsymkfol.dll
C:\WINDOWS\SYSTEM32\zovsgy.dll
C:\WINDOWS\SYSTEM32\tcobkauo.dll
C:\WINDOWS\SYSTEM32\fvajqmnt.dll
C:\WINDOWS\SYSTEM32\wwmakw.dll
C:\WINDOWS\SYSTEM32\vqiiqehb.dll
C:\WINDOWS\SYSTEM32\gjmqwbcw.dll
C:\WINDOWS\SYSTEM32\rlryds.dll
C:\WINDOWS\SYSTEM32\dkjdwham.dll
C:\WINDOWS\mozver.dat
C:\WINDOWS\SYSTEM32\jwvvvmpt.tmp
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\task32.exe
C:\WINDOWS\4173.bat
C:\WINDOWS\SYSTEM32\aumsDK18\aumsDK182328.exe
C:\WINDOWS\SYSTEM32\aumsDK06\aumsDK061083.exe
Folder::
C:\WINDOWS\SYSTEM32\aumsDK18
C:\WINDOWS\SYSTEM32\dv32
C:\WINDOWS\SYSTEM32\vdll
C:\WINDOWS\SYSTEM32\bin1
C:\TEMP\zpv201
C:\WINDOWS\SYSTEM32\BDE
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"8c5bd2a2"="-
"BM8f68e13e"="-
Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log and a new hjt log.
--------------------------------------------------------
we will get another download to use also. malwarebytes. link and directions:
Please download Malwarebytes' Anti-Malware to your desktop:
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
after the above please post the new combofix log, the malwarebytes log and last: rescan and post a new hjt log.
combofix:
ComboFix 08-07-28.4 - Kel 2008-07-28 21:07:46.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.160 [GMT -4:00]
Running from: C:\Documents and Settings\Kel\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kel\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\4173.bat
C:\WINDOWS\mozver.dat
C:\WINDOWS\SYSTEM32\aumsDK06\aumsDK061083.exe
C:\WINDOWS\SYSTEM32\aumsDK18\aumsDK182328.exe
C:\WINDOWS\SYSTEM32\dkjdwham.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\SYSTEM32\fvajqmnt.dll
C:\WINDOWS\SYSTEM32\gjmqwbcw.dll
C:\WINDOWS\SYSTEM32\grzmsq.dll
C:\WINDOWS\SYSTEM32\ibxkzz.dl
C:\WINDOWS\SYSTEM32\jcyfuypu.dll
C:\WINDOWS\SYSTEM32\jfjthebg.dll
C:\WINDOWS\SYSTEM32\jsymkfol.dll
C:\WINDOWS\SYSTEM32\jwvvvmpt.tmp
C:\WINDOWS\SYSTEM32\omycbutn.dll
C:\WINDOWS\SYSTEM32\rlryds.dll
C:\WINDOWS\SYSTEM32\tcobkauo.dll
C:\WINDOWS\SYSTEM32\tpmhokox.dll
C:\WINDOWS\SYSTEM32\upyufycj.ini
C:\WINDOWS\SYSTEM32\vkfwpwge.dll
C:\WINDOWS\SYSTEM32\vqiiqehb.dll
C:\WINDOWS\SYSTEM32\wwmakw.dll
C:\WINDOWS\SYSTEM32\zovsgy.dll
C:\WINDOWS\task32.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\TEMP\zpv201
C:\TEMP\zpv201\chckNB2.log
C:\WINDOWS\4173.bat
C:\WINDOWS\mozver.dat
C:\WINDOWS\SYSTEM32\aumsDK06\aumsDK061083.exe
C:\WINDOWS\SYSTEM32\aumsDK18
C:\WINDOWS\SYSTEM32\aumsDK18\aumsDK182328.exe
C:\WINDOWS\SYSTEM32\BDE
C:\WINDOWS\SYSTEM32\bin1
C:\WINDOWS\SYSTEM32\bin1\tocoDB3.exe
C:\WINDOWS\SYSTEM32\dkjdwham.dll
C:\WINDOWS\SYSTEM32\dv32
C:\WINDOWS\SYSTEM32\dv32\LKremp43.exe
C:\WINDOWS\SYSTEM32\fvajqmnt.dll
C:\WINDOWS\SYSTEM32\gjmqwbcw.dll
C:\WINDOWS\SYSTEM32\grzmsq.dll
C:\WINDOWS\SYSTEM32\jcyfuypu.dll
C:\WINDOWS\SYSTEM32\jfjthebg.dll
C:\WINDOWS\SYSTEM32\jsymkfol.dll
C:\WINDOWS\SYSTEM32\jwvvvmpt.tmp
C:\WINDOWS\SYSTEM32\omycbutn.dll
C:\WINDOWS\SYSTEM32\rlryds.dll
C:\WINDOWS\SYSTEM32\tcobkauo.dll
C:\WINDOWS\SYSTEM32\upyufycj.ini
C:\WINDOWS\SYSTEM32\vdll
C:\WINDOWS\SYSTEM32\vdll\shotrem3.exe
C:\WINDOWS\SYSTEM32\vkfwpwge.dll
C:\WINDOWS\SYSTEM32\vqiiqehb.dll
C:\WINDOWS\SYSTEM32\wwmakw.dll
C:\WINDOWS\SYSTEM32\zovsgy.dll
C:\WINDOWS\task32.exe
.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-29 )))))))))))))))))))))))))))))))
.
2008-07-28 21:04 . 2008-07-28 21:04 <DIR> d-------- C:\Documents and Settings\Kel\Application Data\Malwarebytes
2008-07-28 21:03 . 2008-07-28 21:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-28 21:03 . 2008-07-28 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-28 21:03 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-07-28 21:03 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-07-28 18:30 . 2008-07-28 18:31 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-28 18:26 . 2008-07-28 00:39 <DIR> d-------- C:\SDFix
2008-07-28 18:10 . 2008-07-28 18:10 91,648 --------- C:\WINDOWS\SYSTEM32\tpmhokox.dll_old
2008-07-27 22:58 . 2008-07-27 22:58 105,472 --a------ C:\WINDOWS\SYSTEM32\ibxkzz.dll
2008-07-27 01:06 . 2008-07-27 01:06 <DIR> d-------- C:\SIMEARTH
2008-07-19 17:50 . 2008-07-19 17:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-19 17:50 . 2008-07-19 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-19 10:50 . 2008-07-19 10:50 <DIR> d-------- C:\Program Files\Windows Defender
2008-07-19 03:01 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-07-19 02:58 . 2008-07-19 02:58 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-19 02:21 . 2008-07-19 19:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-19 01:59 . 2008-07-19 01:59 73 --a------ C:\WINDOWS\st_affiliate.ini
2008-07-18 23:53 . 2008-07-18 23:53 230 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.inf
2008-07-18 03:14 . 2008-07-18 03:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-18 01:25 . 2008-07-28 19:26 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-18 01:22 . 2008-07-28 17:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-07-18 01:22 . 2008-07-18 21:37 <DIR> d-------- C:\Documents and Settings\Kel\Application Data\AVGTOOLBAR
2008-07-18 01:22 . 2008-07-18 01:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-18 01:22 . 2008-07-18 01:22 96,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-07-18 01:22 . 2008-07-18 01:22 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-07-17 19:58 . 2008-07-20 17:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\6148
2008-07-17 19:00 . 2008-07-17 19:00 <DIR> d--hs---- C:\Documents and Settings\LocalService\UserData
2008-07-17 18:59 . 2008-07-28 21:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\aumsDK06
2008-07-17 18:58 . 2008-07-17 18:58 73 --a------ C:\WINDOWS\3586.bat
2008-07-17 16:36 . 2008-07-17 16:36 268 --ah----- C:\sqmdata00.sqm
2008-07-17 16:36 . 2008-07-17 16:36 244 --ah----- C:\sqmnoopt00.sqm
2008-07-17 13:07 . 2008-07-28 20:30 111,548 --a------ C:\WINDOWS\BM8f68e13e.xml
2008-07-15 16:17 . 2008-07-15 16:17 <DIR> d-------- C:\Program Files\AVG
2008-07-14 01:53 . 2008-07-14 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FunGames
2008-07-12 23:51 . 2008-07-12 23:51 <DIR> d-------- C:\Program Files\MSN Messenger
2008-07-03 11:28 . 2008-06-13 09:10 272,128 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2008-07-03 11:28 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-29 00:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2008-07-27 05:13 --------- d-----w C:\Program Files\Trend Micro
2008-07-19 21:56 --------- d-----w C:\Program Files\Lavasoft
2008-07-19 07:01 --------- d-----w C:\Program Files\Java
2008-07-19 04:00 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-18 23:27 --------- d-----w C:\Program Files\Google
2008-07-18 17:53 --------- d-----w C:\Program Files\D&E Jazzd Self-Repair Technician
2008-07-18 07:15 --------- d-----w C:\Documents and Settings\Kel\Application Data\Lavasoft
2008-07-18 05:48 --------- d-----w C:\Program Files\Freeciv-2.1.4-gtk2
2008-07-18 05:47 --------- d-----w C:\Program Files\AntWar_at
2008-07-15 20:33 --------- d-----w C:\Program Files\Viewpoint
2008-07-15 20:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-13 06:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-26 06:57 --------- d-----w C:\Program Files\EACOM
2008-06-26 06:55 --------- d-----w C:\Program Files\EA SPORTS
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
.
((((((((((((((((((((((((((((( snapshot@2008-07-28_19.11.45.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-09-14 08:39:49 1,022,976 ----a-w C:\WINDOWS\SYSTEM32\browseui.dll
+ 2008-04-21 07:03:56 1,023,488 ----a-w C:\WINDOWS\SYSTEM32\browseui.dll
- 2006-09-14 08:39:49 151,040 ----a-w C:\WINDOWS\SYSTEM32\cdfview.dll
+ 2008-04-21 07:03:56 151,040 ----a-w C:\WINDOWS\SYSTEM32\cdfview.dll
- 2006-09-14 08:39:50 1,054,208 ----a-w C:\WINDOWS\SYSTEM32\danim.dll
+ 2008-04-21 07:03:57 1,054,208 ----a-w C:\WINDOWS\SYSTEM32\danim.dll
- 2006-09-14 08:39:49 1,022,976 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
+ 2008-04-21 07:03:56 1,023,488 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
- 2006-09-14 08:39:49 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
+ 2008-04-21 07:03:56 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
- 2006-09-14 08:39:50 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
+ 2008-04-21 07:03:57 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
- 2006-09-14 08:39:50 357,888 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
+ 2008-04-21 07:03:57 357,888 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
- 2006-09-14 08:39:50 205,312 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
+ 2008-04-21 07:03:57 205,312 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
- 2006-09-14 08:39:50 55,808 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
+ 2008-04-21 07:03:57 55,808 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
- 2006-09-13 08:52:55 18,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
+ 2008-04-17 10:52:54 18,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
- 2006-09-14 08:39:50 251,392 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
+ 2008-04-21 07:03:58 251,392 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
- 2006-09-14 08:39:50 96,256 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
+ 2008-04-21 07:03:58 96,256 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
- 2006-09-14 08:39:50 16,384 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2008-04-21 07:03:58 16,384 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
- 2006-09-14 08:39:52 3,054,592 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
+ 2008-04-21 07:03:59 3,059,712 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
- 2006-09-14 08:39:53 448,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
+ 2008-04-21 07:03:59 449,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
- 2006-09-14 08:39:53 146,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
+ 2008-04-21 07:03:59 146,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
- 2006-09-14 08:39:53 532,480 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
+ 2008-04-21 07:03:59 532,480 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
- 2006-09-14 08:39:53 39,424 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
+ 2008-04-21 07:03:59 39,424 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
- 2006-09-04 06:08:01 1,494,016 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
+ 2008-04-21 07:04:00 1,494,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
- 2006-09-14 08:39:54 474,112 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
+ 2008-04-21 07:04:00 474,112 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
- 2006-09-14 08:39:55 613,888 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
+ 2008-04-21 07:04:00 615,936 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
- 2006-09-14 08:39:55 658,944 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
+ 2008-04-21 07:04:00 659,456 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
- 2006-09-14 08:39:50 357,888 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
+ 2008-04-21 07:03:57 357,888 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
- 2006-09-14 08:39:50 205,312 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
+ 2008-04-21 07:03:57 205,312 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
- 2006-09-14 08:39:50 55,808 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
+ 2008-04-21 07:03:57 55,808 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
- 2006-09-14 08:39:50 251,392 ----a-w C:\WINDOWS\SYSTEM32\iepeers.dll
+ 2008-04-21 07:03:58 251,392 ----a-w C:\WINDOWS\SYSTEM32\iepeers.dll
- 2006-09-14 08:39:50 96,256 ----a-w C:\WINDOWS\SYSTEM32\inseng.dll
+ 2008-04-21 07:03:58 96,256 ----a-w C:\WINDOWS\SYSTEM32\inseng.dll
- 2006-09-14 08:39:50 16,384 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
+ 2008-04-21 07:03:58 16,384 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
- 2006-09-14 08:39:52 3,054,592 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
+ 2008-04-21 07:03:59 3,059,712 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
- 2006-09-14 08:39:53 448,512 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
+ 2008-04-21 07:03:59 449,024 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
- 2006-09-14 08:39:53 146,432 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
+ 2008-04-21 07:03:59 146,432 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
- 2006-09-14 08:39:53 532,480 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
+ 2008-04-21 07:03:59 532,480 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
- 2006-09-14 08:39:53 39,424 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
+ 2008-04-21 07:03:59 39,424 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
- 2006-09-04 06:08:01 1,494,016 ----a-w C:\WINDOWS\SYSTEM32\shdocvw.dll
+ 2008-04-21 07:04:00 1,494,528 ----a-w C:\WINDOWS\SYSTEM32\shdocvw.dll
- 2006-09-14 08:39:54 474,112 ----a-w C:\WINDOWS\SYSTEM32\shlwapi.dll
+ 2008-04-21 07:04:00 474,112 ----a-w C:\WINDOWS\SYSTEM32\shlwapi.dll
- 2006-09-14 08:39:55 613,888 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
+ 2008-04-21 07:04:00 615,936 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
- 2006-09-14 08:39:55 658,944 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
+ 2008-04-21 07:04:00 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
- 2007-10-29 10:04:03 350,720 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll
+ 2008-04-17 10:37:04 351,744 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB2362"="command" [X]
"SpybotDeletingD3734"="del" [X]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01 110592]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-03-22 11:48 26112]
"HostManager"="C:\Program Files\Common Files\AOL\1139686249\ee\AOLSoftware.exe" [2006-05-09 20:24 50760]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50 114688]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-10-31 11:05 278528]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-10-31 11:18 101888]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-18 01:22 1232152]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 07:00 53760 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48 176128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1139686249\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1139686249\\ee\\aim6.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-18 01:22]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-18 01:22]
S2 PlugPlayRPC;Plug and Play (RPC);C:\WINDOWS\portsv.exe service []
S3 adxapie;adxapie;C:\DOCUME~1\Kel\LOCALS~1\Temp\adxapie.sys []
.
Contents of the 'Scheduled Tasks' folder
2008-07-29 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-8c5bd2a2 - C:\WINDOWS\system32\jcyfuypu.dll
HKLM-Run-BM8f68e13e - C:\WINDOWS\system32\tpmhokox.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 21:10:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-28 21:12:28
ComboFix-quarantined-files.txt 2008-07-29 01:12:09
ComboFix2.txt 2008-07-28 23:13:06
Pre-Run: 4,033,568,768 bytes free
Post-Run: 4,007,632,896 bytes free
289 --- E O F --- 2008-07-29 00:11:19
malwarebytes:
Malwarebytes' Anti-Malware 1.23
Database version: 1004
Windows 5.1.2600 Service Pack 2
9:55:35 PM 7/28/2008
mbam-log-7-28-2008 (21-55-35).txt
Scan type: Full Scan (C:\|)
Objects scanned: 85876
Time elapsed: 37 minute(s), 46 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\ppo.ob (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ppo.ob.1 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{587097ab-a686-4c3b-83a7-2b8e2d47868e} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{5f2b8ee3-5b51-4424-a4bd-6c0595c40007} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlayRPC (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\xflock (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\444.470.vir (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fdecbbabbfb.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bin1\tocoDB3.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vdll\shotrem3.exe.vir (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1162\A0142618.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1165\A0142852.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1165\A0142854.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\BM8f68e13e.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM8f68e13e.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:53 PM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1139686249\ee\AOLSoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139686249\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Kel\Local Settings\Temp\{0EB6FF53-8AE8-4A4C-A157-27F0368B225D}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Risk/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gamesville.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Risk/Images/armhelper.ocx
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} - http://static.35mb.com/applet/applet_o.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
--
End of file - 8183 bytes
shelf life
2008-07-30, 01:23
hi,
ok good thanks for the info. we will use combofix again. i left the extra l off by mistake. (ibxkzz.dl)
just like last time:
Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:
File::
C:\WINDOWS\SYSTEM32\ibxkzz.dll
Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
rerun spybot now and see how it all looks on your end.
spybot ran through completely clear, thank you SO much. below is the final combofix log.
ComboFix 08-07-28.4 - Kel 2008-07-29 21:57:22.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.233 [GMT -4:00]
Running from: C:\Documents and Settings\Kel\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kel\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\SYSTEM32\ibxkzz.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Kel\Application Data\macromedia\Flash Player\#SharedObjects\SGS9XX6H\interclick.com
C:\Documents and Settings\Kel\Application Data\macromedia\Flash Player\#SharedObjects\SGS9XX6H\interclick.com\ud.sol
C:\Documents and Settings\Kel\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Kel\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\SYSTEM32\ibxkzz.dll
.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 )))))))))))))))))))))))))))))))
.
2008-07-29 16:48 . 2008-07-29 16:49 30 --a------ C:\WINDOWS\Gnucleus.INI
2008-07-29 16:44 . 2008-07-29 16:45 <DIR> d-------- C:\Documents and Settings\Kel\Application Data\Cabos
2008-07-29 16:31 . 2008-07-29 16:31 <DIR> d-------- C:\Program Files\Pidgin
2008-07-29 16:31 . 2008-07-29 16:49 <DIR> d-------- C:\Program Files\Common Files\GTK
2008-07-29 16:31 . 2008-07-29 16:34 <DIR> d-------- C:\Documents and Settings\Kel\Application Data\.purple
2008-07-29 16:17 . 2008-07-29 16:17 <DIR> d-------- C:\Program Files\Kazaa
2008-07-28 21:04 . 2008-07-28 21:04 <DIR> d-------- C:\Documents and Settings\Kel\Application Data\Malwarebytes
2008-07-28 21:03 . 2008-07-28 21:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-28 21:03 . 2008-07-28 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-28 21:03 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-07-28 21:03 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-07-28 18:30 . 2008-07-28 18:31 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-28 18:26 . 2008-07-28 00:39 <DIR> d-------- C:\SDFix
2008-07-27 01:06 . 2008-07-27 01:06 <DIR> d-------- C:\SIMEARTH
2008-07-19 17:50 . 2008-07-19 17:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-19 17:50 . 2008-07-19 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-19 10:50 . 2008-07-19 10:50 <DIR> d-------- C:\Program Files\Windows Defender
2008-07-19 03:01 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-07-19 02:58 . 2008-07-19 02:58 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-19 02:21 . 2008-07-19 19:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-19 01:59 . 2008-07-19 01:59 73 --a------ C:\WINDOWS\st_affiliate.ini
2008-07-18 23:53 . 2008-07-18 23:53 230 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.inf
2008-07-18 03:14 . 2008-07-18 03:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-18 01:25 . 2008-07-28 19:26 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-18 01:22 . 2008-07-29 06:01 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-07-18 01:22 . 2008-07-18 21:37 <DIR> d-------- C:\Documents and Settings\Kel\Application Data\AVGTOOLBAR
2008-07-18 01:22 . 2008-07-18 01:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-18 01:22 . 2008-07-18 01:22 96,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-07-18 01:22 . 2008-07-18 01:22 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-07-17 19:58 . 2008-07-20 17:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\6148
2008-07-17 19:00 . 2008-07-17 19:00 <DIR> d--hs---- C:\Documents and Settings\LocalService\UserData
2008-07-17 18:59 . 2008-07-28 21:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\aumsDK06
2008-07-17 18:58 . 2008-07-17 18:58 73 --a------ C:\WINDOWS\3586.bat
2008-07-17 16:36 . 2008-07-17 16:36 268 --ah----- C:\sqmdata00.sqm
2008-07-17 16:36 . 2008-07-17 16:36 244 --ah----- C:\sqmnoopt00.sqm
2008-07-15 16:17 . 2008-07-15 16:17 <DIR> d-------- C:\Program Files\AVG
2008-07-14 01:53 . 2008-07-14 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FunGames
2008-07-12 23:51 . 2008-07-12 23:51 <DIR> d-------- C:\Program Files\MSN Messenger
2008-07-03 11:28 . 2008-06-13 09:10 272,128 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2008-07-03 11:28 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-26 02:57 . 2008-06-26 02:57 573 --a------ C:\WINDOWS\eReg.dat
2008-06-26 02:56 . 2008-06-26 02:57 <DIR> d-------- C:\Program Files\EACOM
2008-06-26 02:55 . 2008-06-26 02:55 <DIR> d-------- C:\Program Files\EA SPORTS
2008-06-20 06:44 . 2008-06-20 06:44 138,368 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-30 01:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2008-07-29 19:25 --------- d-----w C:\Program Files\LimeWire
2008-07-27 05:13 --------- d-----w C:\Program Files\Trend Micro
2008-07-19 21:56 --------- d-----w C:\Program Files\Lavasoft
2008-07-19 07:01 --------- d-----w C:\Program Files\Java
2008-07-19 04:00 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-18 23:27 --------- d-----w C:\Program Files\Google
2008-07-18 17:53 --------- d-----w C:\Program Files\D&E Jazzd Self-Repair Technician
2008-07-18 07:15 --------- d-----w C:\Documents and Settings\Kel\Application Data\Lavasoft
2008-07-18 05:48 --------- d-----w C:\Program Files\Freeciv-2.1.4-gtk2
2008-07-18 05:47 --------- d-----w C:\Program Files\AntWar_at
2008-07-15 20:33 --------- d-----w C:\Program Files\Viewpoint
2008-07-15 20:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-13 06:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-04-23 04:16 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2008-04-23 04:16 6,066,176 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2008-04-23 04:16 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2008-04-23 04:16 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2008-04-23 04:16 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2008-04-23 04:16 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2008-04-21 07:04 615,936 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2008-04-21 07:04 474,112 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2008-04-21 07:04 1,494,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2008-04-17 20:22 208,896 ----a-w C:\WINDOWS\SYSTEM32\ConTest.dll
2008-04-17 10:52 18,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01 110592]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-03-22 11:48 26112]
"HostManager"="C:\Program Files\Common Files\AOL\1139686249\ee\AOLSoftware.exe" [2006-05-09 20:24 50760]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50 114688]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-10-31 11:05 278528]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-10-31 11:18 101888]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-18 01:22 1232152]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 07:00 53760 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48 176128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1139686249\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1139686249\\ee\\aim6.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\WINDOWS\\SYSTEM32\\java.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-18 01:22]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-18 01:22]
S3 adxapie;adxapie;C:\DOCUME~1\Kel\LOCALS~1\Temp\adxapie.sys []
.
Contents of the 'Scheduled Tasks' folder
2008-07-29 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 22:00:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-29 22:02:15
ComboFix-quarantined-files.txt 2008-07-30 02:01:51
ComboFix2.txt 2008-07-29 01:12:30
ComboFix3.txt 2008-07-28 23:13:06
Pre-Run: 3,836,891,136 bytes free
Post-Run: 3,817,181,184 bytes free
173 --- E O F --- 2008-07-29 00:11:19
shelf life
2008-07-31, 01:12
hi,
ok looking good. can you post one more hjt log and i think we can finish it up.
hows it all looking on your end now?
everything has been running great, no sign of trouble. thanks again!!! here is the HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:19 PM, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1139686249\ee\AOLSoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139686249\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Kel\Local Settings\Temp\{0EB6FF53-8AE8-4A4C-A157-27F0368B225D}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Risk/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gamesville.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Risk/Images/armhelper.ocx
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} - http://static.35mb.com/applet/applet_o.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
--
End of file - 8165 bytes
shelf life
2008-07-31, 23:21
hi,
ok good.
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"
R3 - URLSearchHook: (no name) - - (no file)
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Kel\Local Settings\Temp\{0EB6FF53-8AE8-4A4C-A157-27F0368B225D}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolb...lerControl.cab
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} - http://static.35mb.com/applet/applet_o.cab
you can also select this item if you or some software didnt put the policy in place:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
---------------------------------------------------
to remove the tools we used we will get OTMoveIt2 which will do it for you:
Please download the OTMoveIt2 by OldTimer.
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
* Save it to your desktop.
* Please double-click OTMoveIt2.exe to run it.
from the window select the green CleanUp! button and follow the prompts.
two things left to do: java version and system restore points:
java:
Vulnerabilities and possible exploits in versions of Sun Java may be responsible for some malware installs via your browser.
It is important to keep Sun Java up to date and also to remove older versions which may have vulnerabilites and possible exploits that can be taken advantage of to possibly introduce malware via your browser.
* 1. Uninstall old versions of Sun Java via Add/Remove Programs.
* 2. Click the Remove or Change/Remove button
* 3. Reboot your PC if prompted.
to check if you have the latest version of Java and to download the latest version:
http://www.java.com/en/download/installed.jsp
system restore;
One of the features of Windows ME,XP and Vista is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore. (deletes old possibly infected restore points)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.(create new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot
happy safe surfing. some info for you:
My Top Ten
The Short Version:
1) Keep your OS, (Windows) browser (IE, FireFox) and software up to date.
2) Know what you are installing to your computer. A lot of software can come with unwanted add-ons. Do you trust the source?
3) Install, keep updated: antivirus and two anti-malware applications.
4)Dont click on links or install files you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting the message. Do you trust the source?
5) Dont click on adds/pop ups or offers from websites to install software.
6) Dont click on offers to "scan" your computer.
7) Set up and use limited accounts rather than administrator accounts.
8) Consider using an alternate browser and E-mail client.
9) Install and understand the limitations of a third party software firewall.
10) If your habits include visiting or installing files from: warez, cracks etc or p2p networks you are much more likely to encounter malicious code. Do you trust the source?
longer version in link below
thanks again for all the help, great advice at the end as well. i wish you could have told my old roommate those tips.
shelf life
2008-08-02, 04:11
ok, your welcome. happy safe surfing out there.