Glitch000
2008-09-12, 06:28
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:25 PM, on 9/11/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Components\Encoder\Wmencagt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Paul\Desktop\Cleaner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {696201FB-39A5-4903-8F74-9FFCF8811C24} - C:\WINNT\system32\iifcBrrQ.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll (file missing)
O2 - BHO: (no name) - {C092F94D-D786-4C6F-B7B7-E909AC86864A} - C:\WINNT\system32\khfEXonN.dll
O2 - BHO: {05dc88e9-95d2-028a-a374-d80dd3f6a2ed} - {de2a6f3d-d08d-473a-a820-2d599e88cd50} - C:\WINNT\system32\mamkkj.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINNT\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [603c3f3d] rundll32.exe "C:\WINNT\system32\mupxwwus.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - .DEFAULT Startup: firefox.exe (User 'Default user')
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\Wmencagt.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5023/mcfscan.cab
O20 - AppInit_DLLs: yuagqb.dll weojxz.dll mamkkj.dll
O20 - Winlogon Notify: iifcBrrQ - C:\WINNT\SYSTEM32\iifcBrrQ.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
--
End of file - 7221 bytes
pskelley
2008-09-14, 03:33
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions; anything else will slow the process and waste both our time. I suggest you keep this computer offline except when troubleshooting, as the junk may download more. If you have any tool I use, delete it and download it again from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
It is a Vundo infection and I don't know how well combofix runs on your Operating System, but I guess if you still need help, we will find out.
1) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Post the combofix log and a new HJT log. <<< follow the instructions in #2 to safely locate HJT.
2) Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Double-click the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.
Thanks
Glitch000
2008-09-15, 05:53
ComboFix 08-09-13.05 - Paul 09/14/2008 20:57:45.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.21 [GMT -6:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Ben\Cookies\ben@trafficmp[1].txt
C:\Documents and Settings\Doris\Local Settings\Temporary Internet Files\ENCounterSpyConsumer.2.5.1040.0.exe
C:\Documents and Settings\Paul\Cookies\paul@advertising[10].txt
C:\Documents and Settings\Paul\Cookies\paul@ehg-reed.hitbox[2].txt
C:\Documents and Settings\Paul\Cookies\paul@insightexpressai[3].txt
C:\WINNT\BM630f0ca1.txt
C:\WINNT\BM630f0ca1.xml
C:\WINNT\system32\abtckojr.dll
C:\WINNT\system32\aqbdryrj.dll
C:\WINNT\system32\arqnvmfs.dll
C:\WINNT\system32\asrkxanx.dll
C:\WINNT\system32\beuyip.dll
C:\WINNT\system32\bieevbfw.dll
C:\WINNT\system32\blubdovo.dll
C:\WINNT\system32\brtsered.ini
C:\WINNT\system32\ctziks.dll
C:\WINNT\system32\dao350.dll
C:\WINNT\system32\dobfkkmg.ini
C:\WINNT\system32\dqkdrysl.dll
C:\WINNT\system32\eporfhbv.dll
C:\WINNT\system32\eqjwxb.dll
C:\WINNT\system32\ffnlwomi.ini
C:\WINNT\system32\fhdajfox.dll
C:\WINNT\system32\fidwidlm.ini
C:\WINNT\system32\gjnymgio.dll
C:\WINNT\system32\gjyucihu.dll
C:\WINNT\system32\gngiafbe.ini
C:\WINNT\system32\gofdsltk.dll
C:\WINNT\system32\hdqawvbo.dll
C:\WINNT\system32\hihnasps.dll
C:\WINNT\system32\hpgkej.dll
C:\WINNT\system32\hpzpzn.dll
C:\WINNT\system32\hyrxcnpx.ini
C:\WINNT\system32\ibfhqk.dll
C:\WINNT\system32\idooipep.ini
C:\WINNT\system32\iifcBrrQ.dll
C:\WINNT\system32\iudnnkwl.dll
C:\WINNT\system32\jnkswstl.dll
C:\WINNT\system32\kdouddpo.ini
C:\WINNT\system32\kelpvd.dll
C:\WINNT\system32\khfEXonN.dll
C:\WINNT\system32\klltaryu.dll
C:\WINNT\system32\kmxayz.dll
C:\WINNT\system32\kyjieiro.ini
C:\WINNT\system32\ljpagv.dll
C:\WINNT\system32\lmgeax.dll
C:\WINNT\system32\MabryObj.dll
C:\WINNT\system32\mamkkj.dll
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\mogxgrpu.dll
C:\WINNT\system32\MSINET.oca
C:\WINNT\system32\nbwlybao.ini
C:\WINNT\system32\nnnliGvW.dll
C:\WINNT\system32\NnoXEfhk.ini
C:\WINNT\system32\NnoXEfhk.ini2
C:\WINNT\system32\nxpexaxd.dll
C:\WINNT\system32\okudhaqg.ini
C:\WINNT\system32\orieijyk.dll
C:\WINNT\system32\pac.txt
C:\WINNT\system32\pdwkxded.dll
C:\WINNT\system32\pmpeggwh.ini
C:\WINNT\system32\qafvwsls.dll
C:\WINNT\system32\qyheogxi.ini
C:\WINNT\system32\rgqdfz.dll
C:\WINNT\system32\rldxdvqr.dll
C:\WINNT\system32\rniovdps.dll
C:\WINNT\system32\sfayjequ.ini
C:\WINNT\system32\shfdgqpk.dll
C:\WINNT\system32\slswvfaq.ini
C:\WINNT\system32\soxtqp.dll
C:\WINNT\system32\spdvoinr.ini
C:\WINNT\system32\suwwxpum.ini
C:\WINNT\system32\tdwmtckg.ini
C:\WINNT\system32\trwvscab.dll
C:\WINNT\system32\uprgxgom.ini
C:\WINNT\system32\vphnrues.ini
C:\WINNT\system32\vrakegqy.dll
C:\WINNT\system32\vwublr.dll
C:\WINNT\system32\weojxz.dll
C:\WINNT\system32\wfabdwpw.dll
C:\WINNT\system32\wfbveeib.ini
C:\WINNT\system32\wlqxjjgb.dll
C:\WINNT\system32\wvytojse.dll
C:\WINNT\system32\xgddhkqg.ini
C:\WINNT\system32\xjhdlu.dll
C:\WINNT\system32\xofjadhf.ini
C:\WINNT\system32\yenbunro.dll
C:\WINNT\system32\yhgzff.dll
C:\WINNT\system32\yjcvbtmd.dll
C:\WINNT\system32\ykpvql.dll
C:\WINNT\system32\yqnutemv.dll
C:\WINNT\system32\yuagqb.dll
C:\WINNT\system32\zgaqbq.dll
C:\WINNT\Web\default.htt
.
((((((((((((((((((((((((( Files Created from 2008-08-15 to 2008-09-15 )))))))))))))))))))))))))))))))
.
2008-09-12 06:19 . 08-09-14 16:43 465,692 ---h----- C:\WINNT\ShellIconCache
2008-09-07 15:48 . 08-09-07 15:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-06 20:33 . 08-05-18 03:30 <DIR> d-------- C:\Documents and Settings\Paul.WIZARD\Application Data\RegistrySmart
2008-09-06 20:33 . 08-09-06 20:33 <DIR> d-------- C:\Documents and Settings\Paul.WIZARD
2008-09-06 20:27 . 08-05-18 03:30 <DIR> d-------- C:\Documents and Settings\Doris.WIZARD\Application Data\RegistrySmart
2008-09-06 20:27 . 08-09-06 20:27 <DIR> d-------- C:\Documents and Settings\Doris.WIZARD
2008-09-04 14:42 . 08-09-04 14:42 <DIR> d-------- C:\Documents and Settings\Alex\dwhelper
2008-09-01 15:23 . 08-09-01 15:23 64,512 --a------ C:\WINNT\system32\gmkkfbod.dll
2008-08-28 16:15 . 08-09-03 21:47 <DIR> d-------- C:\Program Files\Avidemux 2.4
2008-08-26 20:56 . 08-08-26 20:56 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-08-26 11:17 . 08-08-26 11:17 <DIR> d-a------ C:\WINNT\system32\eMaxt02
2008-08-26 11:17 . 08-08-26 11:17 355 --a------ C:\755.bat
2008-08-26 11:16 . 08-08-26 11:16 <DIR> d-------- C:\temp\bbc2
2008-08-25 21:42 . 08-08-26 10:48 <DIR> d-------- C:\Program Files\LimeWire
2008-08-21 10:21 . 08-08-21 10:26 55 --a------ C:\Documents and Settings\Alex\Shutdown.bat
2008-08-20 23:02 . 08-08-20 23:04 <DIR> d-a------ C:\WINNT\system32\shutdown
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-14 11:03 --------- d---a-w C:\Program Files\Java
2008-09-14 04:21 --------- d-----w C:\Documents and Settings\Doris\Application Data\WeatherWatcher
2008-09-12 12:44 --------- d-----w C:\Documents and Settings\Alex\Application Data\LimeWire
2008-09-12 11:25 --------- d-----w C:\Program Files\McAfee
2008-09-07 21:48 --------- d-----w C:\Program Files\Lavasoft
2008-09-07 21:39 --------- d-----w C:\Program Files\Webshots
2008-09-06 04:06 --------- d-----w C:\Program Files\Sony Handheld
2008-09-04 03:47 --------- d-----w C:\Program Files\AviSynth 2.5
2008-08-28 03:37 --------- d-----w C:\Program Files\LEGO MINDSTORMS
2008-08-28 01:55 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-27 16:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-27 04:22 --------- d-----w C:\Program Files\Enigma Software Group
2008-08-27 03:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-24 22:38 --------- d-----w C:\Program Files\Microsoft Games
2008-08-06 03:44 --------- d-----w C:\Program Files\palmOne
2008-08-05 03:08 --------- d-----w C:\Program Files\Weather Watcher
2008-08-05 03:07 --------- d-----w C:\Documents and Settings\Paul\Application Data\WeatherWatcher
2008-07-27 16:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-20 20:38 --------- d-----w C:\Documents and Settings\Ben\Application Data\HotSync
2008-06-17 03:11 53,248 ----a-w C:\WINNT\PalmDevC.dll
2007-03-20 22:47 5,572,608 ----a-w C:\Program Files\Three Days Grace - Pain.mp3
2006-12-10 23:46 271 ---h--w C:\Program Files\desktop.ini
2006-12-10 23:46 21,952 ---h--w C:\Program Files\folder.htt
2002-07-26 23:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2001-05-08 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
1996-08-31 07:10 23,040 ----a-w C:\Documents and Settings\Alex\Shutgui.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-06-05 16:47 68856]
"WeatherWatcher"="C:\Program Files\Weather Watcher\ww.exe" [08-07-26 09:12 1077248]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [02-06-10 14:21 102400]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [04-04-23 11:00 192512]
"USB2Check"="C:\WINNT\system32\PCLECoInst.dll" [04-04-08 15:30 61440]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07-07-27 20:14 271672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [08-06-10 04:27 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [08-01-11 22:16 39792]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [07-11-01 19:12 582992]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [05-02-12 21:05 339968]
"Synchronization Manager"="mobsync.exe" [03-06-19 13:05 111376 C:\WINNT\system32\mobsync.exe]
C:\Documents and Settings\Alex\Start Menu\Programs\Startup\
firefox.exe [2008-07-15 7667312]
C:\Documents and Settings\Ben\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Sony Handheld\HOTSYNC.EXE [2008-03-26 299008]
C:\Documents and Settings\Doris\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2008-04-20 157008]
C:\Documents and Settings\Paul\Start Menu\Programs\Startup\
Encoder Agent.lnk - C:\Program Files\Windows Media Components\Encoder\Wmencagt.exe [2007-07-08 53248]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Sony Handheld\HOTSYNC.EXE [2008-03-26 299008]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=yuagqb.dll weojxz.dll yhgzff.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.I420"= vdrcodec.dll
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\khfEXonN
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WeatherWatcherLive"="C:\Program Files\Weather Watcher Live\ww.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"WUSB54Gv2"=C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
"SBCSTray"=C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
"HPDJ Taskbar Utility"=C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
R1 cmosa;cmosa;C:\WINNT\system32\drivers\cmosa.sys [00-05-08 20:50 29344]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 06:22 61712]
S1 lusbaudio;Logitech USB Microphone;C:\WINNT\system32\drivers\lvsound2.sys [02-06-10 14:20 34816]
S3 LTower;LEGO USB Tower Driver;C:\WINNT\system32\Drivers\LTower.sys [01-04-25 16:44 36981]
S3 QCEmerald;Logitech QuickCam Web(PID_0850);C:\WINNT\system32\DRIVERS\LVCE.sys [02-06-10 14:20 44544]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys [ ]
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
BHO-{62cbb23a-74a0-4861-add4-c6b976af18f1} - C:\WINNT\system32\yhgzff.dll
BHO-{696201FB-39A5-4903-8F74-9FFCF8811C24} - C:\WINNT\system32\iifcBrrQ.dll
BHO-{77D56AC4-2912-4168-B474-4B1EA90B9AA6} - C:\WINNT\system32\khfEXonN.dll
HKLM-Run-WinampAgent - C:\Program Files\Winamp\winampa.exe
HKLM-Run-603c3f3d - C:\WINNT\system32\bieevbfw.dll
HKLM-Run-BM630f0ca1 - C:\WINNT\system32\swewtpyf.dll
ShellExecuteHooks-{696201FB-39A5-4903-8F74-9FFCF8811C24} - C:\WINNT\system32\iifcBrrQ.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\gn29wvoh.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.drudgereport.com/
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-14 21:28:38
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINNT\explorer.exe
-> ?:\WINNT\system32\MSACM32.dll
.
Completion time: 2008-09-14 21:33:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-15 03:33:03
Pre-Run: 69,664,337,920 bytes free
Post-Run: 70,222,184,448 bytes free
243 --- E O F --- 2008-08-14 12:41:06
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:26 PM, on 9/14/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Windows Media Components\Encoder\Wmencagt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINNT\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - .DEFAULT Startup: firefox.exe (User 'Default user')
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\Wmencagt.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5023/mcfscan.cab
O20 - AppInit_DLLs: yuagqb.dll weojxz.dll yhgzff.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
--
End of file - 6971 bytes
pskelley
2008-09-15, 14:15
Thanks for returning your information. Please read and follow the directions carefully and in the numbered order.
C:\Program Files\LimeWire <<< please see the information here:
http://forums.spybot.info/showthread.php?t=282
Uninstall Limewire and any other p2p programs you have installed.
1) HJT is not in a safe location; it appears the directions were not followed. Follow these:
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Double-click the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log. <<< close HJT until you need it later.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
3) Open notepad and copy/paste the text in the codebox below into it:
File::
C:\WINNT\system32\gmkkfbod.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log. (Wait until you finish to post the logs.)
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
(this item is damaged, if you use it download it again once we finish)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll (file missing)
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
(next two are Alexa related and resource wasters, if you use Alexa you can leave them)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - AppInit_DLLs: yuagqb.dll weojxz.dll yhgzff.dll <<< may be gone
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.
Please report on the performance of the computer. Any more malware issues?
Thanks
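Steps 4 through 6 above boil down to reading a HijackThis log and deciding which entries to check. The following is an added example (not part of pskelley's post and not a HijackThis feature) that does that triage mechanically over the entries quoted in this thread: it flags orphaned registrations ("(no file)" / "(file missing)"), any O20 AppInit_DLLs entry, and DLLs whose bare-lowercase-letters filename matches the Vundo naming seen in the MBAM log later in this thread. The regular expressions, the `RANDOM_DLL` heuristic and the sample log assembled from this thread's lines are all assumptions of the example; the heuristic will also flag legitimate short lowercase DLL names, so treat "suspicious" as "look it up", not "delete".

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the entries quoted in the helper's post above, plus a few
# clean entries from the user's follow-up HijackThis log as controls.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - AppInit_DLLs: yuagqb.dll weojxz.dll yhgzff.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
"""

# R3/O2/O3/O9 items share the shape "Oxx - Kind: Name - {CLSID} - Path"
CLSID_ITEM = re.compile(
    r"^(?P<code>[RO]\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)
APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
# Heuristic (assumption): Vundo-style names in this thread are 6-8 bare lowercase
# letters followed by .dll. Legitimate DLLs can match too; it is a prompt, not proof.
RANDOM_DLL = re.compile(r"^[a-z]{6,8}\.dll$")

Finding = Tuple[str, str, str]  # (verdict, HJT code, original line)


def triage(log: str) -> List[Finding]:
    """Return the HJT lines worth attention with a verdict for each."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = APPINIT.match(line)
        if m:
            dlls = m.group("dlls").split()
            if dlls:
                # AppInit_DLLs is empty on a clean machine; anything listed is loaded
                # into every process that links user32.dll, so always review it.
                random_named = [d for d in dlls if RANDOM_DLL.match(d.lower())]
                findings.append(("suspicious" if random_named else "review", "O20", line))
            continue

        m = CLSID_ITEM.match(line)
        if not m:
            continue  # O4 Run keys, R0/R1 URLs etc. are not handled by this example
        path, name, code = m.group("path"), m.group("name"), m.group("code")
        basename = path.rsplit("\\", 1)[-1].lower()
        if path == "(no file)" or path.endswith("(file missing)"):
            # Dangling registration: harmless clutter, often the remnant of a removal,
            # and safe to "Fix Checked" in HijackThis.
            findings.append(("orphan", code, line))
        elif name == "(no name)" or RANDOM_DLL.match(basename):
            findings.append(("suspicious", code, line))
    return findings


def summarize(log: str) -> Dict[str, int]:
    """Count findings per verdict, e.g. {'orphan': 3, 'suspicious': 1}."""
    counts: Dict[str, int] = {}
    for verdict, _, _ in triage(log):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for verdict, code, line in triage(SAMPLE_LOG):
        print(f"[{verdict:10}] {line}")
    print(summarize(SAMPLE_LOG))
```

On the sample above the script reports the three orphaned entries the helper told the user to fix and the AppInit_DLLs line as suspicious, while the Java SSVHelper, Google Toolbar and Alexa O9 entries pass untouched; the O4 and R0 line types are deliberately out of scope here.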
Glitch000
2008-09-16, 13:51
pskelley,
The computer is performing well. I don't see any evidence of the previous problems. Thank you very much for your help.
ComboFix 08-09-13.05 - Paul 09/15/2008 20:46:35.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.46 [GMT -6:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Paul\Desktop\CFScript.txt
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINNT\system32\gmkkfbod.dll
.
((((((((((((((((((((((((( Files Created from 2008-08-16 to 2008-09-16 )))))))))))))))))))))))))))))))
.
2008-09-15 20:42 . 08-09-15 20:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-12 06:19 . 08-09-15 17:22 421,900 ---h----- C:\WINNT\ShellIconCache
2008-09-07 15:48 . 08-09-07 15:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-06 20:33 . 08-05-18 03:30 <DIR> d-------- C:\Documents and Settings\Paul.WIZARD\Application Data\RegistrySmart
2008-09-06 20:33 . 08-09-06 20:33 <DIR> d-------- C:\Documents and Settings\Paul.WIZARD
2008-09-06 20:27 . 08-05-18 03:30 <DIR> d-------- C:\Documents and Settings\Doris.WIZARD\Application Data\RegistrySmart
2008-09-06 20:27 . 08-09-06 20:27 <DIR> d-------- C:\Documents and Settings\Doris.WIZARD
2008-09-04 14:42 . 08-09-04 14:42 <DIR> d-------- C:\Documents and Settings\Alex\dwhelper
2008-08-28 16:15 . 08-09-03 21:47 <DIR> d-------- C:\Program Files\Avidemux 2.4
2008-08-26 20:56 . 08-08-26 20:56 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-08-26 11:17 . 08-08-26 11:17 <DIR> d-a------ C:\WINNT\system32\eMaxt02
2008-08-26 11:17 . 08-08-26 11:17 355 --a------ C:\755.bat
2008-08-26 11:16 . 08-08-26 11:16 <DIR> d-------- C:\temp\bbc2
2008-08-21 10:21 . 08-08-21 10:26 55 --a------ C:\Documents and Settings\Alex\Shutdown.bat
2008-08-20 23:02 . 08-08-20 23:04 <DIR> d-a------ C:\WINNT\system32\shutdown
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-15 03:33 --------- d-----w C:\Documents and Settings\Paul\Application Data\WeatherWatcher
2008-09-14 11:03 --------- d---a-w C:\Program Files\Java
2008-09-14 04:21 --------- d-----w C:\Documents and Settings\Doris\Application Data\WeatherWatcher
2008-09-12 12:44 --------- d-----w C:\Documents and Settings\Alex\Application Data\LimeWire
2008-09-12 11:25 --------- d-----w C:\Program Files\McAfee
2008-09-07 21:48 --------- d-----w C:\Program Files\Lavasoft
2008-09-07 21:39 --------- d-----w C:\Program Files\Webshots
2008-09-06 04:06 --------- d-----w C:\Program Files\Sony Handheld
2008-09-04 03:47 --------- d-----w C:\Program Files\AviSynth 2.5
2008-08-28 03:37 --------- d-----w C:\Program Files\LEGO MINDSTORMS
2008-08-28 01:55 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-27 16:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-27 04:22 --------- d-----w C:\Program Files\Enigma Software Group
2008-08-27 03:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-24 22:38 --------- d-----w C:\Program Files\Microsoft Games
2008-08-06 03:44 --------- d-----w C:\Program Files\palmOne
2008-08-05 03:08 --------- d-----w C:\Program Files\Weather Watcher
2008-07-27 16:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-20 20:38 --------- d-----w C:\Documents and Settings\Ben\Application Data\HotSync
2008-06-17 03:11 53,248 ----a-w C:\WINNT\PalmDevC.dll
2007-03-20 22:47 5,572,608 ----a-w C:\Program Files\Three Days Grace - Pain.mp3
2006-12-10 23:46 271 ---h--w C:\Program Files\desktop.ini
2006-12-10 23:46 21,952 ---h--w C:\Program Files\folder.htt
2002-07-26 23:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2001-05-08 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
1996-08-31 07:10 23,040 ----a-w C:\Documents and Settings\Alex\Shutgui.exe
.
((((((((((((((((((((((((((((( snapshot@Sun 2008-09-14_21.32.05.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-11 14:03:21 69,120 ----a-w C:\WINNT\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2008-09-15 09:03:27 69,120 ----a-w C:\WINNT\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2008-04-11 14:03:30 72,192 ----a-w C:\WINNT\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2008-09-15 09:03:34 72,192 ----a-w C:\WINNT\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2008-04-11 14:02:50 4,444,160 ----a-w C:\WINNT\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2008-09-15 09:03:13 4,444,160 ----a-w C:\WINNT\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2008-04-11 14:03:34 483,840 ----a-w C:\WINNT\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2008-09-15 09:03:27 483,840 ----a-w C:\WINNT\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2008-04-11 14:03:08 3,036,160 ----a-w C:\WINNT\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2008-09-15 09:03:18 3,036,160 ----a-w C:\WINNT\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2008-04-11 14:03:39 258,048 ----a-w C:\WINNT\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2008-09-15 09:03:37 258,048 ----a-w C:\WINNT\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2008-04-11 14:03:39 113,664 ----a-w C:\WINNT\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2008-09-15 09:03:37 113,664 ----a-w C:\WINNT\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2008-04-11 14:03:31 261,120 ----a-w C:\WINNT\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2008-09-15 09:03:34 261,120 ----a-w C:\WINNT\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2008-04-11 14:03:05 5,431,296 ----a-w C:\WINNT\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-09-15 09:03:21 5,431,296 ----a-w C:\WINNT\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2008-04-11 14:03:16 10,752 ----a-w C:\WINNT\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2008-09-15 09:03:26 10,752 ----a-w C:\WINNT\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2008-04-11 14:03:06 507,904 ----a-w C:\WINNT\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2008-09-15 09:03:20 507,904 ----a-w C:\WINNT\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2008-04-11 14:03:20 13,312 ----a-w C:\WINNT\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2008-09-15 09:03:27 13,312 ----a-w C:\WINNT\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2008-04-11 14:03:24 8,192 ----a-w C:\WINNT\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2008-09-15 09:03:30 8,192 ----a-w C:\WINNT\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2008-04-11 14:03:26 77,824 ----a-w C:\WINNT\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2008-09-15 09:03:31 77,824 ----a-w C:\WINNT\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2008-04-11 14:03:27 6,656 ----a-w C:\WINNT\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2008-09-15 09:03:32 6,656 ----a-w C:\WINNT\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2008-04-11 14:03:40 348,160 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2008-09-15 09:03:38 348,160 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2008-04-11 14:03:40 36,864 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2008-09-15 09:03:38 36,864 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2008-04-11 14:03:42 655,360 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2008-09-15 09:03:39 655,360 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2008-04-11 14:03:43 77,824 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2008-09-15 09:03:39 77,824 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2008-04-11 14:03:28 749,568 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2008-09-15 09:03:32 749,568 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2008-04-11 14:03:25 110,592 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2008-09-15 09:03:31 110,592 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2008-04-11 14:03:24 372,736 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2008-09-15 09:03:30 372,736 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2008-04-11 14:03:35 28,672 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2008-09-15 09:03:35 28,672 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2008-04-11 14:03:23 671,744 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2008-09-15 09:03:29 671,744 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2008-04-11 14:02:57 5,632 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2008-09-15 09:03:16 5,632 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2008-04-11 14:03:37 12,800 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2008-09-15 09:03:36 12,800 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2008-04-11 14:03:22 32,768 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2008-09-15 09:03:29 32,768 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2008-04-11 14:03:21 7,168 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2008-09-15 09:03:28 7,168 ----a-w C:\WINNT\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2008-04-11 14:03:29 110,592 ----a-w C:\WINNT\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2008-09-15 09:03:33 110,592 ----a-w C:\WINNT\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2008-04-11 14:03:30 81,920 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2008-09-15 09:03:33 81,920 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2008-04-11 14:03:07 425,984 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2008-09-15 09:03:17 425,984 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2008-04-11 14:03:09 741,376 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2008-09-15 09:03:19 741,376 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2008-04-11 14:03:10 933,888 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2008-09-15 09:03:17 933,888 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2008-04-11 14:03:46 5,070,848 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2008-09-15 09:03:41 5,070,848 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2008-04-11 14:03:41 188,416 ----a-w C:\WINNT\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2008-09-15 09:03:29 188,416 ----a-w C:\WINNT\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2008-04-11 14:03:17 401,408 ----a-w C:\WINNT\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2008-09-15 09:03:28 401,408 ----a-w C:\WINNT\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2008-04-11 14:03:36 81,920 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2008-09-15 09:03:42 81,920 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2008-04-11 14:02:58 630,784 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2008-09-15 09:03:22 630,784 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2008-04-11 14:03:38 372,736 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2008-09-15 09:03:37 372,736 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2008-04-11 14:03:36 258,048 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2008-09-15 09:03:36 258,048 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2008-04-11 14:03:33 299,008 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2008-09-15 09:03:35 299,008 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2008-04-11 14:03:32 131,072 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2008-09-15 09:03:35 131,072 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2008-04-11 14:02:59 258,048 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2008-09-15 09:03:22 258,048 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2008-04-11 14:03:00 114,688 ----a-w C:\WINNT\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2008-09-15 09:03:23 114,688 ----a-w C:\WINNT\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2008-04-11 14:03:14 884,736 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2008-09-15 09:03:25 884,736 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2008-04-11 14:03:15 90,112 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2008-09-15 09:03:26 90,112 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2008-04-11 14:03:13 839,680 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2008-09-15 09:03:24 839,680 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2008-04-11 14:03:19 5,013,504 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2008-09-15 09:03:43 5,013,504 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2008-04-11 14:03:03 2,068,480 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2008-09-15 09:03:24 2,068,480 ----a-w C:\WINNT\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2008-04-11 14:03:12 3,076,096 ----a-w C:\WINNT\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2008-09-15 09:03:11 3,076,096 ----a-w C:\WINNT\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2004-05-04 17:53:40 1,645,320 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\gdiplus.dll
+ 2008-04-15 16:54:20 1,724,416 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\gdiplus.dll
- 2005-09-23 13:28:44 1,638,400 ----a-w C:\WINNT\Microsoft.NET\Framework\v2.0.50727\gdiplus.dll
+ 2008-05-23 10:19:16 1,724,416 ----a-w C:\WINNT\Microsoft.NET\Framework\v2.0.50727\gdiplus.dll
- 2007-06-26 19:52:08 2,286,080 -c--a-w C:\WINNT\system32\dllcache\vgx.dll
+ 2008-04-29 16:22:46 2,290,688 -c--a-w C:\WINNT\system32\dllcache\VGX.DLL
- 2008-08-05 18:11:01 15,888,504 ----a-w C:\WINNT\system32\MRT.exe
+ 2008-08-26 20:28:12 16,208,504 ----a-w C:\WINNT\system32\MRT.exe
- 2007-07-31 00:19:10 271,224 ----a-w C:\WINNT\system32\mucltui.dll
+ 2008-07-19 04:07:34 270,880 ----a-w C:\WINNT\system32\mucltui.dll
- 2007-07-31 00:19:04 207,736 ----a-w C:\WINNT\system32\muweb.dll
+ 2008-07-19 04:07:32 210,976 ----a-w C:\WINNT\system32\muweb.dll
- 2008-04-11 14:04:12 61,514 ----a-w C:\WINNT\system32\perfc009.dat
+ 2008-09-15 09:04:06 61,514 ----a-w C:\WINNT\system32\perfc009.dat
- 2008-04-11 14:04:12 394,662 ----a-w C:\WINNT\system32\perfh009.dat
+ 2008-09-15 09:04:06 394,662 ----a-w C:\WINNT\system32\perfh009.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-06-05 16:47 68856]
"WeatherWatcher"="C:\Program Files\Weather Watcher\ww.exe" [08-07-26 09:12 1077248]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [02-06-10 14:21 102400]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [04-04-23 11:00 192512]
"USB2Check"="C:\WINNT\system32\PCLECoInst.dll" [04-04-08 15:30 61440]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07-07-27 20:14 271672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [08-06-10 04:27 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [08-01-11 22:16 39792]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [07-11-01 19:12 582992]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [05-02-12 21:05 339968]
"Synchronization Manager"="mobsync.exe" [03-06-19 13:05 111376 C:\WINNT\system32\mobsync.exe]
C:\Documents and Settings\Alex\Start Menu\Programs\Startup\
firefox.exe [2008-07-15 7667312]
C:\Documents and Settings\Ben\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Sony Handheld\HOTSYNC.EXE [2008-03-26 299008]
C:\Documents and Settings\Doris\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2008-04-20 157008]
C:\Documents and Settings\Paul\Start Menu\Programs\Startup\
Encoder Agent.lnk - C:\Program Files\Windows Media Components\Encoder\Wmencagt.exe [2007-07-08 53248]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Sony Handheld\HOTSYNC.EXE [2008-03-26 299008]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.I420"= vdrcodec.dll
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WeatherWatcherLive"="C:\Program Files\Weather Watcher Live\ww.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"WUSB54Gv2"=C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
"SBCSTray"=C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
"HPDJ Taskbar Utility"=C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
R1 cmosa;cmosa;C:\WINNT\system32\drivers\cmosa.sys [00-05-08 20:50 29344]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 06:22 61712]
S1 lusbaudio;Logitech USB Microphone;C:\WINNT\system32\drivers\lvsound2.sys [02-06-10 14:20 34816]
S3 LTower;LEGO USB Tower Driver;C:\WINNT\system32\Drivers\LTower.sys [01-04-25 16:44 36981]
S3 QCEmerald;Logitech QuickCam Web(PID_0850);C:\WINNT\system32\DRIVERS\LVCE.sys [02-06-10 14:20 44544]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-15 21:11:37
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\DOCUME~1\Paul\LOCALS~1\Temp\WW14.tmp 3 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
Completion time: 2008-09-15 21:15:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-16 03:15:35
ComboFix2.txt 2008-09-15 03:33:23
Pre-Run: 70,498,873,344 bytes free
Post-Run: 70,505,320,448 bytes free
247 --- E O F --- 2008-09-15 09:08:36
Malwarebytes' Anti-Malware 1.28
Database version: 1159
Windows 5.0.2195 Service Pack 4
9/16/2008 5:03:12 AM
mbam-log-2008-09-16 (05-03-12).txt
Scan type: Full Scan (C:\|)
Objects scanned: 127100
Time elapsed: 1 hour(s), 2 minute(s), 7 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 9
Files Infected: 47
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\Paul.WIZARD\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Paul.WIZARD\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Doris.WIZARD\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Doris.WIZARD\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Default User\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Default User\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\RegistrySmart\Registry Backups (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
Files Infected:
C:\QooBox\Quarantine\C\WINNT\system32\aqbdryrj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\bieevbfw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\blubdovo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\ctziks.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\eporfhbv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\eqjwxb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\fhdajfox.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\gjyucihu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\gmkkfbod.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\gofdsltk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\hdqawvbo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\hpgkej.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\hpzpzn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\iudnnkwl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\jnkswstl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\kelpvd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\khfEXonN.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\klltaryu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\kmxayz.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\lmgeax.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\mamkkj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\mogxgrpu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\nxpexaxd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\orieijyk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\qafvwsls.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\rgqdfz.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\rldxdvqr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\rniovdps.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\soxtqp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\vrakegqy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\weojxz.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\wfabdwpw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\wvytojse.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\xjhdlu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\ykpvql.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\yqnutemv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\yuagqb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\RegistrySmart\Errors.stg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\RegistrySmart\Results.stg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\RegistrySmart\Registry Backups\2007-07-07_21-37-50.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\RegistrySmart\Registry Backups\2007-07-07_21-38-28.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\RegistrySmart\Registry Backups\2008-02-04_07-52-50.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\RegistrySmart\Registry Backups\2008-02-04_07-53-03.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\RegistrySmart\Registry Backups\2008-03-17_06-56-32.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\RegistrySmart\Registry Backups\2008-03-17_06-56-43.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\RegistrySmart\Registry Backups\2008-03-17_06-56-47.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\RegistrySmart\Registry Backups\2008-03-17_06-56-51.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:54 AM, on 9/16/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Windows Media Components\Encoder\Wmencagt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINNT\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - .DEFAULT Startup: firefox.exe (User 'Default user')
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\Wmencagt.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5023/mcfscan.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
--
End of file - 6372 bytes