View Full Version : Virtumonde and More
bruce531
2008-09-18, 21:20
Please help, I will apologize in advance,I have never posted to a forum and will probably make some stupid mistakes
as well as not being where I should have been on the internet.
I did run the fix this because under the description forVirtumonde it said that it could be removed by disconnecting from the internet and runnig Spybot again.
I looked at the report and I know that you don’t want all of it but I don’t know what of the list you do?
Note: I read the “before you post” I did go to look at the System Restore and noticed that all the dates up to the infection are missing or deleted
Smitfraud-C.: [SBI $6572489E] Data (File, nothing done)
C:\Documents and Settings\Bruce Hicks\Local Settings\Temp\x.ico
Microsoft.Windows.System: [SBI $D619D565] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-3405039426-3485517607-2614902147-1013\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage
Microsoft.Windows.System: [SBI $7F8E43F4] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-3405039426-3485517607-2614902147-1013\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage
Virtumonde: [SBI $3BE84E58] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-3405039426-3485517607-2614902147-1013\Software\mwc
Virtumonde: [SBI $0FB400C8] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-3405039426-3485517607-2614902147-1013\Software\wkey
Windows firewall has been blocking attacks by the following;
Trojan-Downloader.Win32.Agent.bq
Trojan-Spy.Win32.Keylogger.aa
Trojan-Spy.HTML.Bankfraud.dq
Trojan-Clicker.Win32.Tiny.h
Trojan-Spy.Win32.GreenScreen
AVG-8 has been picking up other Tojans;
Trojan horse BackDoor. Generic10.IFP
Trojan horse Generic11.ZHW
Trojan horse Generic_c.VCZ
Trojan horse Dropper.Small.29.AX
Trojan horse KillAV.IL
My Desktop background is White
________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:22 PM, on 9/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\All Users\Application Data\rshkhgzs\tunubczi.exe
C:\WINDOWS\system32\ltmsg.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\WDC\SetIcon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Documents and Settings\Bruce Hicks\Local Settings\Temp\.tt6.tmp
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Jasc Software Inc\Paint Shop Pro 8\Paint Shop Pro.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUME~1\BRUCEH~4\LOCALS~1\Temp\tofufavc.exe
C:\WINDOWS\system32\janmhqrs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgui.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [lphc3gbj0en67] C:\WINDOWS\system32\lphc3gbj0en67.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [cmdmsg] C:\WINDOWS\system32\dmpijarc.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [LQ5CuL6uQq] C:\Documents and Settings\All Users\Application Data\rshkhgzs\tunubczi.exe
O4 - HKUS\S-1-5-21-3405039426-3485517607-2614902147-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Bruce Hicks\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/21f6e52405b3a7113915/netzip/RdxIE601.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159902100687
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = coop
O17 - HKLM\Software\..\Telephony: DomainName = coop
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = coop
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = coop
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: dscuiproc - {5A5D5E64-97E7-14D8-3DEB-05BA9B92AE2A} - C:\Program Files\vtujrhe\dscuiproc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\SYSTEM32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
--
End of file - 11913 bytes
pskelley
2008-09-20, 16:46
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
Bruce, you are doing fine so far, at least you read the directions and most folks do not. Before we start, have a look at this information:
Please be sure Spybot S&D is up to date and fully immunized.
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
If you need to update but can not because of the infection, just wait until you are clean.
1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the combofix log and a new HJT log.
Thanks
bruce531
2008-09-22, 16:31
pskelly Thanks for responding. I had sent a PM to an admin to remove this thread because I had gone to Supportspace off of your Spybots web page. The tech struggled and I'm not sure if what we did actually fixed all the problems. I'm actually glad to see that the thread was still open. I would greatly appreciate you still looking at the logs where he didn't use any of these tools. Thank you
ComboFix 08-09-20.05 - Bruce Hicks 2008-09-22 9:22:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.418 [GMT -4:00]
Running from: C:\Documents and Settings\Bruce Hicks\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\delfin
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_sysrest.sys
((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.
2008-09-18 23:41 . 2008-09-18 23:41 <DIR> d-------- C:\Documents and Settings\Bruce Hicks\Application Data\Malwarebytes
2008-09-18 23:40 . 2008-09-18 23:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-18 23:40 . 2008-09-18 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-18 23:40 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-18 23:40 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-09-18 23:29 . 2008-09-18 23:29 98,304 --a------ C:\WINDOWS\SYSTEM32\wvsluban.exe
2008-09-18 19:32 . 2008-09-18 19:32 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-18 19:32 . 2008-09-18 19:32 <DIR> d-------- C:\Documents and Settings\Bruce Hicks\Application Data\SUPERAntiSpyware.com
2008-09-18 19:32 . 2008-09-18 19:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-18 19:18 . 2008-09-18 19:18 3,298 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-09-18 19:17 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-09-18 19:17 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-09-18 19:17 . 2008-09-08 23:38 88,576 --a------ C:\WINDOWS\SYSTEM32\AntiXPVSTFix.exe
2008-09-18 19:17 . 2008-09-02 16:51 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-09-18 19:17 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-09-18 19:17 . 2008-09-18 12:11 82,944 --a------ C:\WINDOWS\SYSTEM32\IEDFix.C.exe
2008-09-18 19:17 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\SYSTEM32\404Fix.exe
2008-09-18 19:17 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-09-18 19:17 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-09-18 19:17 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-09-18 18:49 . 2008-09-18 18:49 <DIR> d-------- C:\Documents and Settings\Bruce Hicks\temp
2008-09-18 18:49 . 2008-09-18 18:49 <DIR> d-------- C:\Documents and Settings\Bruce Hicks\Application Data\TeamViewer
2008-09-18 15:11 . 2008-09-18 15:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-16 10:43 . 2008-09-16 10:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-09-16 10:43 . 2008-09-16 10:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-09-16 10:43 . 2008-09-16 10:43 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-16 10:26 . 2008-09-18 22:08 <DIR> d-------- C:\Program Files\vtujrhe
2008-09-16 06:26 . 2008-09-18 22:06 <DIR> d-------- C:\Program Files\nhnuckc
2008-09-16 02:17 . 2008-09-16 02:17 118 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-09-15 16:35 . 2008-09-18 22:06 <DIR> d-------- C:\Program Files\vhbadi
2008-09-15 16:34 . 2008-09-19 06:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\rshkhgzs
2008-09-12 10:54 . 2008-09-12 10:54 <DIR> d-------- C:\Program Files\APC
2008-09-12 10:54 . 2004-08-10 15:35 4,142,592 --a------ C:\WINDOWS\SYSTEM32\qtintf.dll
2008-09-10 08:56 . 2008-09-10 08:58 <DIR> d-------- C:\Program Files\Flickr Uploadr
2008-09-10 08:53 . 2008-09-10 08:54 12,926,700 --a------ C:\Program Files\FlickrUploadr-3.0.5-en.exe
2008-08-27 19:18 . 2008-08-27 19:18 <DIR> d-------- C:\Documents and Settings\Bruce Hicks\Application Data\DivX
2008-08-23 15:00 . 2008-08-23 15:01 7,040,192 --a------ C:\Program Files\Opera_952_10108_en.exe
2008-08-23 14:58 . 2008-04-13 20:12 276,992 --------- C:\WINDOWS\SYSTEM32\wmphoto.dll
2008-08-23 14:58 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\SYSTEM32\wlanapi.dll
2008-08-23 14:57 . 2008-04-13 20:12 712,704 --------- C:\WINDOWS\SYSTEM32\windowscodecs.dll
2008-08-23 14:57 . 2008-04-13 20:12 346,112 --------- C:\WINDOWS\SYSTEM32\windowscodecsext.dll
2008-08-23 14:57 . 2008-04-13 20:12 53,248 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2008-08-23 14:57 . 2008-04-13 20:12 50,688 --------- C:\WINDOWS\SYSTEM32\tspkg.dll
2008-08-23 14:56 . 2008-04-13 20:12 412,160 --------- C:\WINDOWS\SYSTEM32\photometadatahandler.dll
2008-08-23 14:56 . 2008-04-13 20:12 291,328 --------- C:\WINDOWS\SYSTEM32\qagentrt.dll
2008-08-23 14:56 . 2008-04-13 20:12 290,304 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2008-08-23 14:56 . 2008-04-13 20:12 150,528 --------- C:\WINDOWS\SYSTEM32\qagent.dll
2008-08-23 14:56 . 2008-04-13 20:12 76,800 --------- C:\WINDOWS\SYSTEM32\qutil.dll
2008-08-23 14:56 . 2008-04-13 20:12 62,464 --------- C:\WINDOWS\SYSTEM32\qcliprov.dll
2008-08-23 14:56 . 2008-04-13 20:12 61,952 --------- C:\WINDOWS\SYSTEM32\rasqec.dll
2008-08-23 14:56 . 2008-04-13 20:12 32,768 --------- C:\WINDOWS\SYSTEM32\setupn.exe
2008-08-23 14:56 . 2008-04-13 14:40 10,240 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sffp_mmc.sys
2008-08-23 14:55 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\msxml6.dll
2008-08-23 14:55 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml6.dll
2008-08-23 14:55 . 2008-04-13 20:12 193,024 --------- C:\WINDOWS\SYSTEM32\napmontr.dll
2008-08-23 14:55 . 2008-04-13 20:12 176,640 --------- C:\WINDOWS\SYSTEM32\napstat.exe
2008-08-23 14:55 . 2008-04-13 20:12 155,136 --------- C:\WINDOWS\SYSTEM32\mssha.dll
2008-08-23 14:55 . 2008-04-13 20:12 144,384 --------- C:\WINDOWS\SYSTEM32\onex.dll
2008-08-23 14:55 . 2008-04-13 13:27 79,872 --------- C:\WINDOWS\SYSTEM32\msxml6r.dll
2008-08-23 14:55 . 2008-04-13 13:27 79,872 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml6r.dll
2008-08-23 14:55 . 2008-04-13 14:14 76,800 --------- C:\WINDOWS\SYSTEM32\msshavmsg.dll
2008-08-23 14:55 . 2008-04-13 20:12 30,208 --------- C:\WINDOWS\SYSTEM32\napipsec.dll
2008-08-23 14:54 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\SYSTEM32\mmcex.dll
2008-08-23 14:54 . 2008-04-13 20:11 184,320 --------- C:\WINDOWS\SYSTEM32\microsoft.managementconsole.dll
2008-08-23 14:54 . 2008-04-13 20:11 106,496 --------- C:\WINDOWS\SYSTEM32\mmcfxcommon.dll
2008-08-23 14:54 . 2008-04-13 20:12 33,792 --------- C:\WINDOWS\SYSTEM32\mmcperf.exe
2008-08-23 14:53 . 2008-04-13 20:11 61,440 --------- C:\WINDOWS\SYSTEM32\kmsvc.dll
2008-08-23 14:53 . 2008-04-13 20:11 37,376 --------- C:\WINDOWS\SYSTEM32\l2gpstore.dll
2008-08-23 14:53 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\SYSTEM32\kbdpash.dll
2008-08-23 14:53 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\SYSTEM32\kbdnepr.dll
2008-08-23 14:53 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\SYSTEM32\kbdiultn.dll
2008-08-23 14:53 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\SYSTEM32\kbdbhc.dll
2008-08-23 14:51 . 2008-04-13 20:11 136,192 --------- C:\WINDOWS\SYSTEM32\aaclient.dll
2008-08-22 08:15 . 2008-08-05 18:02 129,784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll
2008-08-22 08:15 . 2008-08-05 18:02 120,056 --------- C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2008-08-22 08:15 . 2008-08-05 18:02 118,520 --------- C:\WINDOWS\SYSTEM32\pxinsi64.exe
2008-08-22 08:14 . 2008-09-04 08:30 <DIR> d-------- C:\Program Files\DivX
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 13:37 --------- d-----w C:\Program Files\Lx_cats
2008-09-22 13:36 --------- d-----w C:\Program Files\lg_fwupdate
2008-09-22 02:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Retrospect
2008-09-21 03:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-09-18 23:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-16 09:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-16 09:57 --------- d-----w C:\Program Files\SpywareBlaster
2008-09-16 09:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-16 08:03 --------- d-----w C:\Program Files\RegCleaner
2008-09-16 06:56 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-12 14:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-30 13:31 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-22 01:02 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2008-08-19 17:38 13,320,192 ----a-w C:\Program Files\meetthegimp057.mp3
2008-08-15 12:48 --------- d-----w C:\Program Files\Aspell
2008-08-15 12:37 182,442 ----a-w C:\Program Files\aspell6-en-6.0-0.tar.bz2
2008-08-15 12:36 1,777,930 ----a-w C:\Program Files\aspell-0.60.6.tar.gz
2008-08-14 14:43 --------- d-----w C:\Documents and Settings\Bruce Hicks\Application Data\vlc
2008-08-14 14:36 --------- d-----w C:\Program Files\VideoLAN
2008-08-05 22:02 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe
2008-08-05 22:02 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-08-05 22:02 3,596,288 ----a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
2008-08-05 22:00 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2008-08-05 22:00 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2008-08-05 21:59 81,920 ----a-w C:\WINDOWS\SYSTEM32\dpl100.dll
2008-08-05 21:59 593,920 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI11.dll
2008-08-05 21:59 57,344 ----a-w C:\WINDOWS\SYSTEM32\dpv11.dll
2008-08-05 21:59 53,248 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI10.dll
2008-08-05 21:59 344,064 ----a-w C:\WINDOWS\SYSTEM32\dpus11.dll
2008-08-05 21:59 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu11.dll
2008-08-05 21:59 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu10.dll
2008-08-05 21:59 196,608 ----a-w C:\WINDOWS\SYSTEM32\dtu100.dll
2008-08-05 21:58 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2008-08-05 21:58 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx07.dll
2008-08-05 21:58 815,104 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0a.dll
2008-08-05 21:58 802,816 ----a-w C:\WINDOWS\SYSTEM32\divx_xx11.dll
2008-08-05 21:58 683,520 ----a-w C:\WINDOWS\SYSTEM32\DivX.dll
2008-08-05 21:58 161,096 ----a-w C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2008-08-05 21:58 12,288 ----a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2008-08-03 23:08 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-07-06 12:16 10,520 ----a-w C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-06-26 08:15 619,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2008-06-26 08:15 1,499,136 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2008-06-24 22:12 295,936 ------w C:\WINDOWS\SYSTEM32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-23 15:09 666,112 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-06-23 15:09 666,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2008-06-23 15:09 3,067,392 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-09-24 11:36 2,293,712 ----a-w C:\Program Files\FLV PlayerFCSetup.exe
2007-05-02 21:49 99,016 ----a-w C:\Documents and Settings\Bruce Hicks\Application Data\GDIPFONTCACHEV1.DAT
2007-04-01 12:37 7,127,614 ----a-w C:\Program Files\GlobalVpnClient.zip
2005-04-04 18:11 3,218 ----a-w C:\Program Files\README.TXT
2005-04-04 18:10 636 ----a-w C:\Program Files\LICENSE.TXT
2005-02-16 16:06 218,112 ----a-w C:\Program Files\HijackThis.exe
2004-07-26 07:16 1,117,491 ----a-w C:\Program Files\dvdshrink32setup.exe
2004-05-07 23:28 4,059,648 ----a-w C:\Program Files\wdmcdrvr.exe
2004-04-13 15:22 268 ----a-w C:\Program Files\Install.bat
2004-03-11 18:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-02-19 15:10 734,619 ----a-w C:\Program Files\spywareblastersetup.exe
2004-02-15 14:10 6,500,352 ----a-w C:\Program Files\FirefoxSetup-0.8.exe
2004-01-21 21:32 513 ----a-w C:\Program Files\Shortcut to AOL Communicator.lnk
2004-01-21 21:26 19,183,158 ----a-w C:\Program Files\ac_install.exe
2003-12-31 17:48 1,418,120 ----a-w C:\Program Files\j2re-1_4_2_03-windows-i586-p-iftw.exe
2003-04-09 02:55 723 ----a-w C:\Program Files\INSTALL.LOG
2001-06-20 20:19 40,960 ----a-w C:\Program Files\ACMonitor_X83.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-11 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 5058560]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"Dell|Alert"="C:\Program Files\Dell\Support\Alert\bin\DAMon.exe" [2002-04-03 282624]
"lxctmon.exe"="C:\Program Files\Lexmark 5400 Series\lxctmon.exe" [2007-03-19 291760]
"Lexmark 5400 Series Fax Server"="C:\Program Files\Lexmark 5400 Series\fm3032.exe" [2007-03-19 304048]
"EzPrint"="C:\Program Files\Lexmark 5400 Series\ezprint.exe" [2007-03-19 82864]
"LXCTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 106496]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-10-30 249856]
"SetIcon"="\Program Files\WDC\SetIcon.exe" [2004-01-30 46080]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 1235736]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"LTWinModem1"="ltmsg.exe" [2001-04-03 C:\WINDOWS\SYSTEM32\ltmsg.exe]
"nwiz"="nwiz.exe" [2003-10-06 C:\WINDOWS\SYSTEM32\nwiz.exe]
"WD Button Manager"="WDBtnMgr.exe" [2008-02-21 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2008-04-13 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2008-09-12 221247]
ColorVisionStartup.lnk - C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe [2006-01-31 385024]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"aux1"= ctwdm32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"=C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"UpdReg"=C:\WINDOWS\Updreg.exe
"AHQInit"=C:\Program Files\Creative\SBLive\Program\AHQInit.exe
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"C:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=
"C:\\WINDOWS\\SYSTEM32\\lxctcoms.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\Bruce Hicks\\temp\\TeamViewer3\\TeamViewer.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-10-15 91136]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2003-08-20 23180]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINDOWS\system32\Drivers\usbscan.sys [2008-04-13 15104]
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys [2002-04-02 33024]
S3 echodap;echodap;C:\WINDOWS\system32\drivers\echodap.sys [2001-07-27 12722]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-13 12800]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 38144]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aacc5440-fe93-11dc-9d00-006073ea8b8f}]
\Shell\AutoRun\command - M:\WD_Windows_Tools\Setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-PowerBar - C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
HKCU-Run-cmdmsg - C:\WINDOWS\system32\dmpijarc.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Bruce Hicks\Application Data\Mozilla\Firefox\Profiles\3l51nea0.Default User\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 09:32:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\brss01a.exe
C:\WINDOWS\SYSTEM32\devldr32.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\WINDOWS\SYSTEM32\Crypserv.exe
C:\WINDOWS\SYSTEM32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Program Files\WDC\SetIcon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-09-22 9:47:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-22 13:47:38
Pre-Run: 10,368,126,976 bytes free
Post-Run: 10,285,363,200 bytes free
337 --- E O F --- 2008-09-18 07:08:41
and the HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:40, on 9/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ltmsg.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\WDC\SetIcon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [cmdmsg] C:\WINDOWS\system32\dmpijarc.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Bruce Hicks\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159902100687
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = coop
O17 - HKLM\Software\..\Telephony: DomainName = coop
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = coop
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = coop
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\SYSTEM32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
--
End of file - 10692 bytes
Thank you again
pskelley
2008-09-22, 17:54
You are still infected, before I look closer, I need you to read and follow the directions for me. Please read #1 (one) and follow it, then post a new HJT log:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:06:40, on 9/22/2008
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
bruce531
2008-09-22, 22:15
pskelley- sorry I saw the resident shield in the large window and unchecked it.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:46:59, on 9/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\ltmsg.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\WDC\SetIcon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\AVG\AVG8\avgupd.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [cmdmsg] C:\WINDOWS\system32\dmpijarc.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Bruce Hicks\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159902100687
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = coop
O17 - HKLM\Software\..\Telephony: DomainName = coop
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = coop
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = coop
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\SYSTEM32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
--
End of file - 10631 bytes
pskelley
2008-09-22, 22:57
Thanks for returning the HJT log, proceed carefully and in the numbered order.
1) C:\Program Files\Java\jre1.6.0_03\ <<< update the Java program, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
3) Open notepad and copy/paste the text in the codebox below into it:
File::
C:\WINDOWS\system32\dmpijarc.exe
C:\WINDOWS\SYSTEM32\wvsluban.exe
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(may be gone)
O4 - HKCU\..\Run: [cmdmsg] C:\WINDOWS\system32\dmpijarc.exe
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
(if you still have MBAM, no need to download it again, just make sure you update and run it like I posted)
6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.
Please tell me how the computer is running now.
Thanks...Phil
bruce531
2008-09-23, 14:19
Phil,
Here are the new logs below. My computer is holding the screen saver and the only thing that I've noticed is that AVG thinks is doing a scan all the time and puts the scan icon in the task bar. Other than that it's preforming as best as can be expected for an old computer. I'm in the middle of looking for a new desktop and certainly don't want to pass any corrupted files over to the new one when I pick one out.
I can't tell you how much I appreciate your time and expertise. Thanks!
When we are finished (if you can) I would like some advice on the following:
What to keep and use and what to get rid of and or what to get
When I got infected I was using
Windows firewall
SpywareBlaster Free (maybe not keeping it updated as good as I could have)
AVG 8 Free
Spybot Free (running in advanced mode but note sure I have the settings correct and don't understand all of it)
now I have also what the Supportspace tech put on:
SUPERAntispyware
Malwarebtyes
And the items you had me install
Is there any way to tell if someone got anything off your computer?
Thanks
ComboFix 08-09-20.05 - Bruce Hicks 2008-09-22 19:38:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.330 [GMT -4:00]
Running from: C:\Documents and Settings\Bruce Hicks\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bruce Hicks\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\dmpijarc.exe
C:\WINDOWS\SYSTEM32\wvsluban.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\SYSTEM32\wvsluban.exe
G:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.
2008-09-22 19:22 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-09-22 19:21 . 2008-09-22 19:21 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-18 23:41 . 2008-09-18 23:41 <DIR> d-------- C:\Documents and Settings\Bruce Hicks\Application Data\Malwarebytes
2008-09-18 23:40 . 2008-09-18 23:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-18 23:40 . 2008-09-18 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-18 23:40 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-18 23:40 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-09-18 19:32 . 2008-09-18 19:32 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-18 19:32 . 2008-09-18 19:32 <DIR> d-------- C:\Documents and Settings\Bruce Hicks\Application Data\SUPERAntiSpyware.com
2008-09-18 19:32 . 2008-09-18 19:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-18 19:18 . 2008-09-18 19:18 3,298 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-09-18 19:17 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-09-18 19:17 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-09-18 19:17 . 2008-09-08 23:38 88,576 --a------ C:\WINDOWS\SYSTEM32\AntiXPVSTFix.exe
2008-09-18 19:17 . 2008-09-02 16:51 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-09-18 19:17 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-09-18 19:17 . 2008-09-18 12:11 82,944 --a------ C:\WINDOWS\SYSTEM32\IEDFix.C.exe
2008-09-18 19:17 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\SYSTEM32\404Fix.exe
2008-09-18 19:17 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-09-18 19:17 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-09-18 19:17 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-09-18 18:49 . 2008-09-18 18:49 <DIR> d-------- C:\Documents and Settings\Bruce Hicks\temp
2008-09-18 18:49 . 2008-09-18 18:49 <DIR> d-------- C:\Documents and Settings\Bruce Hicks\Application Data\TeamViewer
2008-09-18 15:11 . 2008-09-18 15:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-16 10:43 . 2008-09-16 10:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-09-16 10:43 . 2008-09-16 10:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-09-16 10:43 . 2008-09-16 10:43 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-16 10:26 . 2008-09-18 22:08 <DIR> d-------- C:\Program Files\vtujrhe
2008-09-16 06:26 . 2008-09-18 22:06 <DIR> d-------- C:\Program Files\nhnuckc
2008-09-16 02:17 . 2008-09-16 02:17 118 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-09-15 16:35 . 2008-09-18 22:06 <DIR> d-------- C:\Program Files\vhbadi
2008-09-15 16:34 . 2008-09-19 06:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\rshkhgzs
2008-09-12 10:54 . 2008-09-12 10:54 <DIR> d-------- C:\Program Files\APC
2008-09-12 10:54 . 2004-08-10 15:35 4,142,592 --a------ C:\WINDOWS\SYSTEM32\qtintf.dll
2008-09-10 08:56 . 2008-09-10 08:58 <DIR> d-------- C:\Program Files\Flickr Uploadr
2008-09-10 08:53 . 2008-09-10 08:54 12,926,700 --a------ C:\Program Files\FlickrUploadr-3.0.5-en.exe
2008-08-27 19:18 . 2008-08-27 19:18 <DIR> d-------- C:\Documents and Settings\Bruce Hicks\Application Data\DivX
2008-08-23 15:00 . 2008-08-23 15:01 7,040,192 --a------ C:\Program Files\Opera_952_10108_en.exe
2008-08-23 14:58 . 2008-04-13 20:12 276,992 --------- C:\WINDOWS\SYSTEM32\wmphoto.dll
2008-08-23 14:58 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\SYSTEM32\wlanapi.dll
2008-08-23 14:57 . 2008-04-13 20:12 712,704 --------- C:\WINDOWS\SYSTEM32\windowscodecs.dll
2008-08-23 14:57 . 2008-04-13 20:12 346,112 --------- C:\WINDOWS\SYSTEM32\windowscodecsext.dll
2008-08-23 14:57 . 2008-04-13 20:12 53,248 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2008-08-23 14:57 . 2008-04-13 20:12 50,688 --------- C:\WINDOWS\SYSTEM32\tspkg.dll
2008-08-23 14:56 . 2008-04-13 20:12 412,160 --------- C:\WINDOWS\SYSTEM32\photometadatahandler.dll
2008-08-23 14:56 . 2008-04-13 20:12 291,328 --------- C:\WINDOWS\SYSTEM32\qagentrt.dll
2008-08-23 14:56 . 2008-04-13 20:12 290,304 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2008-08-23 14:56 . 2008-04-13 20:12 150,528 --------- C:\WINDOWS\SYSTEM32\qagent.dll
2008-08-23 14:56 . 2008-04-13 20:12 76,800 --------- C:\WINDOWS\SYSTEM32\qutil.dll
2008-08-23 14:56 . 2008-04-13 20:12 62,464 --------- C:\WINDOWS\SYSTEM32\qcliprov.dll
2008-08-23 14:56 . 2008-04-13 20:12 61,952 --------- C:\WINDOWS\SYSTEM32\rasqec.dll
2008-08-23 14:56 . 2008-04-13 20:12 32,768 --------- C:\WINDOWS\SYSTEM32\setupn.exe
2008-08-23 14:56 . 2008-04-13 14:40 10,240 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sffp_mmc.sys
2008-08-23 14:55 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\msxml6.dll
2008-08-23 14:55 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml6.dll
2008-08-23 14:55 . 2008-04-13 20:12 193,024 --------- C:\WINDOWS\SYSTEM32\napmontr.dll
2008-08-23 14:55 . 2008-04-13 20:12 176,640 --------- C:\WINDOWS\SYSTEM32\napstat.exe
2008-08-23 14:55 . 2008-04-13 20:12 155,136 --------- C:\WINDOWS\SYSTEM32\mssha.dll
2008-08-23 14:55 . 2008-04-13 20:12 144,384 --------- C:\WINDOWS\SYSTEM32\onex.dll
2008-08-23 14:55 . 2008-04-13 13:27 79,872 --------- C:\WINDOWS\SYSTEM32\msxml6r.dll
2008-08-23 14:55 . 2008-04-13 13:27 79,872 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml6r.dll
2008-08-23 14:55 . 2008-04-13 14:14 76,800 --------- C:\WINDOWS\SYSTEM32\msshavmsg.dll
2008-08-23 14:55 . 2008-04-13 20:12 30,208 --------- C:\WINDOWS\SYSTEM32\napipsec.dll
2008-08-23 14:54 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\SYSTEM32\mmcex.dll
2008-08-23 14:54 . 2008-04-13 20:11 184,320 --------- C:\WINDOWS\SYSTEM32\microsoft.managementconsole.dll
2008-08-23 14:54 . 2008-04-13 20:11 106,496 --------- C:\WINDOWS\SYSTEM32\mmcfxcommon.dll
2008-08-23 14:54 . 2008-04-13 20:12 33,792 --------- C:\WINDOWS\SYSTEM32\mmcperf.exe
2008-08-23 14:53 . 2008-04-13 20:11 61,440 --------- C:\WINDOWS\SYSTEM32\kmsvc.dll
2008-08-23 14:53 . 2008-04-13 20:11 37,376 --------- C:\WINDOWS\SYSTEM32\l2gpstore.dll
2008-08-23 14:53 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\SYSTEM32\kbdpash.dll
2008-08-23 14:53 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\SYSTEM32\kbdnepr.dll
2008-08-23 14:53 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\SYSTEM32\kbdiultn.dll
2008-08-23 14:53 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\SYSTEM32\kbdbhc.dll
2008-08-23 14:51 . 2008-04-13 20:11 136,192 --------- C:\WINDOWS\SYSTEM32\aaclient.dll
2008-08-22 08:15 . 2008-08-05 18:02 129,784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll
2008-08-22 08:15 . 2008-08-05 18:02 120,056 --------- C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2008-08-22 08:15 . 2008-08-05 18:02 118,520 --------- C:\WINDOWS\SYSTEM32\pxinsi64.exe
2008-08-22 08:14 . 2008-09-04 08:30 <DIR> d-------- C:\Program Files\DivX
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 23:22 --------- d-----w C:\Program Files\Java
2008-09-22 23:04 --------- d-----w C:\Program Files\Google
2008-09-22 19:45 --------- d-----w C:\Program Files\Lx_cats
2008-09-22 19:45 --------- d-----w C:\Program Files\lg_fwupdate
2008-09-22 02:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Retrospect
2008-09-21 03:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-09-18 23:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-16 09:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-16 09:57 --------- d-----w C:\Program Files\SpywareBlaster
2008-09-16 09:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-16 08:03 --------- d-----w C:\Program Files\RegCleaner
2008-09-16 06:56 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-12 14:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-30 13:31 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-22 01:02 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2008-08-19 17:38 13,320,192 ----a-w C:\Program Files\meetthegimp057.mp3
2008-08-15 12:48 --------- d-----w C:\Program Files\Aspell
2008-08-15 12:37 182,442 ----a-w C:\Program Files\aspell6-en-6.0-0.tar.bz2
2008-08-15 12:36 1,777,930 ----a-w C:\Program Files\aspell-0.60.6.tar.gz
2008-08-14 14:43 --------- d-----w C:\Documents and Settings\Bruce Hicks\Application Data\vlc
2008-08-14 14:36 --------- d-----w C:\Program Files\VideoLAN
2008-08-05 22:02 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe
2008-08-05 22:02 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-08-05 22:02 3,596,288 ----a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
2008-08-05 22:00 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2008-08-05 22:00 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2008-08-05 21:59 81,920 ----a-w C:\WINDOWS\SYSTEM32\dpl100.dll
2008-08-05 21:59 593,920 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI11.dll
2008-08-05 21:59 57,344 ----a-w C:\WINDOWS\SYSTEM32\dpv11.dll
2008-08-05 21:59 53,248 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI10.dll
2008-08-05 21:59 344,064 ----a-w C:\WINDOWS\SYSTEM32\dpus11.dll
2008-08-05 21:59 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu11.dll
2008-08-05 21:59 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu10.dll
2008-08-05 21:59 196,608 ----a-w C:\WINDOWS\SYSTEM32\dtu100.dll
2008-08-05 21:58 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2008-08-05 21:58 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx07.dll
2008-08-05 21:58 815,104 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0a.dll
2008-08-05 21:58 802,816 ----a-w C:\WINDOWS\SYSTEM32\divx_xx11.dll
2008-08-05 21:58 683,520 ----a-w C:\WINDOWS\SYSTEM32\DivX.dll
2008-08-05 21:58 161,096 ----a-w C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2008-08-05 21:58 12,288 ----a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2008-08-03 23:08 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-07-06 12:16 10,520 ----a-w C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-06-26 08:15 619,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2008-06-26 08:15 1,499,136 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2008-06-24 22:12 295,936 ------w C:\WINDOWS\SYSTEM32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-23 15:09 666,112 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-06-23 15:09 666,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2008-06-23 15:09 3,067,392 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-09-24 11:36 2,293,712 ----a-w C:\Program Files\FLV PlayerFCSetup.exe
2007-05-02 21:49 99,016 ----a-w C:\Documents and Settings\Bruce Hicks\Application Data\GDIPFONTCACHEV1.DAT
2007-04-01 12:37 7,127,614 ----a-w C:\Program Files\GlobalVpnClient.zip
2005-04-04 18:11 3,218 ----a-w C:\Program Files\README.TXT
2005-04-04 18:10 636 ----a-w C:\Program Files\LICENSE.TXT
2005-02-16 16:06 218,112 ----a-w C:\Program Files\HijackThis.exe
2004-07-26 07:16 1,117,491 ----a-w C:\Program Files\dvdshrink32setup.exe
2004-05-07 23:28 4,059,648 ----a-w C:\Program Files\wdmcdrvr.exe
2004-04-13 15:22 268 ----a-w C:\Program Files\Install.bat
2004-03-11 18:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-02-19 15:10 734,619 ----a-w C:\Program Files\spywareblastersetup.exe
2004-02-15 14:10 6,500,352 ----a-w C:\Program Files\FirefoxSetup-0.8.exe
2004-01-21 21:32 513 ----a-w C:\Program Files\Shortcut to AOL Communicator.lnk
2004-01-21 21:26 19,183,158 ----a-w C:\Program Files\ac_install.exe
2003-12-31 17:48 1,418,120 ----a-w C:\Program Files\j2re-1_4_2_03-windows-i586-p-iftw.exe
2003-04-09 02:55 723 ----a-w C:\Program Files\INSTALL.LOG
2001-06-20 20:19 40,960 ----a-w C:\Program Files\ACMonitor_X83.exe
.
((((((((((((((((((((((((((((( snapshot@2008-09-22_ 9.46.50.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
- 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-11 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
"cmdmsg"="C:\WINDOWS\system32\dmpijarc.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 5058560]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"Dell|Alert"="C:\Program Files\Dell\Support\Alert\bin\DAMon.exe" [2002-04-03 282624]
"lxctmon.exe"="C:\Program Files\Lexmark 5400 Series\lxctmon.exe" [2007-03-19 291760]
"Lexmark 5400 Series Fax Server"="C:\Program Files\Lexmark 5400 Series\fm3032.exe" [2007-03-19 304048]
"EzPrint"="C:\Program Files\Lexmark 5400 Series\ezprint.exe" [2007-03-19 82864]
"LXCTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 106496]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-10-30 249856]
"SetIcon"="\Program Files\WDC\SetIcon.exe" [2004-01-30 46080]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 1235736]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"LTWinModem1"="ltmsg.exe" [2001-04-03 C:\WINDOWS\SYSTEM32\ltmsg.exe]
"nwiz"="nwiz.exe" [2003-10-06 C:\WINDOWS\SYSTEM32\nwiz.exe]
"WD Button Manager"="WDBtnMgr.exe" [2008-02-21 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2008-04-13 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2008-09-12 221247]
ColorVisionStartup.lnk - C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe [2006-01-31 385024]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"aux1"= ctwdm32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"=C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"UpdReg"=C:\WINDOWS\Updreg.exe
"AHQInit"=C:\Program Files\Creative\SBLive\Program\AHQInit.exe
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"C:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=
"C:\\WINDOWS\\SYSTEM32\\lxctcoms.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\Bruce Hicks\\temp\\TeamViewer3\\TeamViewer.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-10-15 91136]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2003-08-20 23180]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINDOWS\system32\Drivers\usbscan.sys [2008-04-13 15104]
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys [2002-04-02 33024]
S3 echodap;echodap;C:\WINDOWS\system32\drivers\echodap.sys [2001-07-27 12722]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-13 12800]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 38144]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aacc5440-fe93-11dc-9d00-006073ea8b8f}]
\Shell\AutoRun\command - M:\WD_Windows_Tools\Setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 19:44:26
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-09-22 19:49:10
ComboFix-quarantined-files.txt 2008-09-22 23:48:05
ComboFix2.txt 2008-09-22 13:47:59
Pre-Run: 10,118,590,464 bytes free
Post-Run: 10,103,062,528 bytes free
313 --- E O F --- 2008-09-18 07:08:41
Malwarebytes' Anti-Malware 1.28
Database version: 1194
Windows 5.1.2600 Service Pack 3
9/23/2008 7:30:23 AM
mbam-log-2008-09-23 (07-30-23).txt
Scan type: Full Scan (C:\|G:\|I:\|M:\|)
Objects scanned: 202665
Time elapsed: 5 hour(s), 36 minute(s), 28 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:46:59, on 9/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\ltmsg.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\WDC\SetIcon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\AVG\AVG8\avgupd.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [cmdmsg] C:\WINDOWS\system32\dmpijarc.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Bruce Hicks\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159902100687
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = coop
O17 - HKLM\Software\..\Telephony: DomainName = coop
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = coop
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = coop
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\SYSTEM32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
--
End of file - 10631 bytes
pskelley
2008-09-23, 15:45
Bruce, you have posted the same HJT log twice:sad: please post a new HJT log run after CFScript.
I will try to answer all questions before we finish, I would also like a look at your uninstall list like this:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Thanks...Phil
bruce531
2008-09-23, 17:28
Sorry Phil, I didn't save the system only scan log, but I did have to check and fix the one item
O4 - HKCU\..\Run: [cmdmsg] C:\WINDOWS\system32\dmpijarc.exe
Here's the new HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:58, on 9/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ltmsg.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\WDC\SetIcon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Bruce Hicks\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159902100687
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = coop
O17 - HKLM\Software\..\Telephony: DomainName = coop
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = coop
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = coop
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\SYSTEM32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
--
End of file - 10618 bytes
Uninstall list
ABBYY FineReader 6.0 Sprint
Adobe Flash Player ActiveX
Adobe Reader 7.0.9
Adobe Shockwave Player
APC PowerChute Personal Edition
Apple Mobile Device Support
Apple Software Update
Aspell English Dictionary-0.50-2
AVG Free 8.0
Bonjour
BroadJump Client Foundation
Capture NX
CD-DA X-Tractor v0.12
CDRoller version 6.30
CutePDF Writer 2.7
DelFin Media Viewer
Dell | Support
Dell Picture Studio - Dell Image Expert
Dell ResourceCD
Dell Solution Center
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVD Solution
DVD Suite
Easy CD Creator 5 Basic
Event Planner
Excel Unique & Duplicate Data Remover 7.0
Flickr Uploadr 3.0.5
FLV Player
Freecorder Toolbar 3.0 Application
GNU Aspell 0.50-3
Google Earth
Hallmark Card Studio 2003
Hallmark Card Studio 2004 Deluxe
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
IKEA Home Planner
Intel® Personal Audio Player 3000
InterActual Player
iTunes
Jasc Paint Shop Pro 8
Java(TM) 6 Update 7
Lexmark 5400 Series
Lexmark Software Uninstall
Lexmark Toolbar
LG ODD Auto Firmware Update
Lucent Win Modem
Malwarebytes' Anti-Malware
Management by Statistics (Service Pack 11)
MapSend Topo for the United States
MGI PhotoSuite 8.1 (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Interactive Training
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Network Guide
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Publisher 2002
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
Modem Helper
Mozilla Firefox (0.8.)
Mozilla Firefox (2.0.0.16)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MUSICMATCH Jukebox
Nero OEM
Nikon Message Center
Noiseware Community Edition
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
OfficeReady Professional 3.0
Opera 9.25
PhoneTools
Picasa 2
Picture Control Utility
Postage $aver Pro Demo
Postage $aver Pro with Barcoder
Postage $aver Update
PowerDVD
PowerProducer
QuickTime
RealPlayer
Realtek RTL8139 Diagnostics Program
Retrospect 6.5
Roxio CDEngine
RunAlyzer
Secret Barcoder Ring Demo
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
SonicWALL Global VPN Client
Sound Blaster Live! Value
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Spyder2PRO
SpywareBlaster 4.1
SUPERAntiSpyware Free Edition
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VideoLAN VLC media player 0.8.6i
Viewpoint Media Player
WD Diagnostics
WD Media Center Driver
Windows Live Safety Scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
Winkflash Photo Manager
Winkflash Transporter
Yahoo! Toolbar
Thanks Bruce
pskelley
2008-09-23, 19:24
Uninstall list: I look for malware and security issues only.
https://psi.secunia.com/ <<< if you want a small free program to let you know when programs are out of date, look at this one. I personally turn it off in MSConfig and run it when I want to check in All Programs.
Adobe Reader 7.0.9 <<< hackers are exploiting out of date Adobe to infect folks.
Adobe Reader 9.0
http://www.filehippo.com/download_adobe_reader/
DelFin Media Viewer <<< I would uninstall that junk
http://research.sunbelt-software.com/threatdisplay.aspx?name=Delfin.Media%20Viewer&threatid=4325
Mozilla Firefox (0.8.)
Mozilla Firefox (2.0.0.16)
If you are going to run it, you need to keep it up to date
http://www.mozilla.com/en-US/firefox/
Spybot - Search & Destroy <<< not sure which this is
Spybot - Search & Destroy 1.5.2.20
Make sure you have the newest version and uninstall all others.
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
Viewpoint Media Player > aol junk, see this:
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
Bruce, I don't know all of your programs, but I am going to bet if there is that many issues, more are out of date and dangerous.
This is the next important step:
I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.
http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif
Since we do not need to scan with combofix, click NO
http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif
http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif
Thanks...Phil
bruce531
2008-09-25, 10:32
Phil- I've done some clean up Thanks,here is the log
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
pskelley
2008-09-25, 15:23
Good job installing Recovery Console:bigthumb: here is a little information:
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654
Recovery Console is a tool that will allow you to recover from a catastrophic system failure, so let's hope you never need it. Many experts believe Microsoft should have installed it by default.
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Since MBAM found nothing, I am not going to run it again.
Update AVG and scan the system to make sure it is working right and scanning clean. If all is well at this point, let me know and I will close your topic.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
bruce531
2008-09-26, 01:52
Phil, Again I will donate and thank you so much for your help.
Here is the AVG log:
Scan "Scan whole computer" was finished.
Infections found:;"0"
Infected objects removed or healed:;"0"
Not removed or healed:;"0"
Spyware found:;"0"
Spyware removed:;"0"
Not removed:;"0"
Warnings count:;"0"
Information count:;"0"
Scan started:;"Thursday September 25 2008 1:21:38 PM"
Scan finished:;"Thursday September 25 2008 4:09:25 PM (2 hour(s) 47 minute(s) 47 second(s))"
Total object scanned:;"850506"
User who launched the scan:;"Bruce Hicks"
Warnings
File;"Infection";"Result"
C:\Documents and Settings\Bruce Hicks\Cookies\bruce hicks@m.webtrends[2].txt;"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
C:\Documents and Settings\Bruce Hicks\Cookies\bruce hicks@m.webtrends[2].txt:\m.webtrends.com.b4ca7df0;"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
C:\Documents and Settings\Bruce Hicks\Cookies\bruce hicks@real[1].txt;"Found Tracking cookie.Real";"Moved to Virus Vault"
C:\Documents and Settings\Bruce Hicks\Cookies\bruce hicks@real[1].txt:\real.com.66561182;"Found Tracking cookie.Real";"Moved to Virus Vault"
C:\Documents and Settings\Bruce Hicks\Cookies\bruce hicks@real[1].txt:\real.com.77111473;"Found Tracking cookie.Real";"Moved to Virus Vault"
C:\Documents and Settings\Bruce Hicks\Cookies\bruce hicks@real[1].txt:\real.com.fc148bc3;"Found Tracking cookie.Real";"Moved to Virus Vault"
Just a couple of things
We didn't turn teatimer back on?
spywareblaster, or superantispyware, or neither?
Thanks again, Bruce
pskelley
2008-09-26, 02:25
Hey Bruce, AVG removed those cookies to the Virus Vault, make sure you dump them from there.
AVG Interface > History > Virus Vault > Empty Vault
If you want to stop allowing those junk cookies see this information:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx
We didn't turn teatimer back on? <<< see next comments
spywareblaster, or superantispyware, or neither?
You should read the links I posted before asking question, they will be answered there.
I will take a moment here, I only suggest freeware products, I have used SpywareBlaster and SpywareGuard for many years, you will read about those programs in the links.
If you install and run SpywareGuard then leave TT disabled.
Thanks
bruce531
2008-09-26, 04:53
I hadn't had time to read all the links but will
I appreciate your time and your patients.
Bruce